Drone Manufacturer DJI Leaves SSL Key Exposed on Public Repository

Dà-Jiāng Innovations Science and Technology Co., Ltd (DJI), one of the largest drone manufacturers in the world, was the subject of an information exposure incident when a researcher discovered that it left the private key for its HTTPS certificate on GitHub for four years.

Researcher Kevin Finisterre discovered the key out in the open, in a public GitHub repository used by DJI. Information found in the repository included AWS account credentials, AES encryption keys as well as public AWS S3 buckets. According to Finisterre, it also included Personally Identifiable Information (PII).

DJI has already acknowledged the incident and has announced that it will be working to assess and address the issue. In addition, the affected HTTPS certificate was already revoked in September.  The company launched a bug bounty program a few months ago, offering rewards to individuals or groups that manage to find bugs involving DJI software. Finisterre was one of the researchers involved with the program, which would have offered a $30,000 reward to Finisterre. However, disagreements with some of the program’s s policies led to the public disclosure of the discovery, which was among the details Finisterre including in an 18-page PDF report.

This isn’t the first time incorrect cloud service configuration settings have led to potential information breaches. Many companies using the cloud fail to cover all aspects of security – even obvious ones, leading to information being exposed in the open. Something as simple as poor configuration of cloud services can cause data loss.

Organizations need to understand that securing their cloud infrastructure is not something that should be left to the service provider alone, as it is a shared responsibility that needs the cooperation of both the organization and their provider. This includes securing everything stored in the cloud. By placing more emphasis on the shared responsibility model, organizations can avoid embarrassing and potentially damaging situations such as this one.

Cloud-centric solutions such as Trend Micro™ Hybrid Cloud Security, which delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads, can help organizations hold up their end of the shared responsibility model. It also features Trend Micro™ Deep Security™, the market share leader in server security, protecting millions of physical, virtual, and cloud servers around the world. 

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.