DJI drone firmware exposes private keys on Github for years

~ hucktech

As reported by the Register, security researcher Kevin Finisterre discovered the Chinese firm had left the private keys of the DJI HTTPS domain on GitHub, exposed for all to see for roughly four years. To make matters worse, DJI had also made AWS credentials and firmware AES keys available for anyone to search for through the GitHub repository.[…]Earlier this year the US Army issued a blanket ban on the use of DJI products by its personnel. It gave no reason for doing so, other than unspecified “cyber vulnerabilities,” and was rapidly followed in doing so by the Australian military. Several British police forces also use DJI drones for operations, in place of helicopters.[…]

https://www.theregister.co.uk/2017/11/16/dji_private_keys_left_github/

http://www.zdnet.com/article/bug-bounty-hunter-reveals-dji-ssl-firmware-keys-have-been-public-for-years/

http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf

Published by hucktech

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s