Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credits: BCC
Drone maker DJI has accused a cyber-security researcher of hacking its servers.
Kevin Finisterre claims that he accessed confidential customer data after finding a private key publicly posted on code-sharing site Github.
He approached the firm, which offers a “bug bounty” reward of up to $30,000 (£23,000) for security weaknesses discovered in its systems.
DJI said the server access was “unauthorised”.
The data Mr Finisterre was able to see included “unencrypted flight logs, passports, drivers licences and identification cards”, he said.
Despite initially offering him the money, in a statement DJI has now accused Mr Finisterre of refusing to agree to the terms of its bug bounty programme “which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed”.
It added: “DJI takes data security extremely seriously, and will continue to improve its products thanks to researchers who responsibly discover and disclose issues that may affect the security of DJI user data and DJI’s products.”
It added that it would continue to pay bug bounties in exchange for reports.
- How to make money hunting cyber-bugs
- Drone maker boosts privacy after army ban
Mr Finisterre, an independent security researcher, said DJI tried to make him sign a non-disclosure agreement.
He also published an email from DJI telling him that security issues with servers were included in the bug bounty programme.
‘Freedom of speech’
He said it was almost a month after he sent his report before the full terms were shared with him, and that he believed they “posed a direct conflict of interest to many things including my freedom of speech”.
One of the clauses stated that he could not publicly disclose his research without written consent from DJI, according to emails from the firm he has published in his report.
Typically, security researchers will share their findings with a company, give the firm a time frame in which to fix identified bugs, and then publish their work.
The bug bounty scheme is offered by many large tech firms as an incentive for people to share security weaknesses rather than exploit them.
Cyber-security expert Prof Alan Woodward from Surrey University said DJI’s actions were “outrageous”.
“Cyber-security is one of those areas where there is no government organisation or central body or standards agency holding these people to account. It’s ethical hackers and security researchers,” he said.
“The public has a right to know when there’s a security problem.”
www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India