GoPro Wi-Fi issues could mean stolen video, or worse…
Following our coverage on the BBC this morning here’s the lowdown on what we found.
GoPro cameras are great, no arguing with that. Using an app you can hook your GoPro up to your Android/Windows/Apple phone or tablet to watch stored video, or to control the GoPro remotely. Pretty cool, right?
The problem is that it’s not just you who can control your GoPro. With a certain amount of know-how and an understanding about password setting behaviour it’s possible to hijack someone else’s GoPro.
In the set up process (you know, the part that most people rush through so that they can start using their device ASAP), the wireless connection between the GoPro and the mobile device forces you to change the password. Bearing in mind the aforementioned haste, and the fact that most passwords set using mobile devices are dreadfully inadequate, A LOT of passwords are going to be weak, very weak.
In a situation where complexity is not enforced, and the minimum password length is 8 characters, people will tend towards setting simple dictionary passwords as their Wi-Fi key. Using the Rockyou.txt dictionary and a single graphics processor (GPU) we ran through the entire 30 Million word list in around 60 seconds, adding a few more GPUs would shrink that time considerably. When we ran it against our GoPro our silly passwords of ‘pointless’ and ‘Sausages’ took nearly zero and 3 seconds respectively to crack the password.
So, for a GoPro 3 and earlier models, as long as we’re in Wi-Fi range of your camera, it takes just a matter of seconds to get access to it.
The latest GoPro, version 4, has an extra layer of security. A bit like Bluetooth pairing, when you first connect to the camera over Wi-Fi, it requests a one-time code that is displayed on the GoPro screen. An excellent idea that should offer much better security.
Except, once you’ve paired ONE mobile device with the tablet, it will talk to ANY Wi-Fi device. Yes, really. We were gobsmacked!
This shouldn’t be possible – the pairing process should apply to each Wi-Fi device that you try to connect to it.
Now the scary bit
GoPro offer a variety of add-ons for their cameras, one of the most popular is the remote control, however you can also use your phone as a remote to see what the device sees in real time and to start and stop video or change settings.
All of these work over the Wi-Fi connection and sent their commands to the GoPro over an HTTP channel. This means that it’s trivial for an attacker to send the same commands from their own browser to remotely control the device.
When you connect to the GoPro over wireless, the GoPro will always have an IP address of 10.5.5.9 which makes it nice and easy to connect to. At this point we can simply steal your videos and photos by connecting to http://10.5.5.9 which presents a website with a link to download the data straight from the SD card.
However, we’ve discovered more nefarious attacks, which can do more than simply steal data.
The first port of call would be the http://10.5.5.9:8080/gp/gpControl/ address. Connecting to this provides a substantial amount of information about the device, including how it expects commands to be issued to it. Using the information provided by that page, it was trivial to work out how to turn off the LEDs and the beeps that would potentially alert the victim to our voyeuristic intent.
For example, on the hero 4 black, the URL to turn off beeps is:
In this case, 56 is the value for ‘beeps’ and 2 is the value for ‘off’ (gained from the gpControl page earlier).
Similarly, the command to turn off LEDS is:
From here we can start and stop recording using the following commands:
Start recording http://10.5.5.9:8080/gp/gpControl/command/shutter?p=1
Stop recording http://10.5.5.9:8080/gp/gpControl/command/shutter?p=0
We can even get it to stream its content to us using “execute?p1=gpStream&c1=start”:
…and can then watch and listen in real-time using a player such as VLC or FFplay.
“But I turned my GoPro off” I hear you say.
Well, here’s the thing. GoPros have a nice big shiny power button on the front, and most people assume that it will kill the device and all its functionality, hidden or otherwise. The trouble is that unless you have explicitly turned off the wireless function using the smaller settings button on the side, then I’m afraid your device will still be listening, ready to take instruction.
We can wake it up using a ‘Wake on LAN’ packet and carry out the attacks exactly as described above. For this attack we only need to know the MAC of the device. This information is trivial to find as its included in all the wireless broadcasts from the device. We can then use any WoL tool, such as wol-e on Kali Linux:
Yes, but what about in the Real World?
Our research, and the research of others that we’ve built on, isn’t theoretical. You can crack the PSK and steal video from a target device. Depending on what they’ve been recording you could have something very saleable on your hands.
A more complex attack would be to find/pick a user and crack their PSK (easily done as we’ve seen earlier). You’d then associate your device with their GoPro and, using the commands in the built in web server, put the GoPro into stealth mode by turning off all beeps and lights. If (like most) people they’ve left their mobile phone’s Wi-Fi on you can work out where they are likely to be later on, from the wireless probing looking for specifically named APs e.g. “Chalet Edelweiss”. You find your victim later on, turn their GoPro on over Wi-Fi and use it as a spy camera.
What should you do?
The simple answer to this one is just don’t set weak Wi-Fi passwords; complex passwords are the order of the day here.
We’d like GoPro to start forcing the setting of strong PSKs in the mobile app too, to override the basic requirements of WPA.
GoPro should investigate the pairing issue too – unless we’ve misunderstood the process, we shouldn’t be able to connect devices to the camera without pairing each and every new device.
Finally, before turning your GoPro off, push the Wi-Fi button on the side for 3 seconds. That turns off Wi-Fi.