Action video camera vendor GoPro has announced that it is riding into the Tour de France with a promotional video to celebrate being named the official camera of the world's largest annual sporting event with a worldwide television audience of some 4 billion people, but not before the BBC reported how GoPro cameras could be used to spy on their owners.
According to security company Pen Test Partners, it is way too easy to take control of GoPro cameras and one of the partners at the outfit, Ken Munro, showed demonstrated how. He showed the BBC how a GoPro Hero4 could be used to eavesdrop on users, or to view existing video footage and delete it if desired, despite appearing to be switched off. The problem stems from users who had set the device up with simple passwords, then when the camera was put into sleep mode it could still be accessed via a wireless connection and that simple password cracked to give the attacker control.
Of course, as with all such things, it's not quite as black and white as that paragraph might suggest. The user would first have to be using a pretty lame Wi-Fi password which would be set up when the camera was connected to a mobile device such as a smartphone. Secondly, the attacker would have to intercept this encrypted key, and crack it, a standard man-in-the-middle affair but not a typical attack scenario for your average action camera user I would imagine. That said, Ken made his point to the BBC by setting a crappy password of sausages and this was cracked in under 60 seconds.
GoPro insists the security it uses, WPA2-PSK (which is probably what you use on your home Wi-Fi router to be fair) is adequate, and that it requires customers to use a password of between 8 and 16 characters. What it doesn't do is make any demands upon the user in terms of password complexity, so no minimum requirements of character mix. That's where Ken Munro wins and GoPro loses in my never humble opinion.
But it gets worse for GoPro, as now Pen Test Partners has also explained in a blog posting how the GoPro Studio editing software was making update requests using an unencrypted HTTP connection which could enable an attacker on public Wi-Fi to inject a potential fake malicious download code update instead. "It’s fairly easy to add malicious code into pre-existing binaries and therefore we could abuse this to introduce backdoors to the victim whilst also letting them update their GoPro Studio software at the same time" the post warns.
Tim Erlin, Director of Security at Tripwire comments "delivering a malicious update file is certainly not a new type of attack. Validating software in a way that’s effective and usable continues to be a problem for the industry. Users have been tricked into installing malicious software in a variety of ways, from compromise of the actual source to a simple email attachment. To exploit this vulnerability, an attacker would have to control the users DNS resolution, and the user would have to ignore Microsoft’s software validation warnings to install the file. The use of HTTPS isn’t really a fix for this issue, though it increases the difficulty for the attacker. If we assume that a user will click through software validation warnings, an attacker could take control of their internet connection to deliver malicious updates, or simply email them the file to install."