Vulnerabilities

Multiple Vulnerabilities Uncovered in Google Nest Cam

A security researcher took it to GitHub to disclose information on multiple vulnerabilities allegedly affecting Nest Cam and Dropcam Pro devices after receiving no response from Google for several months.

Ionut Arghire

March 22, 2017

The issues were discovered by security researcher Jason Doyle and affect the devices’ Bluetooth connectivity, allowing an attacker to access the affected device remotely or knock it offline for 60 to 90 seconds. Basically, a burglar capable of shutting the camera down could slip past it unnoticed.

Doyle revealed that three vulnerabilities impact the Bluetooth (BLE) connectivity of Dropcam, Dropcam Pro, Nest Cam Indoor/Outdoor models running firmware version 5.2.1. The researcher reveals that Google, which bought Nest several years ago, was notified on the issue on October 26, 2016. The company even acknowledged the bugs, but hasn’t released a fix to date.

The first bug is a buffer overflow condition that can be triggered when setting the SSID parameter on the camera. According to the researcher, an attacker exploiting the issue would have to be within Bluetooth range at any time during the camera’s powered on state. This is possible, however, because Bluetooth on the device is never disabled, not even after initial setup.

Another buffer overflow condition can be triggered when setting the encrypted password parameter on the camera. Similarly, the attacker must be in Bluetooth range of the device. The attack results in the camera to crash and reboot back to operational state.

The third issue, the researcher reveals, could allow an attacker to temporarily disconnect the camera from its Wi-Fi connection by supplying it with a new SSID to connect to. Because the affected cameras don’t come with support for local storage of video footage, the surveillance capabilities of the targeted device are temporarily disabled.

This attack can be leveraged to knock the camera offline while it attempts association with the newly set SSID. The device goes offline for around 60-90 seconds before re-connecting to the original Wi-Fi network and resuming normal operation.

The security researcher published all of the details pertaining to the three vulnerabilities, complete with example exploits.

Written By Ionut Arghire

Ionut Arghire is an international correspondent for SecurityWeek.

Latest News

Click to comment

How the Atomized Network Changed Enterprise Protection

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud, and edge.

Matt Wilson

Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Landon Winkelvoss

Password Dependency: How to Break the Cycle

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

Torsten George

Why CISOs Make Great Board Members

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make for successful board members.

Galina Antova

A Change in Mindset: From a Threat-based to Risk-based Approach to Security

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Marie Hattar