DJI Mavic, Air and Mini Drones
Friendly, Helpful & Knowledgeable Community
Join Us Now

DJI left the private key for its dot-com's HTTPS certificate exposed on GitHub for up to four years

I was just about to post this, you beat me by 30 minutes. :)

Glad I never registered more than email address with these guys (DJI).

“I had seen unencrypted flight logs, passports, drivers licenses, and identification cards,” Finisterre said,
Click to expand...
 
  • Like
Reactions: wsteele and harryb
Yeah, it came across my news feed yesterday, but didn't post -- thinking that maybe someone with more developer knowledge than me (ie @gnirtS) would post with comments.
 
I do web programming, and putting the SSL private key out there, is like keeping your safe combo taped to the front of it. Using the SSL private key allows a person to decrypt the "conversation". The data that goes back and forth. When you hit HTTPS, the S means it's encrypted with a key. What DJI did, was accidentally leave their key on GITHUB (public) for two years.

So when you sent your credit card info, and driver license to them, if someone was intercepting your data packets, they could decrypt them and see what info was exchanging.

That's the gest of it. Pretty flagrant security incident IMO.
 
  • Like
Reactions: born2drone, Hexagon, Slayerstwin and 1 other person
Thought the driving licence passport and ID cards info was something different that was just on a unsecured server
 
sar104 said:
Right - I can't figure out who would have provided that kind of information to DJI.
Click to expand...
I'm wondering that as well. I've never given them more than an e-mail address, and I'm commercially certified.
 
He learned through a DJI modders' Slack channel that some DJI AWS accounts were set to be publicly accessible, and the "buckets" included "all attachments to the service e-mails they receive… images of damaged drones… receipt and other personal data… and 'occasional photos of people cut by propellers.'"
 
sar104 said:
Right - I can't figure out who would have provided that kind of information to DJI.
Click to expand...
When you request a 'red zone' NFZ unlock by DJI's flysafe, an ID was/is necessary to submit.
Maybe these were ID's from those requests.
 
Keule said:
When you request a 'red zone' NFZ unlock by DJI's flysafe, an ID was/is necessary to submit.
Maybe these were ID's from those requests.
Click to expand...

That is worryingly plausible. I've never used it, but the custom unlock request for restricted zones does require ID.

Forms of Identification: Please submit documentation that identifies your name. Examples of such documentation include but are not limited to a driver’s license, the front of a major credit card, a national or state identification card, a student ID card, etc.
 
Of course hackers already have all of this info via the Equifax breach...
 
I do wonder if this serious breach of data through carelessness is enough for a class action. Not saying I'm going to start one, but some people are probably seriously compromised from this incompetence on their part.
 
mojpoj said:
I do web programming, and putting the SSL private key out there, is like keeping your safe combo taped to the front of it. Using the SSL private key allows a person to decrypt the "conversation". The data that goes back and forth. When you hit HTTPS, the S means it's encrypted with a key. What DJI did, was accidentally leave their key on GITHUB (public) for two years.

So when you sent your credit card info, and driver license to them, if someone was intercepting your data packets, they could decrypt them and see what info was exchanging.

That's the gest of it. Pretty flagrant security incident IMO.
Click to expand...

Holy (bleeeep)!
 
Just one more reason why my Mavic never talks to DJI.
Would you really trust your information to the chicoms?
 
New MVP owner here with concerns about privacy

First thoughts are:
How do I keep my videos and stills private if I edit them with the Go 4 app?
How do I keep my Mavic from sending my location and my ID private?
Do I have to use the Go 4 edit software in my Crystalsky?

I’ve been routing though this forum for answers and any insight would be appreciated.
 
AereaArte527 said:
New MVP owner here with concerns about privacy

First thoughts are:
How do I keep my videos and stills private if I edit them with the Go 4 app?
How do I keep my Mavic from sending my location and my ID private?
Do I have to use the Go 4 edit software in my Crystalsky?

I’ve been routing though this forum for answers and any insight would be appreciated.
Click to expand...

The simplest solution is to turn off WiFi/cellular. You won't have maps, so be it.

On Android, however (and of course, on CrystalSky), the app has a permission to run on startup, so even if you turn off the Internet for the flight, it can send the payload with your data next time you connect to the Internet. Go 4 is always running and always watching you! Make sure to force stop it in Application Manager.
 
Last edited:

Similar threads

Yaros
DJI Mapper - A software to make mapping DJI & Litchi Waypoint Missions
Replies
22
Views
9K
Control Apps - DJI, Litchi, Autopilot, etc...
Yaros
Yaros
P
How to change from CE signal to FCC?
Replies
8
Views
5K
Mini 2 SE
Felix le Chat
Felix le Chat
Theta
OpenAthena™ for Android Beta release, new AutoDEM feature
Replies
3
Views
792
General Discussions
anotherlab
anotherlab
FLDave
SOLD DJI Air 2s Fly More Combo plus more accessories. $500. Local only.
Replies
0
Views
819
Classifieds
FLDave
FLDave
A
"Drone Rotating Left After Calibration on DJI Mini 2—Any Fixes?"
Replies
5
Views
1K
Mini 2
Meta4
M
Lycus Tech Mavic Air 3 Case

DJI Drone Deals

1. NEO
2. Flip
3. Mini 4k
4. Mini 4 Pro
5. Air 3s
6. Avata 2
7. Mavic 3 Pro

New Threads

Members online

Total: 1,132 (members: 19, guests: 1,113)

Forum statistics

Threads
136,765
Messages
1,620,975
Members
165,423
Latest member
krizwit
Want to Remove this Ad? Simply login or create a free account