Hack the drone, get the cash: DJI pays hackers for found vulnerabilities

DJI, the world leader in drone production, has announced that it is ready to pay from $100 to $30,000 for vulnerabilities found in its products. While the site with a detailed description of the bug hunt is still under development, reports of discovered holes should be sent by e-mail to bugbounty@dji.com.

DJI's Director of Technical Standards, Walter Stockwell, said that instead of fighting hackers, the company should put their findings to use and move toward a common goal within its mission.

“I’m sure the Monsignor finally understood.”
- “The Boondock Saints”

In fact, DJI's management got moving only after several high-profile blunders with cyber vulnerabilities and a "ban" from the US military.

Recall that the US military recently realized that the drones are Chinese and all the data is processed in the cloud of a potential adversary.

Senior US military officials ordered all DJI drones to be withdrawn from use, all of the company's applications to be uninstalled, and the batteries and storage media to be removed from the devices.

DJI's response, to satisfy the military, was to create an offline mode in which data from the drone is not transmitted to the cloud.

“We are happy to work directly with various organizations, including the US Army, that have concerns about cyber security. We will try to contact the US Army to clarify this situation and find out what is meant when the military speak of ‘cyber vulnerabilities.’” - say DJI's PR staff.

Even civilian hackers find vulnerabilities by the batch.

Kevin Finisterre reported a vulnerability that allowed remote access to the DJI GO application and tracking of users' GPS coordinates.

Lanier Watkins of Johns Hopkins University said that he (read: his students) had found at least three vulnerabilities in DJI products over a year and a half, but DJI did not respond to their bug reports.

The most enterprising bug hunters (Russians) even make a business of it: they free the drones from the "shackles" their manufacturers have hung on them.

"... now they are out of work, since their entire set of hacks (for altitude, for no-fly zones and for speed limits) can now be installed for free instead of spending $600."
- writes user lohmatij in the comments.

DJI Ultimatum

DJI's counterstrike is a mandatory software update for Spark drones that blocks jailbreaks, plus the removal of potentially cracked old firmware versions from everywhere they were available. Until September 1 the notice can be ignored, but at midnight the drone will turn into a pumpkin.

The new firmware version also fixes control errors: the connection to the device is now more stable, and the battery can reduce power consumption during flight.
To update the firmware, use the DJI GO 4 mobile application or the Assistant 2 program.

Bug bounty

A bug bounty is a flash mob for hackers and those who consider themselves hackers.

Participants are recognized and rewarded for finding bugs, especially exploits and vulnerabilities.

A bug bounty lets developers detect and fix bugs before the general public learns about them, preventing incidents of mass abuse. Bug bounty programs have been run by Facebook, Yahoo!, Google, Reddit, Microsoft, the Pentagon, and others.

If you find a serious bug in DJI drone firmware, you can now quite honestly collect your well-deserved $100 instead of trawling darknet marketplaces trying to sell your find for hundreds of bitcoins.

Source: https://habr.com/ru/post/406341/