GO PRO USERS: Change your Wi-Fi passwords!
Like NOW!
One of the most awesome things to come along in the last couple of years is, without a doubt, the GoPro camera. Those little cameras are indestructible: people throw them out of airplanes, send them to space, crash them in cars, and they keep working.
Password Reset
Recently I took a GoPro from my friend and found out that there is a mobile app that can control the camera. It requires you to connect to the wireless network operated by the camera, and the app then gives you access to cool features like viewing the files on the camera's SD card and starting a recording. My problem was that my friend did not remember the password for the camera, so I decided to use the GoPro password reset to reset it.
To reset your Wi-Fi settings you need to follow the directions on the GoPro website, http://gopro.com/support/articles/wi-fi-name-password. It is a pretty simple Next -> Next -> Finish procedure that ends with a link to a zip file. When you download this file you get a zip archive which you are supposed to copy to an SD card, put in your GoPro, and then reboot the camera.
When I opened the archive it revealed a file named "settings.in", which contained the desired settings for the camera.
The Link
Let’s look at the link:
http://cbcdn2.gp-static.com/uploads/firmware-bundles/firmware_bundle/8605145/UPDATE.zip
Notice the number in the link, 8605145, which acts like a token to tell one file from another. All you need to do to access someone else's Wi-Fi settings is to change this number. I tried changing it by +/- 1 and got other people's files.
Proof of Concept
To make sure that the attack is possible, I wrote a small Python script that runs over a range of the URLs, extracts the settings from each response and puts them into a CSV file.
There were no complications and no noticeable rate limiting when downloading those zip files, so I was able to build a list of 1000 Wi-Fi names and passwords, including my own.
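As an added example (not the author's script and not anything from GoPro), here is how a defender running the file server could spot this kind of walk through neighbouring IDs in the web access logs: a legitimate user fetches the one bundle the reset wizard linked, while a client requesting a run of consecutive bundle IDs is doing what the post describes. The log lines are constructed for the example, the client addresses come from documentation ranges and the bundle IDs are made up; only the URL path shape comes from the post.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). Addresses are from
# the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges; IDs are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "GET /uploads/firmware-bundles/firmware_bundle/8605145/UPDATE.zip HTTP/1.1" 200 4096 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Jan/2015:10:00:02 +0000] "GET /uploads/firmware-bundles/firmware_bundle/8605146/UPDATE.zip HTTP/1.1" 200 4096 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Jan/2015:10:00:02 +0000] "GET /uploads/firmware-bundles/firmware_bundle/8605147/UPDATE.zip HTTP/1.1" 200 4096 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Jan/2015:10:00:03 +0000] "GET /uploads/firmware-bundles/firmware_bundle/8605148/UPDATE.zip HTTP/1.1" 200 4096 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Jan/2015:10:00:03 +0000] "GET /uploads/firmware-bundles/firmware_bundle/8605149/UPDATE.zip HTTP/1.1" 404 512 "-" "python-requests/2.5.1"
198.51.100.20 - - [10/Jan/2015:10:05:44 +0000] "GET /uploads/firmware-bundles/firmware_bundle/8605144/UPDATE.zip HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2015:10:09:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The numeric bundle ID in the download path described in the post.
BUNDLE_RE = re.compile(r'^/uploads/firmware-bundles/firmware_bundle/(?P<id>\d+)/UPDATE\.zip$')


def bundle_requests_by_client(log_text):
    """Map each client IP to the sorted list of distinct bundle IDs it requested.
    Status codes are ignored on purpose: a 404 at the edge of a range is still
    an attempt to read a bundle that was not issued to this client."""
    ids = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        b = BUNDLE_RE.match(m.group("path"))
        if b:
            ids[m.group("ip")].add(int(b.group("id")))
    return {ip: sorted(s) for ip, s in ids.items()}


def longest_consecutive_run(sorted_ids):
    """Length of the longest run of IDs that each differ from the previous by exactly 1."""
    if not sorted_ids:
        return 0
    best = run = 1
    for prev, cur in zip(sorted_ids, sorted_ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, min_run=3):
    """Return {ip: run_length} for clients whose requested bundle IDs include a
    consecutive run of at least min_run IDs."""
    suspects = {}
    for ip, ids in bundle_requests_by_client(log_text).items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            suspects[ip] = run
    return suspects


if __name__ == "__main__":
    for ip, run in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {run} consecutive bundle IDs requested")
```

The threshold of three is a starting point: a single legitimate user has no reason to fetch more than one bundle, so even a run of two from one address is worth a look, while a shared NAT address may need a higher bar or a per-User-Agent split.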
The attack
I decided not to attack the users. It takes time to drive around after snowboarders and divers looking for the Wi-Fi networks of GoPro cameras. Another reason is ethics, of course: we are dealing with personal data, and some people may be insulted.
Theoretically, though, it should be simple code to write. All you need is to check each network near you against the list from the GoPro website and, if it is there, get all of the files.
Conclusion
GoPro made a very cool product. Lots of people love it and use it every day, so GoPro should protect our data and settings.
As a quick mitigation I would consider replacing the number in the URL with a GUID or some other type of random value to make the links harder to guess.
It is also crucial to delete this kind of data from the server after the user downloads it, or simply to delete it after an hour or two.
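The two mitigations above, as an added example in Python that is not GoPro's code and covers both the guessable-number problem from "The Link" and the fixes suggested here: a hypothetical server-side store that hands out bundles by an unguessable random token, deletes the bundle on first download, and expires it after the hour or two the post suggests, shown next to the sequential-counter pattern the post describes. The names SequentialStore, BundleStore and TOKEN_TTL_SECONDS are my own; the starting counter value only mirrors the number in the post's URL, and the download host is a placeholder.

```python
import secrets
import time

# How long an issued download link stays valid; the post suggests "an hour or two".
TOKEN_TTL_SECONDS = 2 * 60 * 60


class SequentialStore:
    """The pattern the post describes (hypothetical reconstruction): a counter in
    the URL and the bundle kept on the server indefinitely, so anyone holding one
    valid ID can reach the neighbours by changing the number."""

    def __init__(self, first_id=8605145):  # start value mirrors the post's URL only
        self._next = first_id
        self._bundles = {}

    def issue(self, bundle_bytes):
        bundle_id = self._next
        self._next += 1
        self._bundles[bundle_id] = bundle_bytes
        return bundle_id

    def fetch(self, bundle_id):
        return self._bundles.get(bundle_id)


class BundleStore:
    """Hardened version: unguessable token, single use, time limited."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._bundles = {}       # token -> (bundle_bytes, expires_at)

    def issue(self, bundle_bytes):
        # 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64 encoded: there is
        # no "next" token to try, unlike a counter.
        token = secrets.token_urlsafe(32)
        self._bundles[token] = (bundle_bytes, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def fetch(self, token):
        """Return the bundle on the first valid request and delete it. Unknown,
        already used and expired tokens all look the same to the caller (None)."""
        entry = self._bundles.pop(token, None)  # pop: gone whatever happens next
        if entry is None:
            return None
        bundle_bytes, expires_at = entry
        if self._clock() > expires_at:
            return None
        return bundle_bytes

    def purge_expired(self):
        """Housekeeping for bundles nobody downloaded; returns how many were removed."""
        now = self._clock()
        stale = [t for t, (_, expires_at) in self._bundles.items() if now > expires_at]
        for t in stale:
            del self._bundles[t]
        return len(stale)

    def download_url(self, token, base="https://example.invalid/settings/"):
        """Build the link handed to the user; the host is a placeholder."""
        return base + token


if __name__ == "__main__":
    weak = SequentialStore()
    alice = weak.issue(b"alice settings.in")
    weak.issue(b"bob settings.in")
    print("sequential store, id+1 returns:", weak.fetch(alice + 1))

    store = BundleStore()
    tok = store.issue(b"alice settings.in")
    print("link:", store.download_url(tok))
    print("first fetch:", store.fetch(tok))
    print("second fetch:", store.fetch(tok))
```

Deleting on first download is the stronger of the two measures: even if a link leaks later, there is nothing left to fetch. The expiry plus purge_expired covers the case where the user never downloads at all.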
Unfortunately, I could not reach the GoPro people to alert them about the issue; hopefully US-CERT will find a way to do that.
Update
US-CERT was able to quickly locate the GoPro security engineers. Thanks to them for that.
Update 2
4/03/2015: it seems that the problem has been fixed.