Security researchers have identified it possible for cybercriminals to hack into your GoPro, the popular action camera, allowing hackers to secretly activate the camera or microphone and covertly stream or record it to their device.
Researchers at Pen Test Partners revealed just how easy it is to hack into GoPro cameras and spy on people. The company issued a warning to all GoPro owners, saying hackers can easily hijack the camera and take over the device to spy on you.
According to a video on BBC, the security firm is shown hacking into a GoPro Hero4 camera, where researchers were allowed to secretly eavesdrop on the conversation through the GoPro device. Further more, researchers also had full access to files and videos stored on the device, leaving them susceptible to theft or deletion. This all occurred while the GoPro device appeared to be turned off.
The security firm said hackers are able to run a password combination tool, allowing them to break into the protected device in mere seconds. However, GoPro takes zero accountability for this, stating it’s the users password choice, and if insecure, it can be cracked.
Ken Munro, a partner at Pen Test Partners, said the cameras are setup via a wireless connection and can unknowingly be left on even after you press the power button to turn off the camera. GoPro devices even have their own wireless connection, allowing them to be connected to various devices.
Munro debuted his research to BBC, showing how the recording was being streamed from the GoPro onto his mobile phone. He also demonstrated how he was able to hijack the device, but turn off the indicator light so that the end user would not know the GoPro camera started secretly recording.
To take control of the GoPro camera, a hacker would first need to wake the device then begin to intercept and crack the WiFi key found on the device, Munro said. The key, which needs to be stolen and cracked, is encrypted and setup by the end user when choosing to connect the device to another device, such as a smartphone or tablet.
Munro was able to capture the key with a piece of commercial software. Security researchers were then able to guess the key’s password within just a few seconds with a piece of free online software. While using the software, Munro was able to crack the user set password of ‘sausages’ in mere seconds. The free software researchers used had the ability to test thousands of passwords per second.
As there isn’t really a way to mitigate the issue, the only protection Munro has advised is that GoPro users set a strong password if they wish to keep their device and privacy out of the hands of hackers.
Munro added that GoPro needs to make a stronger effort to encourage users to use a strong password between 8-16 characters long and the password strength must be unique and strong as well.
“We follow the industry-standard security protocol called WPA2-PSK (pre-shared key) mode,” a GoPro spokesperson told BBC when speaking on the security of their devices. “Wi-fi-enabled devices must provide the user’s password to access the Hero4 wi-fi network. This is the same as other wi-fi networks using that protocol.”
“We require our customers to create a password 8-16 characters in length; it’s their choice to decide how complex they want it to be. As is true of all password-protected devices and services, if a password is easily guessable, a user is more prone to someone predicting what it is,” GoPro added.