Github shrugs off drone maker DJI’s crypto key DMCA takedown effort
Github rejected a DMCA takedown request from Chinese drone-maker DJI after someone forked source code left in the open by a naughty DJI developer, The Register can reveal.
The leaked material included AES keys that permit decryption of the flight control firmware, which could allow drone fliers with technical skills to remove geofencing from the flight control software. Geofencing prevents DJI drones from flying in certain areas, such as airport approach paths or near government buildings deemed to be sensitive.
Though the released key is not for the latest firmware version, The Register has seen evidence (detailed below) that drone hackers are already incorporating it in modified firmware available for anyone to download and flash to their drones.
DJI declined to comment for this article. Github ignored The Register’s invitation to comment.
Read the small print carefully
While the keys themselves were left online for “two to four years”, as we previously reported, DJI only noticed the public repo forks in December, submitting a takedown request that month.
“It has come to our attention that some of our confidential and proprietary information has been posted on your website by unauthorized parties. These [sic] information has not been and would not be posted online by us, and includes but is not limited to our code related to our internal systems and confidential information of our websites,” said the company in its DMCA (Digital Millennium Copyright Act, an American copyright enforcement law) notice to Github.
In fact the people who posted the keys to DJI’s kingdom, as well as source code for various projects, were DJI devs. The company said in a later statement that they were sacked.
The code was forked by drone researcher Kevin Finisterre, who submitted a successful rebuttal to the takedown request on the grounds that Github’s terms and conditions explicitly permit forking of public repos.
“DJI mistakenly marked code repositories as public subsequently granting license for anyone to fork said repos. This accident can be evidenced by their press release,” wrote Finisterre, linking to a DJI statement.
Section 5 of Github’s terms of service states:
By setting your repositories to be viewed publicly, you agree to allow others to view and “fork” your repositories (this means that others may make their own copies of Content from your repositories in repositories they control). If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub’s functionality (for example, through forking).
Finisterre told us:
“They had 10 days to present GitHub with a legal notice preventing me from keeping the forks, they failed to do so. MLK (Martin Luther King) Day was technically day 10, but it was a holiday, so the following day GitHub opened the repos back up.”
Forking publicly available code is as old as the internet. That DJI fell victim to this because it evidently didn’t understand how Github’s ToS worked is concerning, particularly given the implications of users being able to disable flight restrictions at will. While DJI presents itself to the world as a responsible manufacturer with enough control over its products to fend off impending government regulation, shoddy developer practices are publicly undermining that position and making the company’s statements on drone control much less credible.
Drone hackers have already begun distributing modded firmware for DJI’s popular Phantom drones, as we can see on – where else? – Github:
[Screenshot caption: As posted on Github in a public repo for world+dog to view]
Original caption: “The key for encryption type 1 was published by Dji, so adding it to the code. Firmwares will now be automatically decrypted during extraction, and encrypted when adding to package”
What are the lessons here? Train your people in how Github works; check, check and check again that your private repos really are set to private; and, above all, don’t put encryption keys on the internet. Ever.
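The two checks those lessons call for can be automated. The following is an added example, not code from The Register, DJI or Github: a small Python scanner that flags hex strings the size of 128/192/256-bit AES keys when they have the entropy of real key material (so an all-zero placeholder is not reported) and skips values whose variable name says they are a hash or checksum rather than a key; and a second function that, given repository records shaped like the GitHub REST API "List repositories" response (only the `name` and `private` fields are used), reports repositories that are public but are on your list of ones that must stay private. The sample source file, the repository records and the key values are all constructed for the example; the key-length choice, the 3.0 bits/character threshold and the benign-name list are assumptions you should tune to your own code base.

```python
import math
import re
from typing import Dict, Iterable, List, Set

# Hex strings of 32/48/64 characters are 128/192/256-bit symmetric keys, the
# form an AES key usually takes when pasted into source. The lookarounds stop
# us matching a window inside a longer hex blob.
HEX_KEY_RE = re.compile(
    r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{64}|[0-9A-Fa-f]{48}|[0-9A-Fa-f]{32})(?![0-9A-Fa-f])"
)

# Assumed list of names that mark a hex value as a digest rather than a key;
# 64-hex SHA-256 values are the classic false positive of entropy scanners.
BENIGN_NAME_RE = re.compile(r"(sha\d*|hash|digest|checksum|crc)", re.IGNORECASE)

# Assumed threshold: a random hex key scores close to 4 bits/char (the maximum
# for 16 symbols); zero-filled or repeated placeholders score near 0.
MIN_ENTROPY_BITS_PER_CHAR = 3.0


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value`, over its own symbol frequencies."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    total = len(value)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def find_candidate_keys(text: str) -> List[Dict]:
    """Return one record per key-sized, high-entropy hex string found in `text`."""
    hits: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HEX_KEY_RE.finditer(line):
            value = match.group(1)
            # Name on the left of the value decides whether it is a digest.
            if BENIGN_NAME_RE.search(line[: match.start()]):
                continue
            entropy = shannon_entropy(value.lower())
            if entropy < MIN_ENTROPY_BITS_PER_CHAR:
                continue
            hits.append({"line": lineno, "bits": len(value) * 4, "value": value, "entropy": entropy})
    return hits


def public_repos_expected_private(repos: Iterable[Dict], expected_private: Set[str]) -> List[str]:
    """Names of repositories that should be private but are currently public."""
    return sorted(r["name"] for r in repos if r["name"] in expected_private and not r.get("private", False))


# Constructed sample source file; not DJI code and not a real key.
SAMPLE_SOURCE = """\
# constructed sample of a firmware tool config
FIRMWARE_VERSION = "v01.00.0000"
FW_KEY_TYPE_1 = "3f8a91c2d4e6b7a0f1c3e5d7b9a2c4e6"
FW_KEY_PLACEHOLDER = "00000000000000000000000000000000"
PACKAGE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
"""

# Constructed repository records in the shape of the GitHub API response.
SAMPLE_REPOS = [
    {"name": "fw-tools", "private": False},
    {"name": "website", "private": False},
    {"name": "flight-control", "private": True},
]
MUST_BE_PRIVATE = {"fw-tools", "flight-control"}


if __name__ == "__main__":
    for hit in find_candidate_keys(SAMPLE_SOURCE):
        print(f"line {hit['line']}: {hit['bits']}-bit key-like value, entropy {hit['entropy']:.2f} bits/char")
    for name in public_repos_expected_private(SAMPLE_REPOS, MUST_BE_PRIVATE):
        print(f"repository {name} is PUBLIC but is expected to be private")
```

Run the key scan over a working tree or as a pre-commit hook, and feed the visibility check with the output of the GitHub "List repositories for the authenticated user" endpoint (its `visibility=public` filter narrows the listing to the repositories that matter here). A scanner like this is a tripwire, not proof of absence: keys stored in other encodings or split across lines slip past it, so treat a clean result as one check among several, and rotate any key a scan does report.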