GoPro update mechanism flaw discovered that enables Wi-Fi passwords to be harvested
A security researcher has discovered a flaw with GoPro's software update mechanism that enables users to harvest the Wi-Fi passwords of other users' GoPro cameras.
The flaw was discovered by Israel-based Ilya Chernyakov, who was trying to access his friend's GoPro wearable camera using the app.
In order to control a GoPro remotely, the user has to log in to the Wi-Fi network broadcast by the GoPro camera.
However, Chernyakov's friend had forgotten the login details for the camera's Wi-Fi network, so Chernyakov had to go through the standard procedure of resetting the Wi-Fi settings on the official GoPro website.
"In order to reset your Wi-Fi settings you need to follow the directions on the GoPro website. It is a pretty simple procedure, with Next -> Next -> Finish that ends up with a link, to a zip file," he explained in a blog post.
"When you download this file, you get a zip archive which you're supposed to copy to a SD card, put it in your GoPro and reboot the camera."
The interesting thing is that the link given to users to download the zip archive, which fixes the Wi-Fi password problem, can be manipulated. Take, for example, the link:
http://cbcdn2.gp-static.com/uploads/firmware-bundles/firmware_bundle/8605145/UPDATE.zip
Chernyakov discovered that if he changed the number in the URL, he could download other zip archives, each of which contains the network's login credentials in plain text.
By using a Python script, he was able to download 1,000 archive files and compile a list of Wi-Fi names and passwords.
Of course, it's not as easy to hack into people's GoPro cameras as it would be with a device that is mostly stationary, like a PC or smart fridge.
"It takes time driving around snowboarders and divers, looking for Wi-Fi networks of the GoPro cameras. Theoretically, though, it should be a simple code to write," wrote Chernyakov.
"All you need is to check for each network that is near you against the list from the GoPro website, and if it is there, get all of the files."
He advises that in order to better protect users' data, GoPro needs to delete the data from the server after the user downloads the new Wi-Fi instructions.
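The remedy described above, sketched as an added example (this is not GoPro's code or Chernyakov's script): each bundle is stored under a random token rather than a sequential number, is deleted on first download, and expires if never collected. The `BundleStore` class, its method names and the 15-minute lifetime are assumptions made for illustration.

```python
import secrets
import time


class BundleStore:
    """In-memory stand-in for the server that hosts generated UPDATE.zip bundles."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self._ttl = ttl_seconds          # assumed lifetime: 15 minutes
        self._clock = clock              # injectable so expiry can be tested
        self._bundles = {}               # token -> (expiry, zip_bytes)

    def publish(self, zip_bytes):
        """Store a bundle under a 256-bit random token, not a guessable counter."""
        token = secrets.token_urlsafe(32)
        self._bundles[token] = (self._clock() + self._ttl, zip_bytes)
        return token

    def download(self, token):
        """Return the bundle once, then forget it.

        Unknown, already-used and expired tokens all yield None, so a caller
        cannot tell them apart.
        """
        entry = self._bundles.pop(token, None)   # pop = delete on first download
        if entry is None:
            return None
        expiry, zip_bytes = entry
        if self._clock() > expiry:
            return None
        return zip_bytes

    def purge_expired(self):
        """Drop bundles nobody collected in time so credentials do not linger."""
        now = self._clock()
        stale = [t for t, (exp, _) in self._bundles.items() if now > exp]
        for t in stale:
            del self._bundles[t]
        return len(stale)


if __name__ == "__main__":
    store = BundleStore()
    # Constructed sample payload standing in for a real settings archive.
    token = store.publish(b"constructed-zip-with-ssid-and-password")
    print("download path: /firmware-bundles/%s/UPDATE.zip" % token)
    print("first fetch  :", store.download(token) is not None)   # True
    print("second fetch :", store.download(token) is not None)   # False
```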
Chernyakov was unable to contact GoPro, so he notified US-CERT, a part of the US Department of Homeland Security, instead, and was told today, 4 March, that GoPro's security engineers have sorted out the problem.
IBTimes UK has contacted GoPro for comment on the issue.