A security researcher took it to GitHub to disclose information on multiple vulnerabilities allegedly affecting Nest Cam and Dropcam Pro devices after receiving no response from Google for several months.
The issues were discovered by security researcher Jason Doyle and affect the devices’ Bluetooth connectivity, allowing an attacker to access the affected device remotely or knock it offline for 60 to 90 seconds. Basically, a burglar capable of shutting the camera down could slip past it unnoticed.
Doyle revealed that three vulnerabilities impact the Bluetooth (BLE) connectivity of Dropcam, Dropcam Pro, Nest Cam Indoor/Outdoor models running firmware version 5.2.1. The researcher reveals that Google, which bought Nest several years ago, was notified on the issue on October 26, 2016. The company even acknowledged the bugs, but hasn’t released a fix to date.
The first bug is a buffer overflow condition that can be triggered when setting the SSID parameter on the camera. According to the researcher, an attacker exploiting the issue would have to be within Bluetooth range at any time during the camera’s powered on state. This is possible, however, because Bluetooth on the device is never disabled, not even after initial setup.
Another buffer overflow condition can be triggered when setting the encrypted password parameter on the camera. Similarly, the attacker must be in Bluetooth range of the device. The attack results in the camera to crash and reboot back to operational state.
The third issue, the researcher reveals, could allow an attacker to temporarily disconnect the camera from its Wi-Fi connection by supplying it with a new SSID to connect to. Because the affected cameras don’t come with support for local storage of video footage, the surveillance capabilities of the targeted device are temporarily disabled.
This attack can be leveraged to knock the camera offline while it attempts association with the newly set SSID. The device goes offline for around 60-90 seconds before re-connecting to the original Wi-Fi network and resuming normal operation.
The security researcher published all of the details pertaining to the three vulnerabilities, complete with example exploits.
Related: Backdoor Found in Many Sony Security Cameras
Related: Hundreds of Thousands of IP Cameras Exposed to IoT Botnets