
ESET asks: Is your GoPro camera secretly spying on you?

08 Jun 2015

A BBC News report has once again highlighted the importance of using hard-to-crack passwords, after researchers revealed just how easy it could be for hackers to break into GoPro cameras – and use them to secretly spy upon you.

The problem is not so much with the popular GoPro camera itself, but with the passwords users choose when they set up the devices.

When you first use a GoPro camera, chances are that you will want to remotely control it from your smartphone, and you’re made to change the device’s default WiFi password to something else.

That’s certainly a sensible step.

The problem is that many users, particularly because they are configuring the camera’s settings from a mobile phone app, won’t use a complex lengthy password containing funny characters and jumbled up letters and numbers.

Instead, chances are, they will choose a simple password like “Sausages”.

And, as Ken Munro of Pen Test Partners demonstrated to the BBC, a password like that can be cracked in a couple of seconds by using readily-accessible databases of dictionary words and commonly-used passwords.

In short, sausages – and other easy-to-crack passwords – should be off the menu.

Because if a hacker manages to crack your GoPro’s password then they can access your GoPro anytime they like if they are in Wi-Fi range, turning off the LED indicator so you cannot tell that it is watching you, and disabling any bleeps designed to tell you that filming has begun.

Furthermore, a hacker could access any recordings you have previously made.

Finally, and this is the real cherry on the pie, a hacker can do all this even if your GoPro camera is switched off.

The problem there is that when you switch your GoPro camera off it isn’t *completely* off, unless you had turned off its WiFi as well beforehand (a good idea anyway, as it will help save battery life).

When confronted with the demonstration, GoPro issued a statement reminding customers of the importance of strong passwords:

“We follow the industry-standard security protocol called WPA2-PSK (pre-shared key) mode. Wi-fi-enabled devices must provide the user’s password to access the Hero4 wi-fi network. This is the same as other wi-fi networks using that protocol.”

“We require our customers to create a password 8-16 characters in length; it’s their choice to decide how complex they want it to be. As is true of all password-protected devices and services, if a password is easily guessable, a user is more prone to someone predicting what it is.”

The message then? For all of your devices, whether a GoPro camera or not, you should use unique, hard-to-crack passwords.

If, after reading this, you feel it might be wise to change your GoPro’s password, you can follow the advice on the GoPro website.

Of course, unless you have a brain the size of a planet, you’re going to find it hard to both dream up sufficiently hard-to-crack passwords *and* remember them. My recommendation is to use password management software which will do the job for you. Don’t just use these kinds of programs to remember your website passwords – you should also use strong, hard-to-crack passwords for all apps and devices which require them.
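As an added illustration (not from the original article or from GoPro), the sketch below audits a candidate password against the 8-16 character limit quoted in GoPro's statement and flags choices that reduce to a dictionary word once capitalisation, appended digits and look-alike substitutions are undone. The wordlist is a small constructed sample and all function names are illustrative assumptions.

```python
import math
import re
import secrets
import string

# Constructed sample wordlist; a real audit would load a large dictionary
# plus a list of commonly used passwords.
SAMPLE_WORDLIST = frozenset({"sausages", "password", "gopro", "camera", "welcome"})

MIN_LEN, MAX_LEN = 8, 16  # length limits quoted in GoPro's statement
ALPHABET = string.ascii_letters + string.digits

# Common look-alike substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$", "oleastas")


def dictionary_core(password, wordlist=SAMPLE_WORDLIST):
    """Return the wordlist entry the password reduces to, or None."""
    lowered = password.lower()
    # Drop digits and symbols that users tend to prepend or append.
    trimmed = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    for candidate in (lowered, trimmed, trimmed.translate(LEET), lowered.translate(LEET)):
        if candidate in wordlist:
            return candidate
    return None


def audit(password, wordlist=SAMPLE_WORDLIST):
    """Return a list of finding tags; an empty list means no finding."""
    findings = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        findings.append("length")
    if dictionary_core(password, wordlist) is not None:
        findings.append("dictionary")
    if len(set(password.lower())) <= 2:
        findings.append("repetition")
    return findings


def random_bits(length=MAX_LEN, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def generate(length=MAX_LEN):
    """Generate a random password with a CSPRNG, as a password manager would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for pw in ("Sausages", "s4us4ges!", "gopro2015", generate()):
        print(f"{pw!r}: {audit(pw) or 'no findings'}")
    print(f"random {MAX_LEN}-char password: {random_bits():.0f} bits")
```

An empty result only means none of these checks fired; it is not proof that a human-chosen password is strong, which is why a randomly generated one is the safer choice.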

And if you are using a GoPro camera, please remember to disable WiFi whenever the device is switched off.

By Graham Cluley, We Live Security
