Wireless Networking Security

Flaw In GoPro Update Mechanism Reveals Users' Wi-Fi Passwords

An anonymous reader writes: A vulnerability in the update mechanism for the wireless networks operated by GoPro cameras has allowed a security researcher to easily harvest over 1,000 login credentials (including his own). The popular rugged, wearable cameras can be controlled via an app, but in order to do so the user has to connect to the camera's Wi-Fi network. Israel-based infosec expert Ilya Chernyakov discovered the flaw when he had to access the network of a friend's camera, but the friend forgot the login credentials.
  • by Phreakiture ( 547094 ) on Tuesday March 03, 2015 @01:27PM (#49172877) Homepage

    This hack sounds a lot like the one that Weev used to extract info from AT&T [huffingtonpost.com]. Apparently, GoPro didn't learn from AT&T's mistakes.

  • That's not a bug, it is one of the new NSA features! This should translate to: if you own a GoPro, you clearly could be a terrorist!

  • by Anonymous Coward

    NSA, stop making your backdoors so obvious!

  • by Greyfox ( 87712 ) on Tuesday March 03, 2015 @01:38PM (#49172991) Homepage Journal
    This opens an entire new world of free amateur porn and cat videos! It's like the Internet has been invented all over again!
    • by Anonymous Coward

      It's like the Internet has been invented all over again!

      They're calling it "The Internet of (Broken) Things" this time, and calling password recovery a feature.

  • by Anonymous Coward
    US-CERT was already able to quickly locate the GoPro Security Engineers.
  • Who Cares? (Score:4, Interesting)

    by sexconker ( 1179573 ) on Tuesday March 03, 2015 @01:53PM (#49173117)

    Anyone who's ever updated a Wi-Fi enabled GoPro knows about this.

    When I last did it, the website gave me 2 methods for doing the update - the dummy version where you give them your serial, network name, and password and they spit out the file with the plaintext Wi-Fi password for you, and the not-so-dummy version where you handle your own shit. I don't know if that's changed, but the end result is the same - most users send and receive plaintext network passwords to GoPro and anyone who wants to can update their GoPro Wi-Fi password by booting it with that (modified) update file in the root directory of the SD card.

    Further, who gives a fucking shit? The range on the GoPro's Wi-Fi is so short that someone within Wi-Fi range is a few steps away from physical access anyway, and you only ever use the Wi-Fi when you're actively using the GoPro - you would know immediately when someone connected to it and fucked with it.

    • Really. For all the issues with GoPro's firmware (and they are legion), this really doesn't rise above the background. If you are using a WiFi enabled GoPro for anything resembling a secure system, you are doing something very wrong.

    • by AK Marc ( 707885 )
      Also, anyone with a WiFi GoPro turns off the WiFi if they aren't actively looking at it all the time, because WiFi kills the battery. The people who bought a WiFi one so they could start and stop the camera with the remote for each run will leave it on, but what could someone do with the WiFi password? Screw up a single recording out of the thousands for the day? Watch what the camera is doing without permission? Mythbusters uses them for the multi-angles from a crash vehicle, but it's not like they are
    • The range on the GoPro's Wi-Fi is so short that someone within Wi-Fi range is a few steps away from physical access anyway, and you only ever use the Wi-Fi when you're actively using the GoPro - you would know immediately when someone connected to it and fucked with it.

      Someone else nearby might download the footage and see what I'm looking at with my gopro! Oh wait...

    • The range on the GoPro's Wi-Fi is so short that someone within Wi-Fi range is a few steps away from physical access anyway.

      So I place a USB wifi stick at the focal point of a baby satellite dish and point it at your camera, cheap and easy

  • by sdguero ( 1112795 ) on Tuesday March 03, 2015 @02:03PM (#49173221)
    tl;dr GoPro is a shady company that screwed me and a bunch of other customers over with poor QA
    After working with GoPro support, engineering, and getting an email from their CEO blaming the issue on everything from my computer, to SanDisk cards, to a firmware problem; I finally gave up on that company. They wasted over 40 hours of my life on that stupid camera. And while I eventually got a store credit for it (after 3 exchanges, thank you Best Buy!) I'm still stuck with $100 in accessories and I have sworn never to do business with GoPro again.
    • They're even branded SanDisk.

      Anyway, Hero 3+ Black fell out of the sky on a quad (some sort of software bug in the battery) a month after purchase and GoPro replaced it, even though they were under zero obligation to do so.

      YMMV

    • Their poorly made handlebar mounts are apparently well-known for snapping. Wish I'd seen the reviews on them before mine snapped at speed and destroyed my camera when it smashed apart on the pavement.

      At least they offered me a minor discount on purchasing a newer and more expensive camera... Didn't bother taking them up on that.

    • Par for what course? For the most part reviews on the GoPro have been overwhelmingly positive. For the most part they are far better than the competition both in performance and in construction.

      My own personal experience has been flawless. I've taken my go pro to -40degC. I've taken it into a confined space firefighting exercise and despite the protective casing melting it worked beautifully. I've dropped it from the 3rd floor of my apartment inside the protective casing, and it survived a very high quad cr

    • I wonder if they have improved. I got a Hero 3+ Black which had issues in very cold weather - I sent one e-mail, they sent me an RMA form, I sent it out and a week later had a brand new unit. This was maybe 5 months ago - so fairly recent; and it was with support in east Asia so it could be a difference between support teams as well.

      BTW don't discredit accusations of a bad SD card - I've had a few SD cards go bad on me that caused some crazy issues including me bricking a Zaurus during a firmware update.

  • I know this is slashdot, but do all of the comments have to be so hopelessly trite? Surely there are easier ways to get positive moderation than regurgitating soundbites about NSA and Linux.
