Serious WiFi security issues discovered in GoPro cameras
March 6, 2015
It was revealed late yesterday that hackers can harvest the cleartext SSIDs and passwords of wireless networks accessed by sports cameras made by GoPro.
The GoPro app collects and records wireless credentials so that they can be used to log on to and manage the cameras in question.
Security researcher Ilya Chernyakov says that the credentials, which enable access to the cameras, could be mass harvested with a script that simply changes a numerical token value within a generated URL.
"All you need to do to access someone else’s Wi-Fi settings is to change that number," said Chernyakov.
"I wrote a small Python script that runs on a range of the URLs, extracts the settings from the response and puts them into a csv file," he added.
"There were no complications, nor any noticeable so-called 'shape limiting' for downloading so I was able to create a list of about 1,000 Wi-Fi names and passwords, including my own," he said.
The attacks are limited since hackers can only access the sports cameras. However, Chernyakov says that scripts could be written to check nearby GoPro networks against harvested credentials.
The researcher disclosed the security flaws to U.S. CERT, which nudged GoPro into fixing them.
To be sure, tests against a listed link did fail, indicating the direct object reference vulnerability is in fact closed.
"It actually takes quite a bit of time driving around snowboarders and divers, looking for Wi-Fi networks of the GoPro cameras," Chernyakov added.
Whether the waterproof cameras could be used in other extreme situations that could make the harvesting attack more dangerous to GoPro owners isn't known, however.
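The flaw class described above, a guessable numeric token with no ownership check and no rate limiting, is shown here beside a hardened lookup. This is an added example, not code from GoPro or the researcher; the function names, the in-memory store and the sample records are hypothetical and constructed for illustration.

```python
import secrets

# Constructed in-memory stand-in for the server's settings storage.
_SETTINGS = {}       # URL token -> stored Wi-Fi settings record
_NEXT_ID = [1000]    # sequential counter used by the weak design
_MISSES = {}         # session user -> count of failed lookups
MAX_MISSES = 5       # assumed throttle threshold


def store_weak(owner, ssid, password):
    """Weak design: the URL token is the next sequential number."""
    token = str(_NEXT_ID[0])
    _NEXT_ID[0] += 1
    _SETTINGS[token] = {"owner": owner, "ssid": ssid, "password": password}
    return token


def fetch_weak(token):
    """Serves whatever record the number points at; caller is never checked."""
    return _SETTINGS.get(token)


def store_hardened(owner, ssid, password):
    """Hardened design: 128-bit random token, record bound to its owner."""
    token = secrets.token_urlsafe(16)
    _SETTINGS[token] = {"owner": owner, "ssid": ssid, "password": password}
    return token


def fetch_hardened(token, session_user):
    """Serve a record only to its authenticated owner, and throttle misses."""
    if _MISSES.get(session_user, 0) >= MAX_MISSES:
        return None  # too many failed lookups from this session
    record = _SETTINGS.get(token)
    if record is None or record["owner"] != session_user:
        # Identical result for "missing" and "not yours": no existence oracle.
        _MISSES[session_user] = _MISSES.get(session_user, 0) + 1
        return None
    return record
```

The random token alone only makes guessing impractical; the owner comparison is what closes the direct object reference, and the miss counter supplies the rate limiting.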
Source: Ilya Chernyakov.