A security researcher has published a vulnerability and proof-of-concept exploits in Google’s Internet of Things security cameras, marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor. These vulnerabilities were disclosed to Google last fall, but Google/Nest have not patched them despite the gravity of the vulnerability and the long months since the disclosure. IT security experts from DomainTools, Tripwire and Tenable Network Security commented below.

Tim Helming, Director, Product Management at DomainTools:

“There was never any reason to believe that the Nest systems would be impervious to vulnerability and exploit, so in a way this doesn’t come as a surprise. Having said that, it’s more troubling that Nest apparently didn’t act upon the responsible disclosure of the vulnerability. In this case it’s not so much the “IoT-ness” of the cameras that’s the problem, because this vulnerability as described doesn’t allow remote code execution or hijacking of data streams; but it’s still a flaw that shouldn’t sit unpatched for extended lengths of time.”

Craig Young, Security Researcher at Tripwire:

“The ability to take a WiFi camera offline is incredibly trivial. Anyone who wants to take a Nest camera (or other WiFi based camera) offline simply needs to broadcast 802.11 DEAUTH frames to make the wireless network unusable. This is something you can do with a $30 battery powered travel router or a specially configured phone and you can keep the device offline for as long as you want.

What is more interesting about this situation is that the researcher indicates that this is a buffer overflow which could in fact lead to code execution.  If it is possible to get code execution through BLE frames, an attacker may be able to gain access to home networks to steal data or perhaps take control over something like a connected lock or home security system.  This however is a very non-trivial task requiring a lot of specialized knowledge and likely a decent time investment.  It is also worth noting that just because a system appears to crash in response to an overly long input, it does not necessarily mean that there is a buffer overflow.  (For example, there can also be a failed assertion leading to a graceful service restart.)

I am also curious to see a detailed timeline of the correspondence this researcher had with Google and whether they went through the Google vulnerability submission process.  I have submitted quite a few bugs through Google’s bug bounty program including one in the DropCam (now Nest cam) and Google has always responded very swiftly with a fix and a bounty payment where applicable.”

John Chirhart, Federal Technical Director at Tenable Network Security:

“The 2016 holiday season was flooded with IoT devices, and we continue to see people paying hundreds of dollars for devices to see, listen and monitor their homes and lives. People have placed blind trust in these devices, without first ensuring that they’re secure. The IoT certainly isn’t going anywhere, so the challenge becomes protecting ourselves, our businesses and our homes in today’s ever-connected world.

The bottom line is consumers don’t want to pay extra for IoT security, it’s expected. But manufacturing has largely failed to include security up front. To fix this, manufacturers need to build security into the design process, it can’t be an afterthought.”

Information Security Buzz