A bug in the software powering Google's Nest Cam allows attackers to take the surveillance cameras offline for up to 90 seconds.
A recently-discovered vulnerability affecting Google's Nest Cam and Dropcam Pro allows an attacker to remotely access the camera and shut off its recording capabilities for 60 to 90 seconds.
The flaw, discovered by Jason Doyle and published on GitHub, can be exploited when the attacker is within Bluetooth range of the device. Doyle stated in his GitHub post that he initially reported the bug to Google on October 26, 2016, but that he has since made the information public. Google acknowledged the bug, but didn't let him know if it had been patched, he said in an interview with The Register.
If an attacker was able to knock the cameras offline for the maximum amount of time, they would be able to slip past them undetected. The bug presents an even bigger issue for some small businesses, who may use the Nest Cam and Dropcam Pro as CCTV tools or security cameras.
SEE: Information security incident reporting policy (Tech Pro Research)
The issue, according to Doyle's post, is that Bluetooth connectivity is never disabled after the initial setup of the device. Using Bluetooth, the camera is supplied with a different SSID, which causes it to leave its current Wi-Fi network in an attempt to associate with it. After 60 to 90 seconds, it returns back to the original network.
Bluetooth is necessary to initially set up either of these cameras, and can be used to change the settings or to configure the device later on. However, Bluetooth cannot be disabled, which means that there might not currently be an available workaround, Doyle told The Register.
The bugs highlight growing concern over the security implications of the Internet of Things (IoT) and other connected devices, especially in business. In addition to taking certain devices or services offline, IoT attacks can also be used to gain backdoor access into the network.
While there's not much that can be done about the Nest and Dropcam issue right now, users can protect their other IoT devices by implementing proper authentication policies, focusing on data privacy, and being wary of what they're connecting, as to avoid botnet attacks.
As reported by ZDNet's Liam Tung, the Bluetooth bug, and two other bugs Doyle reported that affect the cameras, all impact the Nest Cam and Dropcam Pro's firmware version 5.2.1.
Update: A Nest spokesperson has provided the following comment: "Nest is aware of this issue, developed a fix for it, and will roll it out to customers in the coming days."
Update: A Nest spokesperson later provided this comment: "All Nest camera customers now have the updated software. To our knowledge, no customer's camera was ever affected by this issue and customer video remained safe."
The 3 big takeaways for TechRepublic readers
- A new bug can be used to take the Google Nest Cam and Dropcam Pro offline for 60 to 90 seconds, long enough for an intruder to slip past them.
- The bug utilizes Bluetooth, which cannot be disabled on the cameras, meaning there is no workaround, a researcher said.
- The bugs highlight bigger issues with IoT security and the future of connected devices.
- How misaligned incentives give hackers an advantage over IT security pros (TechRepublic)
- Google Nest: Unpatched bug lets intruders use Bluetooth to stop cameras recording (ZDNet)
- Use Panopticlick to find out if you've been betrayed by your browser (TechRepublic)
- Internet of Things security: What happens when every device is smart and you don't even know it? (ZDNet)
- Why top ISPs don't think your web history or app usage is 'sensitive information' (TechRepublic)