Flaw in GoPro update mechanism reveals users’ Wi-Fi passwords
A vulnerability in the update mechanism for the wireless networks operated by GoPro cameras has allowed a security researcher to easily harvest over a 1,000 login credentials (including his own).
The popular rugged, wearable cameras can be controlled via an app, but in order to do so the user has to connect to the camera’s Wi-Fi network.
Israel-based infosec expert Ilya Chernyakov discovered the flaw when he had to access the network of a friend’s camera, but the friend forgot the login credentials.
“In order to reset your Wi-Fi settings you need to follow the directions on the GoPro website. It is pretty simple procedure, with Next -> Next -> Finish that ends up with a link, to a zip file. When you download this file, you get a zip archive which you supposed to copy to a SD card, put it in your GoPro and reboot the camera,” he explained in a blog post.
After going through this process, he received the zip archive, and in it he found a file that contained the desired settings for the camera, including the network’s login credentials in plain text.
But the download link for the zip archive revealed more than it should:
The number contained in it, which identifies this particular camera, can be easily changed, and the new URL will lead to other zip archives, containing plain-text login credentials for Wi-Fi networks of other cameras in use around the world.
Chernyakov tested the attack with the help of a Python script, downloaded a thousand of these archive files, and compiled a list of Wi-Fi names and passwords.
He didn’t do it to attack users. “It takes time driving around snowboarders and divers, looking fro a Wi-Fi networks of the GoPro cameras,” he noted, effectively explaining the limits of such an attack.
But a list like the one he compiled – or a more extensive one – could be used by attackers to brute-force their way into other networks or online services. After all, it’s a well known fact that many users re-used their login credentials over and over again.
Chernyakov notified US-CERT of this flaw, and they notified GoPro, so a fix is probably already in the works.
“As a quick mitigation I would consider replacing the number in the URL with a GUID or some other type of random value to make it harder to guess the links,” says Chernyakov, adding that it would be a good idea to delete this kind of data from the server after the user downloads it.