Now that Wi-Fi network functionality is finding its way into more stills and video cameras, it is easy to overlook potential network vulnerabilities. An Israeli information security expert discovered a weakness in GoPro’s firmware update mechanism that allowed him to harvest over a thousand user log-in details. But don’t panic – the expert, Ilya Chernyakov, indirectly informed GoPro and a fix is on its way.
A strength is also a weakness
The ultimate source of the vulnerability lies in users’ ability to control their GoPros via an app. This can be regarded as a strength, but it requires the camera to run its own Wi-Fi network, and users need to connect their devices via that camera-based network.
But what if you forget your Wi-Fi log-in details as so many of us tend to do? The answer lies in resetting your camera’s network username and password. Chernyakov followed GoPro’s directions and discovered the weakness in the system. The zip file he downloaded as part of the resetting process included the camera’s unique identification number. All he needed to do to obtain log-in details for thousands of other GoPro cameras was change the ID number. He did exactly that with the help of a Python script and compiled a list of other users’ log-in names and passwords.
Human nature follows similar patterns and most of us re-use usernames and passwords across a range of devices, networks and accounts. Find out a user’s log-in details for the GoPro and you may well have them for their computer and maybe even for their online banking. That is where the real problem resides.
When the implications of all this dawned on Mr Chernyakov, he informed the United States Computer Emergency Readiness Team aka US-CERT at the Department of Homeland Security and the latter would have notified GoPro.
The assumption is that a fix will be in the works and available soon. We suggest you keep an eye on the GoPro website and social media accounts over the next few days.
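One way to close the kind of weakness described above is to stop treating the ID in the download link as proof of ownership. The sketch below is an added example, not GoPro's code or anything from the researcher's post; the camera IDs, settings strings, function names and the HMAC-signed link format are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical names throughout; this is not GoPro's implementation.
SERVER_KEY = secrets.token_bytes(32)  # secret that never leaves the server
TOKEN_TTL = 600                       # seconds a reset link stays valid

# Constructed sample data: camera ID -> contents of its settings package.
PACKAGES = {
    "1000001": "ssid=alice-cam;password=constructed-1",
    "1000002": "ssid=bob-cam;password=constructed-2",
}

def fetch_vulnerable(camera_id):
    """Weak pattern: whoever supplies an ID gets that camera's settings."""
    return PACKAGES.get(camera_id)

def _sign(camera_id, expires):
    """MAC over the ID and expiry, so neither can be changed by the client."""
    msg = f"{camera_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_link(camera_id, now=None):
    """Assumed to run only after the requester has proven ownership of
    camera_id (for example, a logged-in account the camera is registered to)."""
    issued = int(now if now is not None else time.time())
    expires = issued + TOKEN_TTL
    return {"id": camera_id, "exp": expires, "sig": _sign(camera_id, expires)}

def fetch_hardened(link, now=None):
    """Serve the package only for an untampered, unexpired link."""
    now = int(now if now is not None else time.time())
    expected = _sign(link["id"], link["exp"])
    # Constant-time comparison; editing the ID or expiry breaks the MAC.
    if not hmac.compare_digest(expected, str(link["sig"])):
        return None
    if now > int(link["exp"]):
        return None
    return PACKAGES.get(link["id"])
```

Storing the settings package without the plain-text password, and alerting when one client requests many different camera IDs, would complement the signed link.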
Flaw in GoPro update mechanism reveals users' Wi-Fi passwords
Via Help Net Security:
A vulnerability in the update mechanism for the wireless networks operated by GoPro cameras has allowed a security researcher to easily harvest over 1,000 login credentials (including his own).
The popular rugged, wearable cameras can be controlled via an app, but in order to do so the user has to connect to the camera's Wi-Fi network.
Israel-based infosec expert Ilya Chernyakov discovered the flaw when he had to access the network of a friend's camera, but the friend forgot the login credentials.
“In order to reset your Wi-Fi settings you need to follow the directions on the GoPro website. It is a pretty simple procedure, with Next -> Next -> Finish that ends up with a link to a zip file. When you download this file, you get a zip archive which you are supposed to copy to an SD card, put it in your GoPro and reboot the camera,” he explained in a blog post.
After going through this process, he received the zip archive, and in it he found a file that contained the desired settings for the camera, including the network's login credentials in plain text.
But the download link for the zip archive revealed more than it should…
Read full article at Help Net Security “Flaw in GoPro update mechanism reveals users' Wi-Fi passwords”
Note: it is our policy to give credit as well as deserved traffic to our news sources – so we don't repost the entire article – sorry, I know you want the juicy bits, but I feel it is only fair that their site get the traffic and besides, you just might make a new friend and find an advertiser that has something you've never seen before.
(cover photo credit: snap from Help Net Security)