GoPro Inc Security Flaw Lets Hackers “Spy On Owners”


Imagine a criminal taking control of your GoPro action camera and then using it to spy on you. The scenario raises serious security and privacy concerns, and it could really happen. The Buckingham-based security firm Pen Test Partners demonstrated to BBC News how a hacker could gain access to a Hero4 camera that is turned off. The criminal could then secretly watch or eavesdrop on users. Surprisingly, hackers can also view or delete existing videos.

GoPro Hero4 has an extra layer of security, but…

Ken Munro of Pen Test Partners said that GoPro cameras are set up such that the camera may still be connected to a WiFi network even after it has been turned off. GoPro has added an extra layer of security to its latest Hero4 action cameras. When you connect to a Hero4 for the first time, it requests a one-time code that appears on the GoPro screen. This should offer much better security.

However, the problem is that once the camera has been paired with one mobile device, it will “talk to any WiFi service.” Munro said it was shocking. The pairing should apply to each WiFi device that connects to the camera. Munro demonstrated how hackers could wake the Hero4 camera up, switch off its flashing red recording lights, and live stream what the GoPro camera could see to his own smartphone.

GoPro should encourage users to create stronger passwords

He said a hacker would first have to crack the encrypted WiFi key that the user sets up while connecting the camera to a mobile device. He cracked the key using a laptop and free specialist software. A number of software programs freely available on the Internet can guess simple passwords within minutes. In this case, the user’s password was “Sausages,” which the free software guessed in less than a minute.

That means it is not entirely GoPro’s fault. Munro said the San Mateo-based action camera maker should encourage users to set stronger passwords. In a statement to the BBC, GoPro said it follows WPA-2 PSK, which is an industry-standard security protocol. The company requires its customers to create passwords that are 8 to 16 characters long. It is up to users how complex they want their passwords to be.
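The gap between the length rule and a guessable password, as an added example that is not code from GoPro or Pen Test Partners: a passphrase audit that applies the 8 to 16 character rule and then checks what that rule misses. The wordlist is a constructed sample, and the 60-bit threshold and the function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample wordlist; a real check would load a large common-password list.
COMMON_WORDS = {"sausages", "password", "gopro", "camera", "letmein"}

# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oleastbasi")

MIN_LEN, MAX_LEN = 8, 16   # length rule the article attributes to GoPro
MIN_BITS = 60              # assumed threshold for this example


def normalise(passphrase):
    """Lowercase, strip trailing digits and symbols, undo leet substitutions."""
    core = passphrase.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET)


def estimated_bits(passphrase):
    """Upper bound on the brute-force search space, from character classes used."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_passphrase(passphrase, words=COMMON_WORDS):
    """Return a list of findings; an empty list means no check failed."""
    findings = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        findings.append("length outside 8-16")
    if normalise(passphrase) in words:
        findings.append("dictionary word")
    if estimated_bits(passphrase) < MIN_BITS:
        findings.append("small search space")
    return findings


if __name__ == "__main__":
    for candidate in ("Sausages", "Sausages1!", "kV7#qz9!Lm2x$Rw4"):
        print(candidate, audit_passphrase(candidate))
```

“Sausages” satisfies the length rule yet is flagged as a dictionary word, and appending a digit and a symbol raises the estimated search space without removing that finding.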
