A Bug Bounty Hunter Gets Threatened With CFAA For Sharing Evidence

A Chinese drone manufacturing company called DJI had private keys exposed publicly for years in code that company developers had posted to GitHub: both the private key for the “wildcard” certificate covering all of the company’s web domains and the keys to cloud storage accounts on Amazon Web Services.
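One defender-side check that catches this class of leak before a commit reaches a public repository, as an added example that is not DJI’s code and not taken from the cited reports: a small scanner that flags PEM private-key headers and AWS access key IDs in text. The sample config is constructed for the example and uses AWS’s documented example key ID, not a real credential.

```python
import re

# Patterns for the two kinds of secret the DJI leak involved: PEM-encoded
# private keys (e.g. the key for a wildcard TLS certificate) and AWS access
# key IDs. "AKIA" (long-term) and "ASIA" (temporary) are the documented prefixes.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def scan_text(text, path="<memory>"):
    """Return a list of (path, line_no, kind) for every secret-looking line.

    Only the line number and the kind of secret are reported, never the
    secret itself, so the scanner's own output does not become a second leak.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append((path, no, "private-key"))
        if AWS_KEY_ID_RE.search(line):
            findings.append((path, no, "aws-access-key-id"))
    return findings


# Constructed sample of a config file that should never have been committed.
# The access key ID is AWS's public documentation example, not a live key.
SAMPLE = """\
[storage]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# wildcard cert key accidentally committed alongside the deploy script
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, no, kind in scan_text(SAMPLE, "deploy/config.ini"):
        print(f"{path}:{no}: {kind}")
```

Wired into a pre-commit hook over the staged files, a non-empty result is reason to block the commit; if a key has already been pushed, rotating it matters more than rewriting history, since clones and caches keep the old value.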

Kevin Finisterre used this data to access sensitive private information uploaded by DJI customers, such as flight logs, images of government IDs and passports, some of them associated with military domains. When he learned that the company ran a bounty program, he applied to it. The program had been launched after the US Army issued a ban on using DJI drones for any military purpose due to ‘operational security’ concerns. Reports also said that the firmware of DJI drones had been hacked.

DJI acknowledged Finisterre’s finding that the company’s SSL certificates and firmware encryption keys had been exposed via GitHub for years and awarded him the $30,000 top prize. However, after exchanging 130 email messages with the company’s IT department and communicating with its legal department, which offered no legal protection for Finisterre’s research into the exposed data, the company stated that if he did not destroy all of his findings he would face prosecution under the CFAA. Finisterre refused the agreement, since it came with a threat and would have silenced him, and decided to go public instead. For this he was labelled a ‘hacker’, and the company acted as if it barely knew who he was, despite the 130 email messages exchanged about the exposed data.

DJI’s Phantom brand quadcopter drone

As you will all remember, last April Marcus Hutchins, a British cybersecurity researcher, was arrested by the FBI at a Las Vegas airport while returning home from the annual Def Con hacking conference. He was the researcher who discovered a hidden ‘kill switch’ for WannaCry and stopped that worldwide ransomware attack, which had already caused a great deal of damage. The authorities accused him of being part of this attack as the creator of the Kronos malware that caused it.

Cases like these discourage security researchers from investigating a problem and reporting it. Although the issue was resolved in both cases thanks to the researchers, they were threatened, silenced, and even put on trial with jail time at stake.

Drones used by the military over areas where civilians live already pose a serious threat and have cost many lives. When the sensitive data behind them cannot be protected, malicious attacks make the danger even greater. Security researchers are an important part of preventing such threats.

Sources:

http://www.realclearlife.com/technology/marcus-hutchins-wannacry-ransomware-arrested/

https://www.buzzfeed.com/kevincollier/wannacry-malware-hero-likely-considering-plea-deal-on

https://arstechnica.com/information-technology/2017/11/dji-left-private-keys-for-ssl-cloud-storage-in-public-view-and-exposed-customers/

https://www.techdirt.com/articles/20171117/11504938638/drone-maker-dji-offers-bug-bounty-program-then-threatens-bug-finder-with-cfaa.shtml

https://www.thebureauinvestigates.com/stories/2017-01-17/obamas-covert-drone-war-in-numbers-ten-times-more-strikes-than-bush

http://www.independent.co.uk/news/world/americas/us-politics/donald-trump-civilian-deaths-syria-iraq-middle-east-a7649486.html
