DJI launches bug bounty program to stop homegrown hacking

The arms race has gained pace with DJI offering cash rewards for vulnerability reports.

DJI is offering up to tens of thousands of dollars to researchers who submit vulnerability reports for its drone software, in an apparent attempt to stifle the homegrown hacking community that has been modifying its products.

On Monday, the Chinese drone maker launched a bug bounty program designed to “address software concerns” prompted by the recent interest in homebrew hacking and manipulation of the firm’s products.

Earlier this year, it emerged that DJI was in a constant battle with enthusiastic customers who were altering the firmware of products including the Ronin and X5 lines to circumvent no-fly zones and the altitude and speed limits imposed on the craft.

From Pastebin to Facebook discussion groups, it is not difficult to find how-to guides and instructions on circumventing DJI's restrictions, including the No Fly Zone (NFZ) feature, originally intended to prevent hobbyists from flying their drones into dangerous or sensitive areas such as airports and military bases.

Some customers have complained that certain areas are geofenced without any real need, and have turned to ways of removing the safety net, such as websites that offer "packs" of modified software which disable everything from NFZ enforcement to flight restrictions.

This trend is likely a constant worry for the drone maker.

Should one of its modified drones collide with an aircraft inside an NFZ, for example, injury, and the lawsuits that follow it, are possible.

As the US Army's recent order to stop using DJI products highlights, until the company gets a handle on its security, the problem is also hurting DJI's reputation and finances.

The company’s new bug bounty program will offer financial rewards ranging from $100 to $30,000, depending on the severity of the vulnerability. The “Threat Identification Reward Program” is described as a means to “work with researchers and others to responsibly discover, disclose and remediate issues that could affect the security of DJI’s software.”

“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention,” said Walter Stockwell, DJI Director of Technical Standards. “DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make.”

DJI appears to have rushed to set up the infrastructure required for such a program, which may give the company visibility into the bugs the community uses to circumvent geofencing and altitude limits.

The Chinese firm acknowledged that there had been no avenue for researchers to report bugs before, and even now there are no published guidelines, scope or procedures in place.

“We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement,” Stockwell said. “We value input from researchers into our products who believe in our mission to enable customers to use DJI products that are stable, reliable and trustworthy.”

DJI says it is currently building a website that will contain the program's terms; in the meantime, it asks researchers to report their findings to bugbounty@dji.com.
