Chinese dev jailed and fined for posting DJI’s private keys on Github
Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credits: The Register
A Chinese software developer who previously expressed suicidal thoughts has been jailed after putting one of drone company DJI’s AES private keys onto Github in plain text.
That key, as we revealed at the time in January 2018, allowed world+dog to decrypt DJI’s encrypted flight control firmware, paving the way for the curious and the malicious alike to bypass geofencing and other performance restrictions on their DJI drones.
Also disclosed in plain text was a wildcard SSL key for *.dji.com, giving anyone with the right skills the ability to spoof DJI’s website and decrypt encrypted comms between DJI drones and the company’s own servers in China.
Local Chinese-language reports indicated that the Shenzhen Municipal People’s Procuratorate – the local version of the Crown Prosecution Service – successfully prosecuted the developer in early April, before the Shenzhen District Court. One summary said: “The employee was sentenced to six months in prison for infringement of trade secrets. The penalty is 200,000 yuan” (just under £23,000).
Damage caused to DJI was allegedly said to be 1.164m yuan, or around £134,000.
“I am the stupid guy who unintentionally shared the DJI SSL keys and firmware AES keys on the github. I in total shared 4 repositories named ‘spray-system’, ‘Management-platform’, ‘real_time_serve_v1’ and ‘real_time_serve’,” read an email from the jailed dev, Li Zhanbin, forwarded to The Register by infosec researcher Kevin Finisterre.
Finisterre was the one who originally spotted the carelessly shared key on Github. Zhanbin, the Chinese dev, had asked for help in dealing with the Chinese police.
In a later email, Zhanbin said he had been dismissed from DJI on 26 January 2018, adding: “I was born in a very poor village; I stud[ied] hard all the time, I finally got into …university. It is a very happy thing to me and my parents. BUT now all the things are done. I am done. I will go to jail, and I have to take this stain … in my life. My girlfriend begin to break up with me, woooo, my family are broken. Fuck!!! What are terrible things! Maybe the only thing I can do now is to die; it is so hard. I need to be free.”
Local reports, apparently quoting the Chinese state prosecutors, quoted the dev as having written on Twitter: “There is no intention to disclose the secrets of Dajiang” and “I regret that I have no legal awareness, and I am willing to bear the corresponding legal responsibilities.”
A DJI spokesman told The Register: “DJI does not comment on legal matters involving current or former employees. Our company policy is that we do not discuss specific employment issues in the media.”
www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv10,CHFI,ECSAv10,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v10 course in Pune-India, ceh certification in pune-India, ceh v10 training in Pune-India, Ethical Hacking Course in Pune-India
The post Chinese dev jailed and fined for posting DJI’s private keys on Github appeared first on Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan | Hackers Charity.
from Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan | Hackers Charity http://bit.ly/2vrK1Rl
Comments
Post a Comment