This article is more than 1 year old
Nest cameras can be easily blacked out by Bluetooth burglars
So far, no patch available to the public
Updated Nest's Dropcam and Dropcam Pro security cameras can be wirelessly attacked via Bluetooth to crash and stop recording footage. This is perfect for burglars and other crooks who want to knock out the cams moments before robbing a joint.
The three vulnerabilities are in camera firmware version 5.2.1, and no patch is publicly available, we understand. Security researcher Jason Doyle, based in Florida, US, spotted the holes, and alerted Google-stablemate Nest about them in October – but there's been no software updates to correct the programming cockups. This month, Doyle went public with details of the flaws, including example exploits.
For the first bug, an attacker can trigger a buffer overflow in the camera by pinging it an overlong Wi-Fi SSID parameter via Bluetooth Low Energy (BLE). This causes the gadget to crash and reboot. The second flaw is similar, but in this case the miscreant sends a long Wi-Fi password parameter to the camera. This too will cause the camera to crash and restart, we're told.
The third issue is more serious. The crook can send the camera a new Wi-Fi SSID to connect to, forcing it to disconnect from the current network, try joining the new SSID which presumably doesn't exist, and reconnect to the previous wireless network about 90 seconds later. During this time, the device stops recording footage to its cloud-connected backend. Nest deliberately designs its cameras to use internet-hosted storage for video, not local storage, so any downtime is bad news.
By repeatedly exploiting these holes, a device is knocked offline and stops keeping a record of what it sees – thus rendering it rather useless as a remote security cam.
All of these flaws require the attacker to be in BLE range, but that's not a problem for someone about to break into your house or office. The reported shortcomings highlight a serious design fault within the cameras that can't be mitigated at the moment. Bluetooth is enabled by default in the cameras, and stays on at all times so the gadgets can be reconfigured over the air. This leaves them vulnerable to attack.
"As far as workarounds, since you can't disable Bluetooth, I'm not sure there are any," Doyle told The Register on Monday.
"There doesn't seem to be any reason why [Nest] leaves Bluetooth on after setup unless they need it for future or current integrations. Some cameras like the Logitech Circle turn Bluetooth off after setting up Wi-Fi."
Doyle said Google has acknowledged it had received his bug report, but unusually hadn't let him know if they are patched. Nest had no comment at time of publication. A source familiar with the matter said a patch has been prepared and will be pushed out shortly. ®
Updated to add
Nest has passed on the following comment:
Nest is aware of this issue, developed a fix for it, and will roll it out to customers in the coming days.