
DJI Responds to Bug Bounty Issues, SSL & AWS Leaks and ICE Memo

November 24, 2017 by Malek Murison

DJI has just released an extensive statement regarding the recent raft of cybersecurity stories enveloping the popular drone manufacturer.

You can read more about the Bug Bounty program here.

Here it is…


Statement About DJI’s Cyber Security and Privacy Practices

Recent news and blog coverage of DJI has raised a number of key questions about DJI’s practices regarding cybersecurity and privacy. We recognize that there are several reasonable concerns brought up about DJI’s record in this space, so we’d like to set the record straight on the current state of DJI’s security efforts.

1. SSL Certificate

In early September, DJI was notified that its SSL Certificate for the DJI website had been compromised. Immediately upon receiving this report, DJI revoked this certificate and replaced it with a new certificate.

Based on its investigation, DJI has no reason to believe that customer data has been compromised as a result. As a part of responsible disclosure to our customers, we have been working with an independent cyber forensics company to confirm our findings. We will continue monitoring the activities related to the expired SSL certificate and alert relevant customers if there is any evidence that their data integrity might have been impacted.

2. AWS Server Data

DJI received a report from an independent security researcher that an AWS server repository was accessible by unauthorized parties. We took this issue very seriously, and fixed it within a day of receiving the report.

After doing an internal audit, we identified the DJI developers responsible for this error, and took immediate disciplinary actions against them. We terminated their employment because we considered their behavior inexcusable and not in line with company policy. We also reduced the number of people who had authorization to change the public and private settings of our servers to prevent this situation from happening in the future. In addition, DJI further enhanced security measures and employee training to prevent similar incidents from occurring again.

Similar to the SSL Certificate issue, we have engaged a third-party cyber forensics firm to investigate this incident. Based on our analysis so far, only one party was able to download data from the server, including personal information of our developers. The investigation is ongoing, and we will notify customers if evidence suggests that the data has been misused.

3. Bug Bounty Program

DJI created the DJI Security Response Center (DSRC) to provide a channel for independent researchers to report issues that may impact the security of DJI’s products as a part of our focus on addressing data integrity.

Since announcing the DJI Bug Bounty program in August 2017, DJI has rewarded almost a dozen security researchers who have discovered potential vulnerabilities and received payment for their contributions after they complied with the program’s terms.

Claims that we have threatened one of the participants in the program, or required that he remain silent about his discovery, are false. The record of email exchanges and communication with the person in question shows that DJI continued negotiating the terms of the bounty in good faith with the participant until he chose to walk away from the program. While the participant did receive an unsigned draft letter via email expressing DJI’s concern about activities outside the program and potentially in violation of applicable laws, he did not complain to DJI when he received it, and continued negotiating terms of his bounty for two subsequent weeks.

The last version of the terms DJI sent to this person provided for a limited, 90-day confidentiality period in which DJI could address the security vulnerability and provide any required legal notices, after which point he would be free to disclose to the public the facts about his discovery. This person agreed in principle to this provision, as well as the other main provisions of the last draft sent to him. While DJI waited two weeks for this person’s final comments and proposed revisions to this latest version of the terms, the person unilaterally decided to terminate negotiations. Subsequently, he posted the draft letter, the redacted developer information, confidential communications with DJI employees, and published an incomplete and misleading narrative of his negotiation process with DJI.

With the DSRC program, we showed that we have no intention to downplay concerns about data protection. The experience with the one person is an outlier and not representative of a program which has already paid almost a dozen researchers who have worked with us in good faith and who have adhered to the terms of the program.  DJI remains committed to the DSRC program and continues to work together with researchers to help improve the security of our products.

4. ICE Memo

We are aware of a bulletin about DJI issued in August by an agent in the Los Angeles office of U.S. Immigration and Customs Enforcement (ICE).  The bulletin is based on clearly false and misleading claims from an unidentified source.

Several of the key claims made by this unnamed source show a fundamental lack of understanding of DJI, its technology and the drone market. Some of the claims made are easily refuted with a few minutes of research. Had this research been done, the unnamed informant would know that:

  • Neither DJI drones nor the GO App perform facial recognition when the system is off.  In fact, even when powered on, no DJI product has the ability to “recognize” a face as a particular person for identification purposes.  Advanced new products have “Active Track” algorithms that can track the movement of the shape of a face or the shape of a person to facilitate control of the drone or movement of the camera (when the product is powered on, and Active Track mode is engaged by the user). 
  • DJI’s pricing strategy has not caused Parrot or Yuneec to stop production. While many companies in our industry have reduced staff, there are still several companies producing new models of drones every year.
  • DJI does not sell products at a loss or cheaper in the United States than in China. Pricing information has been and remains publicly available on DJI’s website. For example, through November, the Spark was $499 in the US and RMB 3,299 ($500) in China.

Based on these easily disproved claims, the statement makes several other false or misleading claims about our technology, how we manage data and our relationship with the Chinese government.

DJI does strive to comply with local laws and regulations in each country where its drones operate and to facilitate compliance by our customers. To the extent that there are location-specific rules and policies within China, we ensure that our systems comply with these rules, including the need to register or include no-fly zones on board. In compliance with the Chinese regulation, DJI utilizes the user’s IP address, GPS location, and MCC ID to determine if a drone is being operated in China. If so, DJI provides the customer with the features necessary to comply with Chinese regulations and policies. Otherwise, DJI provides no information about or data collected by the drone to the Chinese government.

Malek Murison

Malek Murison is a freelance writer and editor with a passion for tech trends and innovation. He handles product reviews, major releases and keeps an eye on the enthusiast market for DroneLife.