Slashdot Mirror


Flaw In GoPro Update Mechanism Reveals Users' Wi-Fi Passwords

An anonymous reader writes: A vulnerability in the update mechanism for the wireless networks operated by GoPro cameras has allowed a security researcher to easily harvest over 1,000 login credentials (including his own). The popular rugged, wearable cameras can be controlled via an app, but in order to do so the user has to connect to the camera's Wi-Fi network. Israel-based infosec expert Ilya Chernyakov discovered the flaw when he had to access the network of a friend's camera, but the friend forgot the login credentials.


  1. Sounds familiar by Phreakiture · · Score: 2

    This hack sounds a lot like the one that Weev used to extract info from AT&T. Apparently, GoPro didn't learn from AT&T's mistakes.

    --
    www.wavefront-av.com
  2. Re:Must be powered by linsux by Phreakiture · · Score: 2

    Maybe, maybe not, but nothing about using Linux (FTFY) forces your URLs to be sequentially numbered.

    --
    www.wavefront-av.com
  3. Sweet! by Greyfox · · Score: 2

    This opens an entire new world of free amateur porn and cat videos! It's like the Internet has been invented all over again!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  4. Who Cares? by sexconker · · Score: 3, Interesting

    Anyone who's ever updated a Wi-Fi enabled GoPro knows about this.

    When I last did it, the website gave me 2 methods for doing the update - the dummy version where you give them your serial, network name, and password and they spit out the file with the plaintext Wi-Fi password for you, and the not-so-dummy version where you handle your own shit. I don't know if that's changed, but the end result is the same - most users send and receive plaintext network passwords to GoPro and anyone who wants to can update their GoPro Wi-Fi password by booting it with that (modified) update file in the root directory of the SD card.

    Further, who gives a fucking shit? The range on the GoPro's Wi-Fi is so short that someone within Wi-Fi range is a few steps away from physical access anyway, and you only ever use the Wi-Fi when you're actively using the GoPro - you would know immediately when someone connected to it and fucked with it.

    1. Re:Who Cares? by ColdWetDog · · Score: 2

      Really. For all the issues with GoPro's firmware (and they are legion), this really doesn't rise above the background. If you are using a WiFi enabled GoPro for anything resembling a secure system, you are doing something very wrong.

      --
      Faster! Faster! Faster would be better!
  5. Poor QA from GoPro is par for the course by sdguero · · Score: 4, Interesting

    tl;dr GoPro is a shady company that screwed me and a bunch of other customers over with poor QA.
    After working with GoPro support, engineering, and getting an email from their CEO blaming the issue on everything from my computer, to SanDisk cards, to a firmware problem; I finally gave up on that company. They wasted over 40 hours of my life on that stupid camera. And while I eventually got a store credit for it (after 3 exchanges, thank you Best Buy!) I'm still stuck with $100 in accessories and I have sworn never to do business with GoPro again.