This post is also available in: עברית (Hebrew)
Security vulnerabilities were found at a popular security product. A security researcher has recently published a vulnerability and proof-of-concept exploits in Google’s Internet of Things (IoT) security cameras, marketed as “Nest Dropcam”, with its different versions – Pro, Outdoor and Indoor. The vulnerabilities were disclosed to Google last fall, but the company hasn’t patched them despite the gravity of the vulnerability and the long months since the disclosure.
The Researcher, Jason Boyle, discovered that sending long wifi network names or passwords to cameras over their Bluetooth interfaces (which cannot be disabled) will cause them to reboot. According to boingboing.com, rebooting all the cameras in the home is a trivial procedure for a home intruder before breaking in.
A camera that is passed a malformed wifi network name can be made to disconnect from its home wifi for 60-90 seconds; this time can be extended by feeding it a stream of malformed wifi names.
This major glitch in design is an example of how even well-resourced, professionally managed companies can fall down on the job when it comes to security. Proponents of giving companies the power to sue security researchers who disclose defects in their products argue that companies are generally responsive to security vulnerability disclosures and that any unauthorized disclosures are, by definition, irresponsible.
But if Google can’t be relied upon to patch showstopper bugs in their flagship home security products over a six-month period, who can?
The first two flaws can be triggered and lead to a buffer overflow condition if the attacker sends to the camera a too-long Wi-Fi SSID parameter or a long encrypted password parameter, respectively. That’s easy to do as Bluetooth is never disabled after the initial setup of the cameras, and attackers (e.g. burglars) can usually come close enough to them to perform the attack.
Triggering one of these flaws will make the devices crash and reboot. The third flaw is a bit more serious, since it allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to. If that particular SSID does not exist, the camera drops its attempt to associate with it and return to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won’t be recording.