Story image

ESET asks: Is your GoPro camera secretly spying on you?

08 Jun 15

BBC News report has once again highlighted the importance of using hard-to-crack passwords, after researchers revealed just how easy it could be for hackers to break into GoPro cameras – and use them to secretly spy upon you.

The problem is not so much with the popular GoPro camera itself, but with the passwords users choose when they set up the devices.

When you first use a GoPro camera, chances are that you will want to remotely control it from your smartphone, and you’re made to change the device’s default WiFi password to something else.

That’s certainly a sensible step.

The problem is that many users, particularly because they are configuring the camera’s settings from a mobile phone app, won’t use a complex lengthy password containing funny characters and jumbled up letters and numbers.

Instead, chances are, they will choose a simple password like “Sausages”.

And, as Ken Munro of Pen Test Partners demonstrated to the BBC, a password like that can be cracked in a couple of seconds by using readily-accessible databases of dictionary words and commonly-used passwords.

In short, sausages – and other easy-to-crack passwords – should be off the menu.

Because if a hacker manages to crack your GoPro’s password then they can access your GoPro anytime you like if they are in Wi-Fi range, turning off the LED indicator so you cannot tell that it is watching you, and disabling any bleeps designed to tell you that filming has begun.

Furthermore, a hacker could access any recordings you have previously made.

Finally, and this is the real cherry on the pie, a hacker can do all this even if your GoPro camera is switched off.

The problem there is that when you switch your GoPro camera off it isn’t *completely* off, unless you had turned off its WiFi as well beforehand (a good idea anyway, as it will help save battery life).

When confronted with the demonstration, GoPro issued a statement reminding customers of the importance of strong passwords:

“We follow the industry-standard security protocol called WPA2-PSK (pre-shared key) mode. Wi-fi-enabled devices must provide the user’s password to access the Hero4 wi-fi network. This is the same as other wi-fi networks using that protocol.”

“We require our customers to create a password 8-16 characters in length; it’s their choice to decide how complex they want it to be. As is true of all password-protected devices and services, if a password is easily guessable, a user is more prone to someone predicting what it is.”

The message then? For all of your devices, whether a GoPro camera or not, you should use unique, hard-to-crack passwords.

If, after reading this, you feel it might be wise to change your GoPro’s password, you can follow the advice on the GoPro website.

Of course, unless you have a brain the size of a planet, you’re going to find it hard to both dream up sufficiently hard-to-crack passwords *and* remember them. My recommendation is to use password management software which will do the job for you. Don’t just use these kind of programs to remember your website passwords – you should also use strong, hard-to-crack passwords for all apps and devices which require them.

And if you are using a GoPro camera, please remember to disable WiFi whenever the device is switched off.

By Graham Cluley, We Live Security

To learn more about ESET, please visit their website. 

NZ Internet Task Force joins iSANZ Hall of Fame
NZITF chair Barry Brailey and former chairs Mike Seddon and Paul McKitrick received the award in Auckland last week.
Quantum computing: The double-edged sword for cybersecurity
Quantum computing is quickly moving from science fiction to reality.
Three ways to achieve data security whilst enabling BYOD
"A mobility strategy is now more important than ever before, that said, selecting the right one is often no small task."
How IoT and hybrid cloud will change in 2019
"Traditional VPN software solutions are obsolete for the new IT reality of hybrid and multi-cloud."
WatchGuard’s eight (terrifying) 2019 security predictions
The next evolution of ransomware, escalating nation-state attacks, biometric hacking, Wi-Fi protocol security, and Die Hard fiction becomes reality.
GCSB's CORTEX project scoops iSANZ Award
“I believe this award is particularly significant as it is acknowledgement from our peers in the information security industry and from across the private sector."
NZ firms lack cybersecurity confidence, HP survey says
Out of 434 of New Zealand’s small and large businesses, only half (50%) feel confident that they would be able to cope if they experienced a significant cybersecurity breach.
SonicWall secures hybrid clouds by simplifying firewall deployment
Once new products are brought online in remote locations, administrators can manage local and distributed networks.