A security researcher has published a vulnerability and proof-of-concept exploits in Google’s Internet of Things security cameras, marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor. These vulnerabilities were disclosed to Google last fall, but Google/Nest have not patched them despite the gravity of the vulnerability and the long months since the disclosure. IT security experts from DomainTools, Tripwire and Tenable Network Security commented below.
Tim Helming, Director, Product Management at DomainTools:
Craig Young, Security Researcher at Tripwire:
What is more interesting about this situation is that the researcher indicates that this is a buffer overflow which could in fact lead to code execution. If it is possible to get code execution through BLE frames, an attacker may be able to gain access to home networks to steal data or perhaps take control over something like a connected lock or home security system. This, however, is a very non-trivial task requiring a lot of specialized knowledge and likely a decent time investment. It is also worth noting that just because a system appears to crash in response to an overly long input, it does not necessarily mean that there is a buffer overflow. (For example, there can also be a failed assertion leading to a graceful service restart.)
I am also curious to see a detailed timeline of the correspondence this researcher had with Google and whether they went through the Google vulnerability submission process. I have submitted quite a few bugs through Google’s bug bounty program, including one in the DropCam (now Nest cam), and Google has always responded very swiftly with a fix and a bounty payment where applicable.
John Chirhart, Federal Technical Director at Tenable Network Security:
The bottom line is consumers don’t want to pay extra for IoT security; it’s expected. But manufacturing has largely failed to include security up front. To fix this, manufacturers need to build security into the design process; it can’t be an afterthought.