Beware of Bluetooth burglars raiding your nest!
A recent discovery has found that NEST CCTV cameras can be wirelessly hacked to crash and stop recording footage via Bluetooth, making them and the houses they protect perfect targets for criminals.
Nest's Dropcam and Dropcam Pro security cameras can be wirelessly attacked via Bluetooth to crash and stop recording footage. The vulnerabilities are in camera firmware version 5.2.1, and it is understood that no patch is publicly available. Security researcher Jason Doyle, based in Florida, US, spotted the holes, and alerted Google-stablemate Nest about them last October. However, there's been no software updates to correct the programming since then. This month, Doyle went public with details of the flaws, including example exploits.
For the first bug, an attacker can trigger a buffer overflow in the camera by pinging it an overlong Wi-Fi SSID parameter via Bluetooth Low Energy (BLE). This causes the gadget to crash and reboot. The second flaw is similar, but in this case the miscreant sends a long Wi-Fi password parameter to the camera. This too will cause the camera to crash and restart.
A third issue is more serious. The criminal can send the camera a new Wi-Fi SSID to connect to, forcing it to disconnect from the current network, try joining the new SSID which may not exist, and reconnect to the previous wireless network about 90 seconds later. During this time, the device stops recording footage to its cloud-connected back-end. Nest deliberately designs its cameras to use internet hosted storage for video, not local storage, so any down-time is bad news.
By repeatedly exploiting these holes, a device is knocked offline and stops keeping a record of what it sees – thus rendering it useless as a remote security cam.
All of these flaws require the attacker to be in BLE range, but that's not a problem for someone about to break into your house or office. Bluetooth is enabled by default in the cameras, and stays on at all times so the gadgets can be reconfigured over the air. This leaves them vulnerable to attack.
Cesare Garlati, Chief Security Strategist, prpl Foundation had this to say: “This is yet another case where security by separation at the hardware layer of the device would keep malicious actors from configuring the cameras for their own gain.
“Without it, lateral movement inside the device is possible because there is no trust established within the device to distinguish which elements have the trusted ability to control critical functions, like turning the device off – it is essentially a free for all if you know where to look. And clearly these guys do. This is a major problem plaguing IoT and should be a wake- up call to device manufacturers to take the security of hardware in connected devices more seriously.
“In fact, hardware is the key to making security more robust in connected devices. It also further confirms that security through obscurity just doesn’t work anymore and it’s time for a more proactive approach to securing embedded devices including using open source, security through separation with hardware virtualisation and a root of trust established at the hardware level.”