Company appears not to have fixed the glitch

Mar 4, 2015 22:21 GMT

A security researcher from Israel found that the passwords for the GoPro WiFi networks can be easily retrieved through the reset mechanism available from the vendor’s servers.

The footage stored by GoPro cameras on the SD card can be viewed and managed through a mobile app that connects over a wireless ad-hoc network set up by the camera.

WiFi SSID and password available in plain text

Ilya Chernyakov tried using one such device, but he had no password to connect to it from his mobile device.

He therefore initiated a password reset, which for some camera models consists of retrieving a ZIP archive that contains the firmware and a configuration file with the password and the name (SSID, service set identifier) of the wireless network.

However, it appears that the URL the archive is retrieved from can be manipulated to access someone else’s wireless settings.

This is possible because the data is saved in sequentially created folders whose names appear without any obfuscation in the update link, according to the information provided in a blog post by Chernyakov.

Problem appears to be fixed

He provides the link in a blog post, and at the moment of writing this article, the archive could still be downloaded, suggesting that GoPro took no action to eliminate the issue.

However, in an update on Tuesday the researcher reported that the problem no longer existed. At the moment, changing the folder number to reach the update files of other customers causes an error message to be displayed.

If the issue has indeed been solved, the vendor has done it silently. On GoPro’s website, the latest firmware update available is from February 10, 2015, for the HERO3+ camera model.
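One way a server can make an altered folder number fail, shown as an added example that is neither GoPro's code nor the researcher's: the download link carries an HMAC over the folder number, the requesting account and an expiry time. The secret, the `/reset/<id>/settings.zip` path, the lifetime and the account identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Assumptions for illustration: key, TTL, URL layout and account ids are constructed.
SERVER_KEY = b"constructed-demo-key"   # load from a secrets store in practice
LINK_TTL = 900                         # seconds a reset link stays valid


def _sign(folder_id, account_id, expires):
    """HMAC-SHA256 over every field the client could otherwise alter."""
    msg = f"{folder_id}|{account_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(folder_id, account_id, now=None):
    """Build the download path for the authenticated owner of folder_id."""
    expires = int(time.time() if now is None else now) + LINK_TTL
    sig = _sign(folder_id, account_id, expires)
    return f"/reset/{folder_id}/settings.zip?exp={expires}&sig={sig}"


def authorize(path, session_account, now=None):
    """Return True only for an unexpired link issued to this account and folder."""
    parts = urlsplit(path)
    segments = parts.path.strip("/").split("/")
    query = parse_qs(parts.query)
    try:
        folder_id = int(segments[1])
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (IndexError, KeyError, ValueError):
        return False                      # malformed or unsigned request
    if (time.time() if now is None else now) > expires:
        return False                      # link has expired
    expected = _sign(folder_id, session_account, expires)
    # Constant-time comparison so the check does not leak signature bytes.
    return hmac.compare_digest(expected.encode(), sig.encode())


if __name__ == "__main__":
    link = issue_link(1042, "acct-A", now=1_000)
    neighbour = link.replace("/reset/1042/", "/reset/1043/")
    print(authorize(link, "acct-A", now=1_001))       # owner, valid link
    print(authorize(neighbour, "acct-A", now=1_001))  # folder number changed
    print(authorize(link, "acct-B", now=1_001))       # different account
```

Because the folder number is part of the signed message, the identifier can stay sequential on the server without being usable by anyone who was not issued a link for it.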

Researcher creates PoC Python script

Chernyakov says that he created a Python script as a proof-of-concept (PoC) for exploiting the flaw en masse and obtaining the WiFi information. The code is designed to plow through the update links and extract the necessary wireless details, placing them in a CSV file.

The researcher says he could extract no fewer than 1,000 names and passwords for different wireless networks.

Such a security oversight from GoPro could be exploited by an attacker roaming among gatherings of extreme sports lovers to access or remove footage from the cameras.

“I decided not to attack the users. It takes time driving around snowboarders and divers, looking for Wi-Fi networks of the GoPro cameras. Another reason is ethics of course: we are dealing with personal data, and some people may be insulted,” says the researcher in a blog post.