Nest Camera Bluetooth Vulnerability Allows Hackers to Temporarily Disable the Unit
Connected security cameras are convenient for monitoring your home while you are away, but a connected device can also pose a security risk.
Nest’s camera line has been found to contain a Bluetooth vulnerability that would allow a hacker to force the device to reboot, disabling the unit for up to 90 seconds.
The vulnerability was first discovered last October by Florida-based security expert Jason Doyle, who reported the issue to Nest right away. The issue was ignored by Nest for several months before Doyle felt the need to make the findings public in hopes of pushing Nest to take action.
Doyle discovered a total of three different Bluetooth vulnerabilities. Before we can detail each of them we must define an important term. A buffer overflow occurs when a program attempts to put more data into a buffer (a block of memory) than it can hold. If this condition is not checked for, the program continues to write data into memory outside the buffer, overwriting existing data and causing the device to behave strangely.
The first is a Bluetooth-based buffer overflow via the SSID parameter, and the second is a buffer overflow via the encrypted password parameter. Each of these vulnerabilities overflows the buffer for its parameter field, which causes the device to crash and reboot.
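As an added illustration, not Nest's firmware and not Doyle's code, the following C snippet uses a constructed length-prefixed message layout ([type][len][value]) to show the class of defect described above and the bounded parser that prevents it: the copy length is limited by both the destination buffer and the bytes actually received, so an over-long SSID parameter is rejected instead of written past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX_LEN 32 /* 802.11 caps an SSID at 32 octets */

struct wifi_creds {
    char ssid[SSID_MAX_LEN + 1]; /* NUL-terminated copy of the SSID */
    uint8_t ssid_len;
};

/* Unchecked pattern (shown for contrast, never called): the copy length comes
 * straight from the untrusted message, so a value above SSID_MAX_LEN writes
 * past out->ssid.
 *     memcpy(out->ssid, &msg[2], msg[1]);
 */

/* Hardened parser. Returns 0 on success, -1 if the message is too short, the
 * declared length exceeds the buffer, or the value is truncated. */
int parse_ssid_param(const uint8_t *msg, size_t msg_len, struct wifi_creds *out) {
    if (msg == NULL || out == NULL || msg_len < 2) return -1;
    uint8_t declared_len = msg[1];
    if (declared_len > SSID_MAX_LEN) return -1;          /* bound by destination */
    if ((size_t)declared_len + 2 > msg_len) return -1;   /* bound by bytes present */
    memcpy(out->ssid, &msg[2], declared_len);
    out->ssid[declared_len] = '\0';
    out->ssid_len = declared_len;
    return 0;
}

/* Constructed sample messages (hypothetical layout, not a real protocol). */
static const uint8_t MSG_OK[]        = { 0x01, 7, 'H','o','m','e','N','e','t' };
static const uint8_t MSG_TRUNCATED[] = { 0x01, 10, 'a','b','c' }; /* claims 10, carries 3 */

int demo_valid(void) {
    struct wifi_creds c;
    if (parse_ssid_param(MSG_OK, sizeof MSG_OK, &c) != 0) return -1;
    return strcmp(c.ssid, "HomeNet") == 0 ? 0 : -2;
}
int demo_oversized(void) {
    uint8_t msg[2 + 200];
    memset(msg, 'A', sizeof msg);
    msg[0] = 0x01; msg[1] = 200;   /* declared length far beyond SSID_MAX_LEN */
    struct wifi_creds c;
    return parse_ssid_param(msg, sizeof msg, &c); /* rejected before any copy */
}
int demo_truncated(void) {
    struct wifi_creds c;
    return parse_ssid_param(MSG_TRUNCATED, sizeof MSG_TRUNCATED, &c);
}
```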
The third and final vulnerability is a Bluetooth-based Wi-Fi disassociation. Doyle found that it is possible to temporarily disconnect the camera from Wi-Fi by supplying it a new SSID to connect to. Local storage of video footage is not supported by these cameras, so surveillance is temporarily disabled.
In this case, the camera disassociates from the current Wi-Fi network to attempt association with the new SSID. The camera goes offline for approximately 60 to 90 seconds before reconnecting to the original Wi-Fi network and resuming normal operation.
Before even thinking about why Nest did not guard against buffer overflows, we want to ask why Bluetooth remains enabled after setup, even though it is never used again. All three of these attacks are possible because the device keeps Bluetooth enabled at all times.
If it is not being used, Nest should disable Bluetooth after the initial setup is complete and also add defenses against buffer overflow attacks.
Nest has released a statement claiming that they will be releasing a patch for the issue in the coming days. A full description and proof of concept for each vulnerability can be found on Doyle’s GitHub page.