The era of inexpensive home security cameras has arrived. Would-be thieves will take one look at your $150 webcam-based monitoring device and run away screaming, right? Not necessarily.
The Nest Cam, which currently comes in both indoor and outdoor varieties, is vulnerable to three different Bluetooth-based attacks that could render the camera useless for the duration of a burglary. (Don't call these attacks hacks — these are denial-of-service attacks that do not damage or change the Nest Cam's software.)
In a statement to Tom's Guide, Nest Labs said that it was "aware of this issue, [has] developed a fix for it and will roll it out to customers in the coming days." Unfortunately, there doesn't seem to be a way to turn off a Nest Cam's Bluetooth radio until then. You could just stay home for a while and stock up on heavy weaponry, to be safe.
This information comes courtesy of Jason Doyle, a senior security engineer at VMware AirWatch, who posted his research — and the instructions for carrying out each attack — on the Github online code repository.
Back in October, Doyle found three separate but similar Bluetooth-based flaws in Nest Cams and their older Dropcam cousins and submitted the information to Nest Labs, owned by Google parent company Alphabet. After five months without a fix, Doyle took his findings public.
The first attack involves overflowing the entry field for a Wi-Fi SSID, or network name, after connecting to a Nest Cam via Bluetooth. If you attempt to connect the Nest Cam to a phony Wi-Fi network and enter an arbitrarily long SSID, the camera will choke on the data, then crash and reboot.
Since Nest Cams transmit all data up to Nest servers via Wi-Fi and internet, rather than saving it on local storage, this would give burglars a short window in which to accomplish mischief. (And, of course, the burglars could repeat the attack as often as they like.)
Doyle's second attack uses a similar overflow tactic as the first. This time, instead of overflowing the SSID field, attackers can attempt to set a new password for the camera via the Bluetooth connection. If the password is sufficiently long, the camera will again crash and reboot, giving the burglars the short window mentioned above.
The third trick is the simplest of all. After connecting to a Nest Cam with Bluetooth, an attacker can simply instruct it to join a different Wi-Fi network. Whether or not the camera is successful in joining the new network, it will disconnect from its current Wi-Fi network and cease to transmit data for the 60 to 90 seconds it takes to attempt a new connection.
The flaws may not sound serious, since an attacker would need to be within Bluetooth range of the camera. However, while this would pose a problem for remote attackers, burglars are, by definition, not remote.
If a pair of thieves knew for sure that a house had a Nest Cam Indoor, Nest Cam Outdoor, Dropcam or Dropcam Pro, it would be fairly simple for one ne'er-do-well to hide just out of sight, continually knocking the camera out of service with his or her Bluetooth-enabled smartphone, while the other entered the house and made off with the loot.
Unlike some other security cameras, Nest Cams do not disable Bluetooth after their initial setups. Nest Labs claims that this continued connectivity is in order to make use of secondary features such as App Silence and Safety Checkup, although these features are arguably not important enough to leave the camera open to such trivial exploits.
Now that Doyle has gone public, Nest Labs is rushing out a fix. In the meantime, there's not much you can do aside from disconnecting your Nest camera — which would admittedly create the exact same situation as the one that burglars would want to exploit. At least there’s no evidence that anyone’s used the trick ... yet.