Device can stream without giving signs of activity

Jun 1, 2015 20:13 GMT

Researchers at a security firm showed how a weakly protected connection between a GoPro camera and a smartphone can be exploited by an attacker to turn the recording device into a full-fledged spying gadget.

Ken Munro from the UK-based penetration testing company Pen Test Partners conducted the experiment, which led to taking complete control of a GoPro Hero4 model after cracking the password for inter-device Wi-Fi connectivity.

Cracking passwords and privacy

The success of the demonstration did not necessarily rely on a vulnerability in the camera or the software powering it, but on the human element: users who, in many cases, set weak passwords for convenience.

GoPro cameras can be controlled from a smartphone, the link between the two being established wirelessly, based on a user-defined password. However, many users disregard the importance of this connection and protect it with easy-to-guess strings.

Munro showed BBC reporters how quick and easy it is to crack a weak password for a camera in range, guessing one in less than a minute. This was achieved via a dictionary attack, which tried multiple words until a matching one was found.

From there, Munro was able to manipulate the device and make it stream both audio and video to his smartphone, keeping the recording light turned off, thus not alerting the owner of the surreptitious activity.

A strong password is key to avoiding unwanted eavesdropping

In GoPro cameras, even if the gadget is turned off by pressing the power button, Wi-Fi functionality can still be active, allowing for a connection with a smartphone.

This is how the cameras have been set up to work, and the practice is common for extending battery life. There is an indication that Wi-Fi is running, though, as the corresponding LED light flashes at a regular interval.

With the device still open for connection, the Wi-Fi key can be intercepted with freely available software, and then the cracking activity can start.

Regardless of the asset it protects, a password should be as strong and as long as possible. A combination of upper- and lower-case characters, symbols and numbers in a string of 16 characters is considered secure enough, although the current standard is moving towards passphrases.

GoPro says that the recommendation for its customers is to create a password between 8 and 16 characters, but in the end, its complexity depends entirely on the user.