Security sleuth Jason Doyle has alerted IoT-boffins Nest to three vulnerabilities in its Dropcam and Dropcam Pro security cameras, one of which allows a Bluetooth-based attack to crash the device and stop it recording footage.
The vulnerabilities are found in camera firmware version 5.2.1. Doyle is said to have alerted Nest back in October, but there has been no update from the camera-maker since, so he went public with the disclosure and included examples.
Explaining the vulnerability which forces the camera to stop recording, Doyle said that “It's possible to temporarily disconnect the camera from Wi-Fi by supplying it a new SSID to connect to.”
Because Nest deliberately designs its cameras to store any video they record online, and not locally, footage is lost during any downtime, and the attack could simply be repeated to momentarily knock out any surveillance cameras.
Doyle writes: “The attacker must be in bluetooth range at any time during the camera's powered on state. Bluetooth is never disabled even after initial setup.”
Another of the vulnerabilities allows an attacker to crash the device and reboot it by sending it an overlong Wi-Fi SSID parameter via Bluetooth Low Energy (BLE). Doyle explains: “The payload attempts to set an SSID with a length of 1 byte and sends 16.”
Finally, Doyle has also found a vulnerability in which a house burglar who sends a long Wi-Fi password parameter to the camera will likewise cause it to crash and reboot.
All of these flaws require the attacker to be in BLE range. Bluetooth is enabled by default in the cameras, and stays on at all times so the gadgets can be reconfigured over the air.
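The input validation that would reject the malformed SSID and password parameters described above, as an added defensive example that is not taken from Doyle's disclosure or from Nest's firmware. The frame layout and all function and type names are assumptions; the 32-byte SSID and 63-character passphrase limits are the standard 802.11 and WPA2 maxima.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame layout (assumed, not Nest's real format):
 *   byte 0 = field type, byte 1 = declared value length, bytes 2.. = value */
enum { FIELD_SSID = 1, FIELD_PASSWORD = 2 };
enum { SSID_MAX = 32, PASSWORD_MAX = 63 };  /* 802.11 SSID, WPA2 passphrase */

typedef enum { PARSE_OK, ERR_TRUNCATED, ERR_UNKNOWN_FIELD,
               ERR_LENGTH_MISMATCH, ERR_TOO_LONG } parse_status;
struct wifi_config {
    char ssid[SSID_MAX + 1];
    char password[PASSWORD_MAX + 1];
};

/* Validate one frame and copy its value into cfg; cfg is untouched on error. */
parse_status parse_setup_frame(const uint8_t *frame, size_t frame_len,
                               struct wifi_config *cfg)
{
    char *dst;
    size_t max, declared, received;
    if (frame == NULL || cfg == NULL || frame_len < 2)
        return ERR_TRUNCATED;
    declared = frame[1];
    received = frame_len - 2;
    switch (frame[0]) {
    case FIELD_SSID:     dst = cfg->ssid;     max = SSID_MAX;     break;
    case FIELD_PASSWORD: dst = cfg->password; max = PASSWORD_MAX; break;
    default:             return ERR_UNKNOWN_FIELD;
    }
    /* "Declares 1 byte, sends 16": header and received bytes must agree. */
    if (declared != received)
        return ERR_LENGTH_MISMATCH;
    /* Overlong values are rejected, never truncated or copied past dst. */
    if (declared > max)
        return ERR_TOO_LONG;
    memcpy(dst, frame + 2, declared);
    dst[declared] = '\0';
    return PARSE_OK;
}

int main(void)
{   /* Constructed frame: header declares 1 byte, 16 bytes follow. */
    uint8_t bad[18] = { FIELD_SSID, 1 };
    struct wifi_config cfg = { 0 };
    memset(bad + 2, 'A', 16);
    return parse_setup_frame(bad, sizeof bad, &cfg) != ERR_LENGTH_MISMATCH;
}
```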
Sarb Sembhi, GRC evangelist, told SC Media UK: "When you buy any wireless surveillance technology, should you have to secure the communication, or should you be able to expect that the vendor has already undertaken a threat assessment and fixed things?"
Sembhi highlights: "At the very least should customers be able to assume that the device can be patched at a future date when vulnerabilities are discovered?"
Nest was contacted for comment, but did not respond.