A security researcher has published a vulnerability and proof-of-concept exploits in Google's Internet of Things security cameras, marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor; these vulnerabilities were disclosed to Google last fall, but Google/Nest have not patched them despite the gravity of the vulnerability and the long months since the disclosure.
Researcher Jason Boyle discovered that sending long wifi network names or passwords to cameras over their Bluetooth interfaces (which cannot be disabled) will cause them to reboot. It would be trivial for a home intruder to reboot all the cameras in a home before breaking in.
More seriously, a camera that is passed a malformed wifi network name can be made to disconnect from its home wifi for 60-90 seconds; this time can be extended by feeding it a stream of malformed wifi names.
It's a sobering example of how even well-resourced, professionally managed companies can fall down on the job when it comes to security. Proponents of giving companies the power to sue security researchers who disclose defects in their products argue that companies are generally responsive to security vulnerability disclosures, and that any unauthorized disclosures are, by definition, irresponsible.
But if Google can't be relied upon to patch showstopper bugs in their flagship home security products over a six-month period, who can?
The first two flaws can be triggered and lead to a buffer overflow condition if the attacker sends to the camera a too-long Wi-Fi SSID parameter or a long encrypted password parameter, respectively.
That’s easy to do as Bluetooth is never disabled after the initial setup of the cameras, and attackers (e.g. burglars) can usually come close enough to them to perform the attack.
Triggering one of these flaws will make the devices crash and reboot.
The third flaw is a bit more serious, as it allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to.
If that particular SSID does not exist, the camera drops its attempt to associate with it and return to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won’t be recording.
Google-Nest-Cam-Bug-Disclosures [Jason Doyle/Github]
Burglars can easily make Google Nest security cameras stop recording [Zeljka Zorz/Helpnet]