A Chinese software engineer has been jailed for sharing the private keys of repositories, belonging to the drone-maker company DJI, on GitHub.
The keys in question were exposed publicly in January 2018. Anyone possessing the key along with the right skills and knowledge can decrypt DJI’s encrypted flight control firmware and bypass geofencing and restrictions on DJI drones.
The jailed developer, Li Zhanbin, was an employee of DJI and was responsible for creating codes for both an agriculture-based drone management platform and general programming used in agricultural machinery systems.
He ended up sharing the source code of 4 repositories when he opened an account on GitHub and uploaded the code in a public repo, making it accessible to everyone.
Zhanbin also disclosed a wildcard SSL key for *.dji.com in plain text, using which the drone maker’s website can be spoofed and encrypted communication between DJI drones and their servers in China could be easily decrypted.
The developer in his defense said that he shared the DJI SSL keys and firmware AES keys “unintentionally.” He also deleted the code after realizing his mistake and turned himself in to the authorities, saying that he was willing to bear the “legal consequences” of his actions.
The Shenzhen District Court in China has sentenced Li Zhanbin to six months in prison for exposing trade secrets. The court also fined him 200,000 yuan (under $30,000) for the careless act.
However, DJI claims that the leak of proprietary intellectual property has caused damage of $170,000 in total.
