I’ll cut to the chase right away; this is so serious. When not in use, take the battery out of your GoPro immediately or lock it away. If it’s in a room with your kids, get it out of there—right now.
Three days ago, I visited one of Australia’s largest tech retailers and bought my first GoPro, a Hero 7 Black. I wanted a portable video camera and this year-old model was rumoured to have pulled GoPro from the brink of liquidation in 2018, it was so well-featured and refined.
After inserting its battery and micro SD card, I powered it on. It asked me to connect to a “GoPro App” on my iPhone, which I downloaded from iTunes; it then immediately went through a successful Wi-Fi pairing, which gave my phone complete control over the camera and ensured that any media taken by my camera would immediately transfer to my phone.
Next day, my GoPro was lying face up near me on my desk pointing at the ceiling. It was in standby mode. When I later picked it up to play with it, that’s when everything hit the fan.
On it was a six-second video.
It was a film of my ceiling and accompanying it was a female American voice saying, “GoPro stop recording. GoPro STOP recording!”
My GoPro had been remotely hacked. And my SD card had caught it.
My retailer now has this camera back, a full refund offered.
I don’t know how this occurred. All I can gather is that when the Hero 7 initiates for the first time, it automatically creates a Wi-Fi network for itself and gives it a password. Here’s the thing. It uses real words for its passwords followed by digits. Words like “surfing”, “sport” and “tennis”. And these passwords cannot be altered by their user. This practice flies in the face of every IT security protocol. But GoPro does it nonetheless.
And I’m guessing that all it takes then is someone with an app-based algorithm that knows how GoPro thinks to crack this code.
My retailer is following up my experiences with its supplier. GoPro customer service was absolutely unprepared and untrained to help me out or escalate the matter.
With the pending launch of the GoPro Hero 8 next month though, the question remains: Will this vulnerability still exist? Also, who knew about it? And if known, why weren’t customers told?
If you currently own a GoPro, you are at risk of being spied on just like me. Get it out of your kids’ rooms and disable its power source right away.
I hope to hear the results of my retailer’s investigation. The GoPro is a beautiful piece of equipment but right now it is a hacker’s delight.
Postscript
After my experience I did some research and found that this exact privacy vulnerability was reported in 2015, regarding the GoPro 4. It apparently hasn’t been fixed.
This was confirmed in 2018, by Hypoxic Extreme Electronics in Arizona, USA, who did a phenomenal teardown of the entire GoPro unit part by part. Despite their affinity for the Hero 7 Black, they warned:
“If you’re using these cameras for military ops, an undercover journalist, or just someone who enjoys their privacy; be careful of how you use your GoPro Camera. […] Your GoPro is insecure.”
The impossibility of contacting GoPro Inc. directly, other than through its call centres, which were unable to escalate this issue for me, and the impossibility of easily reporting a major data breach of this type to them mean I’ve had to take the time to document this publicly, rather than letting GoPro address it purely through media release or PR.
At present, any GoPro with Wi-Fi connectivity represents a major Internet risk. I can’t do more right now than absolutely stress the need for users to do everything they can to tighten their GoPro cyber access down.
And that basically means if its battery is inside, do not place your GoPro anywhere you don’t want the world to see, or talk near it about anything you don’t want the world to hear.
I currently am GoPro-less.
© 2019 Adam Parker.