SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
ESET asks: Is your GoPro camera secretly spying on you?
Mon, 8th Jun 2015

A BBC News report has once again highlighted the importance of using hard-to-crack passwords, after researchers revealed just how easy it could be for hackers to break into GoPro cameras – and use them to secretly spy upon you.

The problem is not so much with the popular GoPro camera itself, but with the passwords users choose when they set up the devices.

When you first use a GoPro camera, chances are that you will want to remotely control it from your smartphone, and you're made to change the device's default WiFi password to something else.

That's certainly a sensible step.

The problem is that many users, particularly because they are configuring the camera's settings from a mobile phone app, won't use a complex, lengthy password containing funny characters and jumbled-up letters and numbers.

Instead, chances are, they will choose a simple password like “Sausages”.

And, as Ken Munro of Pen Test Partners demonstrated to the BBC, a password like that can be cracked in a couple of seconds by using readily-accessible databases of dictionary words and commonly-used passwords.

In short, sausages – and other easy-to-crack passwords – should be off the menu.

Because if a hacker manages to crack your GoPro's password, they can access your GoPro anytime they like if they are in Wi-Fi range, turning off the LED indicator so you cannot tell that it is watching you, and disabling any bleeps designed to tell you that filming has begun.

Furthermore, a hacker could access any recordings you have previously made.

Finally, and this is the real cherry on the pie, a hacker can do all this even if your GoPro camera is switched off.

The problem there is that when you switch your GoPro camera off it isn't *completely* off, unless you have turned off its WiFi as well beforehand (a good idea anyway, as it will help save battery life).

When confronted with the demonstration, GoPro issued a statement reminding customers of the importance of strong passwords:

“We follow the industry-standard security protocol called WPA2-PSK (pre-shared key) mode. Wi-fi-enabled devices must provide the user's password to access the Hero4 wi-fi network. This is the same as other wi-fi networks using that protocol.

“We require our customers to create a password 8-16 characters in length; it's their choice to decide how complex they want it to be. As is true of all password-protected devices and services, if a password is easily guessable, a user is more prone to someone predicting what it is.”

The message then? For all of your devices, whether a GoPro camera or not, you should use unique, hard-to-crack passwords.

If, after reading this, you feel it might be wise to change your GoPro's password, you can follow the advice on the GoPro website.

Of course, unless you have a brain the size of a planet, you're going to find it hard to both dream up sufficiently hard-to-crack passwords *and* remember them. My recommendation is to use password management software which will do the job for you. Don't just use these kinds of programs to remember your website passwords – you should also use strong, hard-to-crack passwords for all apps and devices which require them.

And if you are using a GoPro camera, please remember to disable WiFi whenever the device is switched off.
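
As an added illustration (not part of the original article, and not GoPro or ESET code), the Python example below checks a candidate camera password against the 8-16 character rule and a wordlist, catching disguised words such as "S4us4ges1!", and generates a random replacement. The wordlist is a constructed sample, the allowed symbol set is an assumption, and all function names are hypothetical.

```python
import math
import secrets
import string

# Constructed sample; a real check would load a large list of dictionary
# words and commonly used passwords.
SAMPLE_WORDLIST = {"sausages", "password", "football", "sunshine", "gopro123"}

# Assumed character set; confirm which symbols the camera app accepts.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

# Common character swaps that wordlist-based guessing already accounts for.
LEET = str.maketrans("0134578@$!", "oleastbasi")


def normalise(candidate):
    """Strip the usual disguises: case, trailing digits/symbols, leet swaps."""
    core = candidate.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET)


def audit(candidate, wordlist=SAMPLE_WORDLIST):
    """Return (ok, reason) for a candidate camera Wi-Fi password."""
    if not 8 <= len(candidate) <= 16:
        return False, "length must be 8-16 characters"
    if candidate.lower() in wordlist or normalise(candidate) in wordlist:
        return False, "derived from a wordlist entry"
    if len(set(candidate)) < 5:
        return False, "too few distinct characters"
    return True, "not derived from the wordlist"


def generate(length=16):
    """Random password from a CSPRNG, at the 16-character maximum by default."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def search_space_bits(length, symbols=len(ALPHABET)):
    """Bits of guessing work for a uniformly random password."""
    return length * math.log2(symbols)


if __name__ == "__main__":
    for pw in ("Sausages", "S4us4ges1!", generate()):
        print(pw, audit(pw))
    print(f"wordlist pick: {math.log2(len(SAMPLE_WORDLIST)):.1f} bits; "
          f"random 16 chars: {search_space_bits(16):.1f} bits")
```

A password that passes only shows it is not derived from the list supplied, so the generated random value, stored in a password manager, is the safer choice.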

By Graham Cluley, We Live Security
