Amateur and professional photographers alike love the GoPro, a durable little camera that users can control remotely to record just about anything on Earth. As it turns out, though, cybercriminals may love the GoPro as well. A new report suggests that GoPros may be eminently crackable, and that a weak password could lead to unprecedented control over the devices.
Pen Test Partners, a security firm based in Middle Claydon, England, brought its findings to the BBC, and explained that a poor password could let malefactors take remote control of a GoPro through a Web browser. This isn't just a password-strength issue: once he or she has the password, a savvy intruder could manipulate a GoPro on a very fine level in order to steal photos and videos, or even stream a live feed in real time.
To test the GoPro's security, Pen Test Partners researchers tried to brute-force their way into the GoPro from a laptop on the same Wi-Fi network. Using "pointless" and "Sausages" as test passwords, and a regular graphics card to run password-cracking software on the laptop, the researchers were able to get in within seconds.
Fair enough, you might say, but insecure passwords are hardly unique to GoPros. While that's true, the fact remains that once in, a malefactor could wreak an unusual amount of havoc with a compromised GoPro. Whereas other devices might have secondary security features, such as pairing codes, the GoPro seems to takes a more lackadaisical approach.
Beginning with the latest model of camera, the Hero4, pairing a GoPro with a Wi-Fi network does require a pairing number, provided by the camera itself, but it makes a user input this number only once. Once the number is entered, the GoPro can communicate with any device on the same Wi-Fi network.
Malicious users can send commands to a GoPro via HTTP, meaning that any Web browser can help accomplish the task. Just by manipulating the URL bar, an unauthorized user can make the GoPro beep incessantly, start a recording, access its stored photos and videos or even tell it to start streaming. (This is obviously problematic for users who keep their GoPros in their bedrooms.)
Even turning off the GoPro is not necessarily a barrier to foul play. Once an intruder has accessed a GoPro, he or she can tell it to "wake from sleep" as long as Wi-Fi is still enabled, provided that he or she has the device's MAC address, a unique networking number. The MAC address is, of course, one of many things a user can access through HTTP commands.
"Wi-Fi-enabled devices must provide the user's password to access the Hero4 Wi-Fi network," GoPro told the BBC. "We require our customers to create a password 8-16 characters in length; it's their choice to decide how complex they want it to be. As is true of all password-protected devices and services, if a password is easily guessable, a user is more prone to someone predicting what it is."
Having remote features accessible is usually a good thing, but the GoPro's are arguably too open and too prone to exploitation. On the other hand, savvy users could argue that setting strong passwords is a necessity, regardless of device, and that complex passwords usually can't be brute-forced. Indeed, Pen Test Partners' primary recommendation is to employ a strong Wi-Fi password.
Users can also turn off their GoPros' Wi-Fi by holding down the button on the camera's left side for three seconds when the device is not in use. There's no evidence that malefactors have taken advantage of the GoPro's vulnerabilities in the wild, but given its relative simplicity, a little caution could go a long way.