DJI Is Offering Money to Security Researchers to Stop DIY Hackers From Owning Its Drones

The drone maker is offering between $100 and $30,000 to hackers who find and report vulnerabilities in the software of its unmanned aerial vehicles.

|
Aug 28 2017, 4:19pm

Image: hkhtt hj/Shutterstok

Dozens of drone pilots have found ways to get around limitations set up by Chinese maker DJI by hacking their drone's software. Now, DJI wants these hackers to work with the company to get these issues fixed instead.

On Monday, DJI launched a bug bounty program, offering as little as $100 and as much as $30,000 in an attempt to encourage hackers and security researchers to alert the company of bugs and vulnerabilities in its products.

"If a hacker finds an issue we want them to tell us first, let us fix it, and we'll reward you for it," DJI spokesperson Adam Lisberg told Motherboard in a phone call.

Read more: I Watched a Drone Break the World Speed Record

The popular drone maker has been the target of a growing hacker community for months now. These DIY hackers have forced the company into an arms race where they found bugs and exploits, and the company responded by attempting to lock down its drones even more, as Motherboard reported in July. Because of the security issues with its products, the U.S. Army banned the use of DJI drones in August.

Lisberg—who admitted that several security researchers and "self-proclaimed hackers" have been going through the company's code and found bugs in recent months—said that the company has been working with and talking to "various players who have been active in internet forums and the like finding problems and pointing them out to us."

Whether this community of hackers—who "root" or "jailbreak" drones in order to circumvent speed and altitude restrictions, as well as ignore "geofences" that prevent drones from taking off near airports and other sensitive areas—is willing to play ball with DJI remains to be seen.

"I find it funny that DJI, who did not care for security concerns of the community, now comes up with a bug bounty program."

In a Slack channel where drone hackers discuss and disclose bugs in DJI software, some reacted with skepticism to the news of the bug bounty.

"I think bug bounty programs are a good thing in general BUT I find it funny that DJI, who did not care for security concerns of the community, now comes up with a bug bounty program," Andreas Makris, a hacker who goes by the nickname bin4ry, told Motherboard in an online chat.

"We showed them a great deal of security flaws in their products already, and they did not care about bugs, only those bugs/exploits which changed the app behaviour in ways users wanted the app to be," he added. "They only tried to close the door for us to modify it and did not fix the problem itself. So I am REALLY interested if they want to change for real or if this is all only a game to look better in public."

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

Christopher Vo, the president of the DC Area Drone User Group, a group for drone hobbyists, applauded DJI for launching the program. But he also said he was worried DJI might use the bug bounty as an incentive to stop researchers from disclosing the bugs publicly, which benefits the drone-hacking community.

"People who find bugs may feel compelled to not report them openly because they want to get an incentive," Vo said, "and then DJI never fixes the bugs, the bugs never get reported publicly, and nobody benefits."

For now, DJI is asking friendly hackers to report bugs via email to bugbounty@dji.com but Lisberg told me the company plans on publishing a dedicated webpage for the bug bounty program, that will lay out the program's criteria and conditions.

Get six of our favorite Motherboard stories every day by signing up for our newsletter .

Stories