Slashdot Mirror


Flaw In GoPro Update Mechanism Reveals Users' Wi-Fi Passwords

An anonymous reader writes: A vulnerability in the update mechanism for the wireless networks operated by GoPro cameras has allowed a security researcher to easily harvest over 1,000 login credentials (including his own). The popular rugged, wearable cameras can be controlled via an app, but in order to do so the user has to connect to the camera's Wi-Fi network. Israel-based infosec expert Ilya Chernyakov discovered the flaw when he had to access the network of a friend's camera, but the friend forgot the login credentials.

35 comments

  1. That's cool by Anonymous Coward · · Score: 0

    I don't own a GoPro

    1. Re:That's cool by Anonymous Coward · · Score: 0

      GoPro cameras are overrated garbage.

    2. Re:That's cool by Anonymous Coward · · Score: 0

      I'd go for Sony, Monoprice or a used Canon DSLR

    3. Re:That's cool by Anonymous Coward · · Score: 0

      Hell, a Polaroid Cube is a better action camera than the GoPro.

  2. Sounds familiar by Phreakiture · · Score: 2

    This hack sounds a lot like the one that Weev used to extract info from AT&T. Apparently, GoPro didn't learn from AT&T's mistakes.

    --
    www.wavefront-av.com
  3. Re:Must be powered by linsux by Phreakiture · · Score: 2

    Maybe, maybe not, but nothing about using Linux (FTFY) forces your URLs to be sequentially numbered.

    --
    www.wavefront-av.com
  4. Free Wifi pwds... by MobSwatter · · Score: 1

    That's not a bug, it is one of the new NSA features! This should translate to: If you own a GoPro, you clearly could be a terrorist!

  5. Flaw in NSA backdoor by Anonymous Coward · · Score: 1

    NSA, stop making your backdoors so obvious!

  6. Sweet! by Greyfox · · Score: 2

    This opens an entire new world of free amateur porn and cat videos! It's like the Internet has been invented all over again!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Sweet! by Anonymous Coward · · Score: 1

      It's like the Internet has been invented all over again!

      They're calling it "The Internet of (Broken) Things" this time, and calling password recovery a feature.

  7. Should be fixed by Anonymous Coward · · Score: 1

    US-CERT was already able to quickly locate the GoPro Security Engineers.

  8. Who Cares? by sexconker · · Score: 3, Interesting

    Anyone who's ever updated a Wi-Fi enabled GoPro knows about this.

    When I last did it, the website gave me 2 methods for doing the update - the dummy version where you give them your serial, network name, and password and they spit out the file with the plaintext Wi-Fi password for you, and the not-so-dummy version where you handle your own shit. I don't know if that's changed, but the end result is the same - most users send and receive plaintext network passwords to GoPro and anyone who wants to can update their GoPro Wi-Fi password by booting it with that (modified) update file in the root directory of the SD card.

    Further, who gives a fucking shit? The range on the GoPro's Wi-Fi is so short that someone within Wi-Fi range is a few steps away from physical access anyway, and you only ever use the Wi-Fi when you're actively using the GoPro - you would know immediately when someone connected to it and fucked with it.

    1. Re:Who Cares? by ColdWetDog · · Score: 2

      Really. For all the issues with GoPro's firmware (and they are legion), this really doesn't rise above the background. If you are using a WiFi enabled GoPro for anything resembling a secure system, you are doing something very wrong.

      --
      Faster! Faster! Faster would be better!
    2. Re:Who Cares? by AK+Marc · · Score: 1

      Also, anyone with a WiFi GoPro turns off the WiFi, if they aren't actively looking at it all the time because WiFi kills the battery. The people who bought a WiFi one so they could start and stop the camera with the remote for each run will leave it on, but what could someone do with the WiFi password? Screw up a single recording out of the thousands for the day? Watch what the camera is doing without permission? Mythbusters uses them for the multi-angles from a crash vehicle, but it's not like they are the camera of choice for porn makers, where you could sit outside a porn studio and watch free porn or anything.

      The only thing that could possibly matter about this is people who still haven't heard about password reuse being a bad thing.

      Though, if you were to automate grabbing the pwd and giving the command to wipe data and turn off, it'd be interesting to use in crowds. Everyone with a gopro in a concert would have their footage wiped, or something like that.

    3. Re:Who Cares? by jeffmeden · · Score: 1

      The range on the GoPro's Wi-Fi is so short that someone within Wi-Fi range is a few steps away from physical access anyway, and you only ever use the Wi-Fi when you're actively using the GoPro - you would know immediately when someone connected to it and fucked with it.

      Someone else nearby might download the footage and see what I'm looking at with my GoPro! Oh wait...

    4. Re:Who Cares? by drinkypoo · · Score: 1

      The range on the GoPro's Wi-Fi is so short that someone within Wi-Fi range is a few steps away from physical access anyway.

      So I place a USB wifi stick at the focal point of a baby satellite dish and point it at your camera, cheap and easy

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Who Cares? by Anonymous Coward · · Score: 0

      Maybe I am missing something. The GoPro and your phone connect over a unique SSID/wireless connection you specifically set up to communicate between them. An example, when I want to connect my phone to my GoPro, I turn it on and then connect my phone to the SSID the GoPro is configured to broadcast. What is someone harvesting, the wireless password for the SSID I only use between my GoPro and my phone? Big fking deal. Even if I left my GoPro on, what is the risk, someone within range of my GoPro finds it, connects, and deletes my video or copies down my password so they can delete my photos next time I am nearby them with the GoPro wireless on? What do you do with the "harvested" passwords? Hey, I have the password of that guy in the blue shirt standing over there's GoPro filming his model rocket. Write that down in case we see him again and want to do something with it.

