The bug has yet to be patched, yet Bluetooth in the devices cannot be disabled
Google’s Nest smart surveillance camera has a bug in its firmware that enables burglars to disrupt the feed from being recorded by establishing a Bluetooth connection.
The vulnerability in the software enables savvy crooks to trigger a buffer overflow whereby a program writing data to a memory buffer overruns it’s boundaries and overwrites adjacent memory, in the SSID parameters of the camera when in Bluetooth range.
This has the effect of knocking the Nest camera off the Wi-Fi network it is connected to for 90 seconds, essentially severing its ability to record video feed for a small window of time which burglars can exploit to gain unspotted access to a property. The attack can be repeated, so criminals can keep the camera off the network while they search a property for valuables.
“It’s possible to temporarily disconnect the camera from Wi-Fi by supplying it a new SSID to connect to. Local storage of video footage is not supported by these cameras so surveillance is temporarily disabled. The attacker must be in Bluetooth range at any time during the cameras powered on state. Bluetooth is never disabled even after initial setup,” explained security researcher Jason Doyle, who discovered the bug and posted details of it on GitHub.
The current Nest cameras affected by the bug include the Dropcam, Dropcam Pro, Nest Cam Indoor/Outdoor models running the firmware version 5.2.1.
Doyle had reported the bug to Google last year, but he told The Register that as he was not convinced it had been patched he published the details of the bug on GiHub.
The worrying thing about the bug is the inability to shut off the camera’s Bluetooth connection, meaning users aware of the flaw can do little to combat against it.
Nest has now patched the flaw with a spokesperson from the company telling Silicon : “All Nest camera customers now have the updated software. To our knowledge, no customer’s camera was ever affected by this issue and customer video remained safe. This isn’t the first time we’ve updated our security measures, and it won’t be the last, as we continue to look for ways to improve our products, such as the introduction of two-factor authentication last month.”
The rise of the Internet of Things (IoT) is making an increasing amount of object smarter and more connected, but with that comes the risk of being hacked or exploited. Unfortunately, cyber security in such devices has yet to be standardised and is often incorporated as an afterthought.
The nest big is yet another example of the security risks such smart devices can bring. Now that is not to say businesses and society should rally against the adoption of IoT tech, but people and companies looking at making their homes and offices smart would be wise to ensure enough thought is given to cyber security.