The internet has made it supremely easy to install connected security cameras wherever you want. Unfortunately for Nest, that easy connectivity makes it simple for hackers to disable its cameras with just a few keystrokes. And that’s a very bad feature for a security camera.
Nest’s indoor and outdoor security camera as well as Dropcams and Dropcam Pros have serious-sounding vulnerabilities that let hackers disconnect the cameras with a Bluetooth command. Security researcher Jason Doyle discovered the flaws and reported them to Nest back in October, but the Alphabet subsidiary has for some grossly negligent reason failed to release a patch. After Doyle published the details of the vulnerabilities, however, the company said that it’s aware of the issues and working on a fix.
We knew it was coming. When Nest bought the camera maker DropCam for a cool half billion last year, it seemed inevitable that a surveillance camera would be Nest's third big hardware release. Today, Nest announced Nest Cam -- along with a subscription service called Nest Aware.Read more
There are actually three vulnerabilities, all of which involve the most recent firmware, version 5.2.1, which was released in January 2016. The first two involve sending either a Wi-Fi SSID parameter or a Wi-Fi password parameter to the camera via Bluetooth. In either case, the camera will crash and reboot, giving a potential burglar about 90 seconds to enter a home undetected. The third vulnerability lets a hacker disconnect the camera from the network altogether by sending it a new, non-existent Wi-Fi SSID parameter via Bluetooth. This is bad news since all of Nest’s security cameras (including the legacy Dropcams) save footage to the internet via Wi-Fi.
It’s unclear how to protect yourself, if you own a Nest cam or Dropcam. The vulnerabilities that Doyle discovered apply to a specific version of the firmware, although he wasn’t able to say if other versions are affected as well.
“If Nest hasn’t released a fixed version of the firmware then I’m not aware of any workarounds,” Doyle told Gizmodo. “I don’t know if earlier versions of the firmware would be in operation. Since it’s a cloud camera I’d expect Nest to automatically push out any new updates to enrolled cameras as they become available.”
Now that the code for the exploit has been published, a motivated and knowledgeable burglar could theoretically use it on people’s homes tonight. If you own one of these cameras, the only real, bulletproof solution to avoid the flaw is to disconnect them until Nest pushes a software fix, and, of course, disconnecting a camera doesn’t exactly make you any safer. Given that Nest hasn’t updated the firmware in over a year, that’s real cause for concern. Let’s hope they hop to it with a fix.