    6. Re:Who Cares? by AK+Marc · · Score: 1

      If you sniff someone's password, if they re-use it places, you could track them down online and try email or bank accounts with that password. If you don't re-use passwords, the worst they could do is delete your card.

  9. Poor QA from GoPro is par for the course by sdguero · · Score: 4, Interesting

    tl;dr GoPro is a shady company that screwed me and a bunch of other customers over with poor QA
    After working with GoPro support, engineering, and getting an email from their CEO blaming the issue on everything from my computer, to SanDisk cards, to a firmware problem; I finally gave up on that company. They wasted over 40 hours of my life on that stupid camera. And while I eventually got a store credit for it (after 3 exchanges, thank you Best Buy!) I'm still stuck with $100 in accessories and I have sworn never to do business with GoPro again.

    1. Re:Poor QA from GoPro is par for the course by drafalski · · Score: 1

      Their poorly made handlebar mounts are apparently well-known for snapping. Wish I'd seen the reviews on them before mine snapped at speed and destroyed my camera when it smashed apart on the pavement.

      At least they offered me a minor discount on purchasing a newer and more expensive camera... Didn't bother taking them up on that.

    2. Re:Poor QA from GoPro is par for the course by thegarbz · · Score: 1

      Par for what course? For the most part reviews on the GoPro have been overwhelmingly positive. For the most part they are far better than the competition both in performance and in construction.

      My own personal experience has been flawless. I've taken my GoPro to -40degC. I've taken it into a confined space firefighting exercise and despite the protective casing melting it worked beautifully. I've dropped it from the 3rd floor of my apartment inside the protective casing, and it survived a very high quad crash without a protective casing.

      It is by far the single most well built and durable camera I've ever owned.

      But since you think so poorly of them, what should I be spending my money on instead?

    3. Re:Poor QA from GoPro is par for the course by Kagetsuki · · Score: 1

      I wonder if they have improved. I got a Hero 3+ Black which had issues in very cold weather - I sent one e-mail, they sent me an RMA form, I sent it out and a week later had a brand new unit. This was maybe 5 months ago - so fairly recent; and it was with support in east Asia so it could be a difference between support teams as well.

      BTW don't discredit accusations of a bad SD card - I've had a few SD cards go bad on me that caused some crazy issues including me bricking a Zaurus during a firmware update.

  10. Awful commentary by LordLimecat · · Score: 1

    I know this is slashdot, but do all of the comments have to be so hopelessly trite? Surely there are easier ways to get positive moderation than regurgitating soundbites about NSA and Linux.

    1. Re:Awful commentary by Anonymous Coward · · Score: 0

      Interestingly, the SystemD whine seems to have completely cooled down. As expected, it finally reached the state where it is just silently accepted.

  11. Or you could put a label on the camera :) by Anonymous Coward · · Score: 0

    Almost as good as putting a label on the camera. (That is not what the linked article is about, I just noticed it).
    http://www.computerworld.dk/fil/123483/1000

    http://www.computerworld.dk/art/230493/saadan-overvaager-politiet-din-nummerplade-helt-automatisk

  12. Israel has too many commies by Anonymous Coward · · Score: 0

    What's with all the commies in .il? Shouldn't it be, .ilsu instead?

  13. Bad SD cards exist by ashpool7 · · Score: 1

    They're even branded SanDisk.

    Anyway, Hero 3+ Black fell out of the sky on a quad (some sort of software bug in the battery) a month after purchase and GoPro replaced it, even though they were under zero obligation to do so.

    YMMV

    1. Re:Bad SD cards exist by Anonymous Coward · · Score: 0

      And how much did you pay to have it replaced?

      As far as I see, GoPro has shit customer service. Go look up some company reviews. They have even tried to invoke the DMCA to cover up negative reviews.

      Crap product backed by a crap company I guess.

    2. Re:Bad SD cards exist by Kagetsuki · · Score: 1

      I only paid one-way shipping on the RMA, which wasn't so much. You had to pay to get yours fixed/replaced?

    3. Re:Bad SD cards exist by Anonymous Coward · · Score: 0

      No, because I never got suckered into buying a GoPro. I've known people who were offered "discounts" on their broken GoPros though. Most of them ended up not taking the offer and just bought better cameras instead.

  14. A bit old by Anonymous Coward · · Score: 0

    I've reported this to GoPro around July 2014 ... response was ... no this is not an issue.

    A bit underwhelming

  15. Re:Who really uses these things anyway? by Kagetsuki · · Score: 1

    While your generalization of GoPro users is probably over 90% accurate they are actually amazingly good action cameras. I use one myself for a variety of motorsports. Eg:
    https://www.youtube.com/watch?...
    Carting requires you to find the fastest line around a course. I use the GoPro video and check my lap times with different lines. What's great about it is the video is very clean - the GoPro has extra processing hardware that cleans up jitters and keeps the colors clean whereas a normal video camera you'll get a blurry mess.

    I'm really not sure how secure you need to keep these things either. The WiFi is really only to control the camera or grab files off of it over the air so I really could care less if someone got the auth credentials to mine.