
DJI left the private key for its dot-com's HTTPS certificate exposed on GitHub for up to four years

I was just about to post this; you beat me by 30 minutes. :)

Glad I never registered more than an email address with these guys (DJI).

“I had seen unencrypted flight logs, passports, drivers licenses, and identification cards,” Finisterre said,
 
Yeah, it came across my news feed yesterday, but I didn't post -- thinking that maybe someone with more developer knowledge than me (i.e. @gnirtS) would post with comments.
 
I do web programming, and putting the SSL private key out there is like keeping your safe combo taped to the front of it. Using the SSL private key allows a person to decrypt the "conversation": the data that goes back and forth. When you hit HTTPS, the S means it's encrypted with a key. What DJI did was accidentally leave their key on GitHub (public) for two years.

So when you sent your credit card info and driver's license to them, if someone was intercepting your data packets, they could decrypt them and see what info was being exchanged.

That's the gist of it. Pretty flagrant security incident IMO.
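The practical check the post above implies, as an added example that is not code from the forum thread or from DJI: scan a repository's full history (the output of `git log -p --all`) for PEM private-key blocks, and report a key even when a later commit deleted it, because a removed key sits on `-` lines and is just as recoverable from history as one on `+` lines. The git-log excerpt below is constructed, and its key bodies are placeholder text, not real key material.

```python
# Added example: scan git-log / patch / file text for PEM private keys.
# SAMPLE_GIT_LOG is a constructed excerpt; the "key" bodies are placeholders.
import hashlib
import re
import sys
from dataclasses import dataclass

# Markers for private-key PEM blocks (RSA, EC, DSA, PKCS#8, ENCRYPTED PKCS#8,
# OPENSSH). Certificates and PUBLIC KEY blocks do not match.
_BEGIN_RE = re.compile(r"-----BEGIN ([A-Z ]*?PRIVATE KEY)-----")
_END_RE = re.compile(r"-----END ([A-Z ]*?PRIVATE KEY)-----")
_B64_RE = re.compile(r"[A-Za-z0-9+/=]+")


@dataclass(frozen=True)
class Finding:
    label: str        # PEM label, e.g. "RSA PRIVATE KEY"
    line: int         # 1-based line of the BEGIN marker in the scanned text
    fingerprint: str  # sha256 prefix of the base64 body; same key => same value
    complete: bool    # False when no matching END marker followed (truncated)
    encrypted: bool   # PKCS#8 ENCRYPTED label or legacy "Proc-Type: 4,ENCRYPTED"


def find_private_keys(text: str) -> list[Finding]:
    """Return every private-key block in text, on '+', '-' or bare lines."""
    lines = text.splitlines()
    findings: list[Finding] = []
    i = 0
    while i < len(lines):
        m = _BEGIN_RE.search(lines[i])
        if not m:
            i += 1
            continue
        label, start, offset = m.group(1), i, m.start()
        # offset > 0 means the marker sat behind a diff prefix ('+', '-', ' ');
        # the same prefix is stripped from the body lines that follow.
        body: list[str] = []
        encrypted = label == "ENCRYPTED PRIVATE KEY"
        complete = False
        i += 1
        while i < len(lines):
            if _BEGIN_RE.search(lines[i]):
                break  # truncated block ran into the next key; rescan this line
            end = _END_RE.search(lines[i])
            if end:
                complete = end.group(1) == label
                i += 1
                break
            content = lines[i][offset:].strip()
            if content.startswith("Proc-Type:") and "ENCRYPTED" in content:
                encrypted = True
            elif _B64_RE.fullmatch(content):
                body.append(content)
            i += 1
        digest = hashlib.sha256("".join(body).encode()).hexdigest()[:16]
        findings.append(Finding(label, start + 1, digest, complete, encrypted))
    return findings


def unique_keys(findings: list[Finding]) -> set[str]:
    """Distinct keys, so one key carried through many commits counts once."""
    return {f.fingerprint for f in findings}


# Constructed sample: a key is committed, later deleted, then a second key
# is added in a commit whose diff is cut off.
SAMPLE_GIT_LOG = """\
commit 1a2b3c
    add deploy config
diff --git a/deploy/server.key b/deploy/server.key
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAEXAMPLEONLYNOTAREALKEY0000000000000000000000000
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+-----END RSA PRIVATE KEY-----
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXAMPLEPUBLICKEY
+-----END PUBLIC KEY-----
commit 4d5e6f
    remove key (too late: it stays in history)
diff --git a/deploy/server.key b/deploy/server.key
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAEXAMPLEONLYNOTAREALKEY0000000000000000000000000
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
------END RSA PRIVATE KEY-----
commit 7a8b9c
diff --git a/tools/sign.pem b/tools/sign.pem
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEXAMPLEONLYTRUNCATED
"""

if __name__ == "__main__":
    text = SAMPLE_GIT_LOG if sys.stdin.isatty() else sys.stdin.read()
    found = find_private_keys(text)
    for f in found:
        state = "complete" if f.complete else "TRUNCATED"
        extra = ", encrypted" if f.encrypted else ""
        print(f"line {f.line}: {f.label} fp={f.fingerprint} ({state}{extra})")
    print(f"{len(found)} block(s), {len(unique_keys(found))} distinct key(s)")
```

Run it as `git log -p --all | python scan_keys.py` (the file name is an assumption) from inside a checkout; with no piped input it scans the built-in sample. The fingerprint is what makes the output useful on a real history: the same key re-added, moved or deleted across many commits collapses to one distinct key, and a truncated block is still reported rather than silently skipped. Any key that ever appears must be treated as compromised and rotated, since deleting the file in a later commit does not remove it from history.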
 
Thought the driving licence, passport and ID card info was something different that was just on an unsecured server.
 
Right - I can't figure out who would have provided that kind of information to DJI.
I'm wondering that as well. I've never given them more than an e-mail address, and I'm commercially certified.
 
He learned through a DJI modders' Slack channel that some DJI AWS accounts were set to be publicly accessible, and the "buckets" included "all attachments to the service e-mails they receive… images of damaged drones… receipt and other personal data… and 'occasional photos of people cut by propellers.'"
 
When you request a 'red zone' NFZ unlock by DJI's flysafe, an ID was/is necessary to submit.
Maybe these were ID's from those requests.
 

That is worryingly plausible. I've never used it, but the custom unlock request for restricted zones does require ID.

Forms of Identification: Please submit documentation that identifies your name. Examples of such documentation include but are not limited to a driver’s license, the front of a major credit card, a national or state identification card, a student ID card, etc.
 
Of course hackers already have all of this info via the Equifax breach...
 
I do wonder if this serious breach of data through carelessness is enough for a class action. Not saying I'm going to start one, but some people are probably seriously compromised from this incompetence on their part.
 

Holy (bleeeep)!
 
Just one more reason why my Mavic never talks to DJI.
Would you really trust your information to the chicoms?
 
New MVP owner here with concerns about privacy

First thoughts are:
How do I keep my videos and stills private if I edit them with the Go 4 app?
How do I keep my Mavic from sending my location and my ID private?
Do I have to use the Go 4 edit software in my Crystalsky?

I’ve been rooting through this forum for answers and any insight would be appreciated.
 

The simplest solution is to turn off WiFi/cellular. You won't have maps, so be it.

On Android, however (and of course, on CrystalSky), the app has a permission to run on startup, so even if you turn off the Internet for the flight, it can send the payload with your data next time you connect to the Internet. Go 4 is always running and always watching you! Make sure to force stop it in Application Manager.
 