The company’s private keys were exposed to the public at the beginning of 2018, because of this, any user with access to the key, and with the required skills and knowledge, could have acceded to the company’s encrypted flight control firmware, as well as eliminate some restrictions on the drones.
Li Zhanbin, the employee responsible for the leaking, worked in DJI creating code for a drone control platform, as well as in the programming of devices used in agricultural machinery systems, the specialists in cybersecurity mentioned.
The employee leaked 4 company’s source code repositories by opening an account on GitHub, loading the code in a public repository and making it accessible to any user on this platform. The employee also leaked an SSL key for the company’s website, which could spoof this site and decrypt communication between the company’s devices and its servers in China.
The programmer argues that he accidentally shared these private keys, adding that, after discovering his error, he immediately removed the code from GitHub and reported the incident to law enforcement and the company, adding that he was willing to face the legal consequences of his mistakes.
Cybersecurity specialists from the International Institute of Cyber Security (IICS) confirmed that Li Zhanbin was sentenced to six months in prison, in addition to paying a fine equivalent to $30k USD for revealing trade secrets. However, the company has mentioned that the losses caused by this leak of confidential intellectual property have caused damages of about $170k USD, five times the value of the imposed fine.
The company still does not know if any user was able to access the filtered material during the time that the repositories remained exposed to GitHub users; further reports on the incident will be expected over the next few days.