GoPro Camera May Be Security No-No

Amateur and professional photographers alike love the GoPro, a durable little camera that users can control remotely to record just about anything on Earth. As it turns out, though, cybercriminals may love the GoPro as well. A new report suggests that GoPros may be eminently crackable, and that a weak password could lead to unprecedented control over the devices.

Pen Test Partners, a security firm based in Middle Claydon, England, brought its findings to the BBC, and explained that a poor password could let malefactors take remote control of a GoPro through a Web browser. This isn't just a password-strength issue: once he or she has the password, a savvy intruder could manipulate a GoPro on a very fine level in order to steal photos and videos, or even stream a live feed in real time.

MORE: Best Cameras Available Now

To test the GoPro's security, Pen Test Partners researchers tried to brute-force their way into the GoPro from a laptop on the same Wi-Fi network. Using "pointless" and "Sausages" as test passwords, and a regular graphics card to run password-cracking software on the laptop, the researchers were able to get in within seconds.

Fair enough, you might say, but insecure passwords are hardly unique to GoPros. While that's true, the fact remains that once in, a malefactor could wreak an unusual amount of havoc with a compromised GoPro. Whereas other devices might have secondary security features, such as pairing codes, the GoPro seems to takes a more lackadaisical approach.

Beginning with the latest model of camera, the Hero4, pairing a GoPro with a Wi-Fi network does require a pairing number, provided by the camera itself, but it makes a user input this number only once. Once the number is entered, the GoPro can communicate with any device on the same Wi-Fi network.

Malicious users can send commands to a GoPro via HTTP, meaning that any Web browser can help accomplish the task. Just by manipulating the URL bar, an unauthorized user can make the GoPro beep incessantly, start a recording, access its stored photos and videos or even tell it to start streaming. (This is obviously problematic for users who keep their GoPros in their bedrooms.)

Even turning off the GoPro is not necessarily a barrier to foul play. Once an intruder has accessed a GoPro, he or she can tell it to "wake from sleep" as long as Wi-Fi is still enabled, provided that he or she has the device's MAC address, a unique networking number. The MAC address is, of course, one of many things a user can access through HTTP commands.

"Wi-Fi-enabled devices must provide the user's password to access the Hero4 Wi-Fi network," GoPro told the BBC. "We require our customers to create a password 8-16 characters in length; it's their choice to decide how complex they want it to be. As is true of all password-protected devices and services, if a password is easily guessable, a user is more prone to someone predicting what it is."

Having remote features accessible is usually a good thing, but the GoPro's are arguably too open and too prone to exploitation. On the other hand, savvy users could argue that setting strong passwords is a necessity, regardless of device, and that complex passwords usually can't be brute-forced. Indeed, Pen Test Partners' primary recommendation is to employ a strong Wi-Fi password.

Users can also turn off their GoPros' Wi-Fi by holding down the button on the camera's left side for three seconds when the device is not in use. There's no evidence that malefactors have taken advantage of the GoPro's vulnerabilities in the wild, but given its relative simplicity, a little caution could go a long way.

Marshall Honorof is a senior writer for Tom's Guide. Contact him at mhonorof@tomsguide.com. Follow him @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.

TOPICS
Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 

Latest in GoPros & Action Cameras
The DJI Osmo Action 5 Pro on a selfie stick with a green tree and blue sky out of focus in the background
I've tested every action camera and I've never seen a deal as good as this one on the DJI Osmo Action 5 Pro — but it won't last for long
A GoPro Max 360 action camera
The five-year-old GoPro Max just got an update — and it’s packed with pro features at a lower price
The Insta360 Ace Pro 2 against a blue background
Insta360 Ace Pro 2 review
Insta360 Go 3S Cyber Monday deal
My cat is internet famous thanks to this action camera — and it's on sale for Cyber Monday
DJI Osmo Action 4 on a selfie stick against a white, blue and brick background. A Tom's Guide badge is in the lower left corner
The DJI Osmo Action 4 is just $209 for Black Friday with $15 cash back — how to get the deal
GoPro Hero13 Black on a white surface with a blue wall in the background and a Tom's Guide deal badge in the top right corner.
13 Cyber Monday action camera deals on GoPro, DJI and Insta360
Latest in News
Nintendo Switch 2
Nintendo Switch 2 tipster may have just leaked release month and launch plans
Disney Plus logo
Disney Plus upgrade just fixed one of my biggest problems with the home page
Tom Hiddleston as Robert Laing in "High Rise" now streaming on Netflix
5 best Netflix movies in March you haven't watched yet
iPhone 16 with Apple Intelligence logo for iOS 18.1
iOS 18.4: All the newest Apple Intelligence features coming to your iPhone
Maria Debska in "Just One Look" now streaming on Netflix
3 best Netflix shows in March you haven't watched yet
Split image featuring the Galaxy S25 Edge (left) and Galaxy S25 Ultra (right)
Samsung Galaxy S25 Edge just tipped for two Galaxy S25 Ultra-level features