Sunday, March 1, 2015

GoPro update mechanism exposes multiple users Wi-Fi passwords




GO PRO USERS: Change your Wi-Fi passwords!

Like NOW!




One of the most awesome things that happened in the last couple of years is, without a doubt a GoPro cameras. Those little cameras are indestructible. They throw them from airplanes, send them to space crash in the cars and they keep working.


Password Reset

Recently, I took a GoPro from my friend and turns out that there is a mobile app that can control the camera. It requires a user to connect to the wireless network operated by the camera, and the app gives you the access to cool features like viewing the files on the camera's SD card and starting the recording. My problem was, that my friend did not remember the password for the camera, and therefore I decided to use the GoPro password reset the passwords

In order to reset your Wi-Fi settings you need to follow the directions on the GoPro website http://gopro.com/support/articles/wi-fi-name-password. It is pretty simple procedure, with Next -> Next -> Finish that ends up with a link, to a zip file. When you download this file, you get a zip archive which you supposed to copy to a SD card, put it in your GoPro and reboot the camera.

When I opened the archive it revealed a file named “settings.in” which contained the desired settings for the camera.




















The Link

Let’s look at the link:
http://cbcdn2.gp-static.com/uploads/firmware-bundles/firmware_bundle/8605145/UPDATE.zip

Notice that there is a number in the link, which acts like a token to tell one file from another,I marked it in bold. All you need to do, to access someone else’s Wi-Fi settings is to change this number. I tried changing this number to +/- 1 and got other people's files. 

Proof of Concept

To make sure that the attack is possible, I wrote a small python script, that runs on a range of the urls, extracts the settings from the response and puts them into a csv file.
There was no complications, nor noticeable shape limiting for downloading those zip file so I was able to create a list of 1000 Wi-Fi names and passwords, including my own.



The attack

I decided not to attack the users. It takes time driving around snowboarders and divers, looking fro a Wi-Fi networks of the GoPro cameras. Another reason is ethics of course: we are dealing with personal data, and some people may be insulted.

Theoretically, though, it should be a simple code to write. All you need is to check for each network that is near you against the list from the GoPro website, and if it is there, get all of the files.


Conclusion

GoPro made a very cool product. Lots of people love it and use it every day, so GoPro should protect our data and settings. 

As a quick mitigation I would consider replacing the number in the URL with a GUID or some other type of random value to make it harder to guess the links.

It is crucial to delete this kind of data from the server after the user downloads it or just delete them after an hour or two. 

Unfortunately, I could not reach the GoPro people in order to alert them about the issue, hopefully US-CERT will find a way to do that



Update

US-CERT was able to quickly locate the GoPro Security Engineers. Thank them for that.


Update 2 

4/03/2015: seems that the problem have been fixed.