The first vulnerability involves using the camera’s Bluetooth Low Energy (BLE) – always on by default – and pinging Wi-Fi SSID with a really long parameter. This causes a buffer overflow in the camera and prompts the device to crash and reboot. The second vulnerability also involves a buffer overflow crash, but this time caused by an overly long Wi-Fi password.
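The defect described above is an unbounded copy of a provisioning field into a fixed-size buffer. As an added illustration (not code from the article or from Nest), the C below shows the defensive counterpart: a validator that bounds SSID and passphrase length before anything is copied, plus a guarded struct that demonstrates an oversized field leaving neighbouring memory untouched. The printable-ASCII rule is an assumption chosen for this example; 802.11 itself permits arbitrary SSID octets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSID_MAX_LEN 32   /* 802.11: an SSID is at most 32 octets   */
#define PSK_MIN_LEN   8   /* WPA2-PSK ASCII passphrase: 8..63 chars */
#define PSK_MAX_LEN  63

typedef struct {
    char ssid[SSID_MAX_LEN + 1];   /* +1 for the NUL terminator */
    char psk[PSK_MAX_LEN + 1];
} wifi_creds_t;

typedef enum {
    CRED_OK = 0,
    CRED_ERR_SSID_LEN,
    CRED_ERR_SSID_CHAR,
    CRED_ERR_PSK_LEN,
    CRED_ERR_PSK_CHAR
} cred_status_t;

/* Assumed policy for this example: provisioning fields are printable ASCII. */
static bool all_printable(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] < 0x20 || p[i] > 0x7e) return false;
    return true;
}

/* Validate length and content BEFORE touching the fixed-size struct.
   The bug the article describes is the missing length bound; here an
   oversized field is rejected and nothing is written, so the struct is
   unchanged on every error path. */
cred_status_t wifi_creds_set(wifi_creds_t *out,
                             const uint8_t *ssid, size_t ssid_len,
                             const uint8_t *psk, size_t psk_len)
{
    if (ssid_len == 0 || ssid_len > SSID_MAX_LEN)        return CRED_ERR_SSID_LEN;
    if (!all_printable(ssid, ssid_len))                  return CRED_ERR_SSID_CHAR;
    if (psk_len < PSK_MIN_LEN || psk_len > PSK_MAX_LEN)  return CRED_ERR_PSK_LEN;
    if (!all_printable(psk, psk_len))                    return CRED_ERR_PSK_CHAR;

    memcpy(out->ssid, ssid, ssid_len);
    out->ssid[ssid_len] = '\0';
    memcpy(out->psk, psk, psk_len);
    out->psk[psk_len] = '\0';
    return CRED_OK;
}

/* Constructed check: guard words on both sides of the credential struct
   make any overrun visible. */
typedef struct {
    uint32_t     guard_lo;
    wifi_creds_t creds;
    uint32_t     guard_hi;
} guarded_t;

/* Returns 1 when an over-length SSID (constructed: 200 bytes) is refused
   and both guards and the existing credentials survive intact. */
int demo_oversized_ssid(void)
{
    guarded_t g = { 0xdeadbeefu, { "HomeNet", "correct horse" }, 0xcafebabeu };
    uint8_t long_ssid[200];
    memset(long_ssid, 'A', sizeof long_ssid);
    cred_status_t s = wifi_creds_set(&g.creds, long_ssid, sizeof long_ssid,
                                     (const uint8_t *)"passphrase", 10);
    return s == CRED_ERR_SSID_LEN && g.guard_lo == 0xdeadbeefu &&
           g.guard_hi == 0xcafebabeu && strcmp(g.creds.ssid, "HomeNet") == 0;
}
```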
If a burglar can do that, he can definitely make better money elsewhere. His burgling career can officially be retired.
Because the smart camera has no offline footage storage capabilities, this attack would give a burglar a window of opportunity to sneak into the house. Considering the attack could be repeated indefinitely, the burglar would have a lot more than 90 seconds to move about the house, without fear of being recorded.
Technical aspects aside, the scenarios painted in the article are almost comically far-fetched. In 2017, a spy scenario might even be less so.
> If a burglar can do that, he can definitely make better money elsewhere. His burgling career can officially be retired.
True. Such as making $100 "nest cam defeaters" that are battery powered and backed by a raspberry pi zero or something similar.
This also goes to the question of "what is being protected?" It's one thing to burgle a house and get a few thousand worth of jewelry and electronics. It's another thing for a local small museum that doesn't have the budget for a good security camera system.
If a museum with anything of value is using Wifi cameras, then they are incompetent and the camera is likely not the worst of their flaws. Wifi disassociation attacks affect every Wifi camera.
People said that about cars too, but little boxes that exploit fancy car security are available.
The Nest cam is such a dumb product from a security POV that these attacks merely scratch the surface. Wire clipper to the unprotected coax from the cable company is the easiest exploit.
Eh, car theft decreased in the US by 41% between 2006 and 2015 in total volume, all while total number of cars has been increasing. Looks like modern security works okay!
I don't know what burglar fantasy-land you folks are familiar with, but in my part of the concrete woods, burglars are known for their prowess. Their dexterity. The ability to put fear aside.
Their technical experience, perhaps less so. How many could pass a red-black tree traversal whiteboard interview?
The day these attributes are combined with an understanding of buffer overflow exploits will be a scary day indeed.
It only takes one person to automate this process for every one to use. Nobody expects burglars to manually write the exploit. Running a single thing from your phone? Much easier.
BurglarPro 1.1, now available from the Play Store. Modules available for front cam common buff overflow exploits, more. See testimonials for yourself and any positive feedback appreciated.
It's not as if skilled programmers who caught drug felonies or whatever lost their skills - they simply lost their employability within their industry.
I'm certain a decent percentage of those folks make a living in the shadier areas of the economy, including theft.
As the exploit for this vulnerability is at (below?) beginner script-kiddie level, it is not far-fetched for a more sophisticated burglar. Every lock's life ends with someone uttering the words: "I never thought they would do that."
Well, imagine a smart man that is not a burglar-in-field starts selling a device that did this. I think that's the scary part. Also think of evidence planting that could happen. Far fetched? Maybe. Maybe not.
Guess what, the burglar could also cut the cable line coming into the house to completely disable the internet. Works on every DIY camera with no local storage that only uses home networking.
Whether it's overhead or underground depends on the house. Usually overhead in older neighborhoods and underground in newer ones.
Telephone lines almost always have an externally accessible demarcation box at ground level (usually a little grey one that says "telephone wiring" on it), making them very easy for a crook to cut. Cable varies a lot, though. It's common for cable to be retrofit into older construction in such a way that the lines are externally accessible, but in newer houses it may have been installed at construction time and well hidden. The cable splitter/distribution amplifier is often in the basement or elsewhere in the house, but is sometimes also installed on the exterior, basically depending on what was easiest to the installer.
So basically, there's almost no common standard for cable. You'll just have to look around. Sometimes the incoming line is lazily run along a fence, sometimes it's buried and all house wiring is internal.
Definitely a good point, but we should also be asking (1) is this easier? and (2) If it isn't much, much harder, is it also just sloppy to be giving up more opportunities to risk security and (3) maybe we should re-think the internet lines into the house.
I think most of the comments so far are a play on those points.
On T-Mobile at least, I've never been unable to call when my internet connection between router and internet is bad but I'm connected fine to the wifi.
I use Fi, and it will refuse to call over wifi if the connection is even slightly finicky. If a cell phone tries to place a call over wifi with no internet and then doesn't retry over the cell network I would call that a bug.
Nest cameras work over WiFi (as far as I know). Presumably you can defeat them with a spark gap or a microwave you've jimmied to run with the door open. Vulnerabilities against technical hackers sending hand-crafted artisanal Bluetooth packets are laughably irrelevant.
A spark gap (aka noise jammer) is laughably broad and would also cause interference with everyone in the neighbourhood. But a frequency selective Wifi noise jammer is very effective, especially if aimed at the base station with a directional antenna.
I wouldn't recommend disassembling a microwave oven to get at its magnetron, because you will probably electrocute yourself at best, and if you manage to turn it on (e.g. by jamming the door closed sensors), literally cooking your eyeballs.
I have a cheapo Chinese 2.4GHz video transmitter which quite effectively jams 2.4GHz wifi for hundreds of feet in every direction (as my neighbours let me know...)
I've got a friend who claims you can force a DJI drone to autoland from well over 1km with some microwave oven guts duct taped to a satellite tv dish.
Even more cynical: the focus was on making a buck selling a security theater product to the paranoid and gadget-obsessed, not to produce a product focused on providing prosecution evidence.
I mean seriously: cloud storage of the video may not be "secure", but it's undeniably cool and provides the visceral feedback that the marks want. It doesn't have to be actually useful to have value to its subscribers.
People who are actually worried about break-ins just buy safes and insurance policies. Or move. This is for the nuts.
I feel like I can add an n=1 sample here; I'm a Dropcam customer, who would describe themselves as paranoid and gadget-obsessed.
I was worried about office break-ins, so I bought things that include safes, insurance policies, and Dropcams. These cameras were WAY cheaper than the cameras & services offered by the alarm companies.
And in January this year, the worst happened: someone broke into our office, and took a bunch of electronics. Without the videos from the cameras, the building management wouldn't have been able to figure out how they got in, and police to be able to identify/prove who it was and what happened to our gear.
I'd definitely buy them again. The only change I'm going to make now is relocating the cameras to areas where they'll cover other parts of the office, and add additional cameras as well.
Yep, and although thieves could steal the SD cards, it wouldn't be hard for Google to make the system redundant, so that if the internet goes down, each cam sends its motion-activated footage to all the other local cams, for storage on the SD cards. That way, the thieves have to physically access all of the cameras in order to remove the SD cards.
IMO only the last of the three flaws is something that would be practically exploitable by a burglar. The rest, while poor coding practices that do illustrate some flaws with the system, are not likely to be exploited by a burglar.
The first two are simply embarrassing. Google paid 3 Billion for this stuff? Does anyone do QA any more? Especially for a device you use for a security purpose, you'd think bugs like this would be not only found, but designed to not happen in the first place.
I know you're implying that they don't care anymore, but I think over-working leads to fatigue and rush jobs/corner cutting, which is a great way to end up with security flaws.
That's because Tony Fadell made them work on the weekends. If you're forcing your employees to work on the weekends, on a regular basis, then something is very wrong - which probably explains why he's no longer at Nest.
The third flaw is endemic to Wifi, and it's so easy to execute with off-the-shelf tools that the more esoteric attacks hardly make the camera security any worse.
Anyone that cares about security uses hard-wired cameras.
I've had success with MotionEyeOS [0] on a Raspberry Pi. It used to be that a Pi ($35) plus the camera module ($25) meant ~$60 per cam but now that the Zero W [1] is out you can do Pi ($10) plus camera module ($25) plus the nifty official case that nicely accommodates a camera ($5) for ~$40.
MotionEye lets you store images or video locally on the Pi or has multiple cloud destinations available (Drive, Dropbox, your own custom FTP node). An email notification + dropping the files into Google Drive is stupid simple to set up. Plus you can configure just about everything from motion sensitivity to frame rate, etc. Most difficult setup is live stream, which means you would need to VPN into your home network; certainly not impossible but still not turnkey simple. If there is a better open source solution for the Pi, I'd love to hear about it.
I bought a Ubiquiti Micro[0] camera, and set up a local server that runs their NVR software, that saves the recordings and controls the cameras. It was important to me not to get a cloud enabled camera.
Sadly they are out of stock most places, but a new version has been rumoured.
I can second the Unifi cameras if you don't mind setting up a server to monitor them. I'm using their outdoor cameras to watch my front/back doors at home, and I have about a dozen of the dome cameras at work. The NVR software has been working flawlessly in both places.
I was less impressed with the image quality of the Micro camera; it's adequate, but the Nest cam is better.
Pretty much all the larger non-Chinese companies sell pretty secure cameras. The safest way to use IP cameras is to isolate them so they aren't connected to the internet.
IPVM also keeps a public up to date list on known vulnerabilities[1]
Re-purpose one of your older unused android phones. WardenCam is pretty good, can upload snapshots to google drive etc (create a google account specific to the phone(s) so you are not leaving a phone logged into your main account sitting around).
And in a follow up article, it was discovered that burglars could disable a Nest Cam by using an aerosol deployed enamel compound that occluded its lens. Press officials for Rustoleum were unavailable for comment.
These kinds of cameras are just to scare non-sophisticated burglars. Alarm systems work on the premise that burglars will decide to choose another target as the "protected" one is slightly more inconvenient to rob. It is really hard to stop a highly motivated thief.
Is the main use case for these security? I've been considering getting some. I mainly want to watch my dogs and see how they're doing when I'm out. My dogs can't buffer overflow so I think I'm still OK to purchase.
I'm pretty ignorant in the embedded/hardware area of tech, but I would have guessed by now C or other buffer-overrun-prone languages would have been replaced by the majority of companies making new-ish products. Is something like managed C# not an option still despite hardware gains? Or, I keep hearing about Rust on Hacker News as a possible fix to this. Is it a problem with the education pipeline, like students learn that devices like this need C so they code C for them out of school?
Ahahahahahaha, that would assume anyone actually learns from decades of industry mistakes. They do not. Most micro-controllers still use C and the vendor applications are only "secure" in that no one has poked around for a few minutes to discover the numerous security holes. Every year at Defcon, there are at least a few presentations about striking security flaws in security devices or IoT gear.
You need compiler support for generating bound checked instructions, and additionally processor support like the Intel MPX or Sparc v8 tagged instructions.
In consumer product development, the software side is often cobbled together by an intern or entry-level SW engineer, who basically slaps a bunch of vendor-supplied firmware or poorly configured open-source software together until it works.
There is rarely top level direction on how the software should be designed from a security perspective.
Management is usually directed by supply-chain people for whom words like "Rust," "buffer overflow," or "security" are not in their vocabulary.
In most cases there is no budget to rewrite anything in a new, better language, and the amount of software and complexity of the moving parts is too much to understand, let alone rewrite, without a dedicated team of software/firmware specialists.
TL;DR management priorities, quantity/complexity of software involved.
I suspect it has to do with not only the availability of Rust compilers for embedded microcontrollers, but also Rust IDEs for them. Embedded IDEs tend to be heavily C-centric and have been for decades. Much infrastructure will have to be redone for this to change.
Am I really supposed to be scared of a burglar who has the skills to hack a security system though? If he has those skills maybe he can find a good paying job easily enough.
You'd think that with malware also, and that has turned into a business model by now: the people writing the code often are not the ones using it, selling exploit kits instead. Even offering it as SaaS or subscriptions nowadays.
Not sure if disabling Nest cameras is interesting enough, but there could be a black-market business somewhere in interrupting IoT devices. (E.g. sell an android phone preloaded with an app to unlock remote controlled locks)
Yep. I remember reading that sophisticated car remote entry hacks were encapsulated in little microcontroller-based push-and-go boxes and sold via the criminal underworld to people who would actually be willing to take the risk of using them.
But dropcam is a company they acquired, I'm guessing they didn't rewrite all the software. The stuff they wrote themselves for the thermostat is apparently more secure than at least 99% of things.
I own several dropcams but don't understand most of the language in this article - are there any precautions I should be taking that I may not be already?
Which is of course completely counter to the 'win' of cloud based video storage. The bug is that a sophisticated burglar can cause your cameras to stop recording.
Most burglars don't care about alarms or cameras. They wear a mask, go to the back door between 11am and 3pm when most people are gone, kick it in, rummage for anything for 3 mins and then run away. It's very low probability of catching criminals with a simple workflow like this.
Depends on your threat model, I'm more interested in catching a thief stealing packages from my porch (as happened to a neighbor). These thieves don't typically wear a mask as it's hard to be inconspicuous while walking around the neighborhood with a mask.
The key is to make sure your cameras cover the street so you can capture their car, and even better if your neighborhood has a critical mass of cameras so even if they park out of range of your camera, your next door neighbor may have caught them.
Well, yeah. But coming from a high crime area (Las Vegas) I can tell you that cameras are critical to catching burglars and it happens all the time. Your things can be recovered or at the very least you may be helping prevent future burglaries.
If you can have them or an alarm, even though it may not do any good in the moment, it's not like it is completely fruitless to have them. In some places, the more security the better.
"Most burglars ... wear a mask, go to the back door between 11am and 3pm when most people are gone, kick it in, rummage for anything for 3 mins and then run away..."
Emphasis on the word "most" here. That implies a majority. If the author had said "some" or "many," that would be uncontroversial. Here, however, the author is making a specific quantitative/statistical claim, and it is that that deserves proof.
You're the one who made the claim. Telling someone to "Google" it isn't helpful, and makes your claim seem even less plausible. Help educate us, instead.
What amazes me is that the vulnerabilities have been known for many months yet haven't been patched.
Maybe I shouldn't be too surprised. I bought a Dropcam two years ago before Nest/Google acquired them. It worked fine for a while, but since being acquired the app and reliability has gotten worse and worse to the point that I no longer use it because it's too flaky. Based on that and everything else I read about the company, it seems that they're severely mismanaged.
Nest hasn't done anything significant since the smoke alarm. I'm really not sure how their leadership maintains employment. They launched that in October 2013. What company can go for 3 1/2 years, 3 of those with Google money, and do so little? There are tons of opportunities for them to launch e.g. a real home security system with window sensors, locks, a 24x7 monitoring service, more smart home devices / integrations...
The smoke alarm wasn't even a good idea. A smoke alarm is a device you hope to never have to use. It's like making a smart fire extinguisher, or an AED with Siri integration. Really unimpressed with Nest as a company.
My Nest smoke alarm actually justified its value a couple of weeks ago: We were out in town when it let me know that there was CO in the house. We were able to rush back and turn off the leaking gas stove before things got out of hand.
I think the peace of mind that this now gives me is extremely valuable.
I felt exactly this way until spring of last year, when the founder was fired.
After that, there have been really great, killer-app features which make me love my Nest again.
They have human-detection, which is critical for security, and it's really useful. I don't look at any alerts that say "Nest has detected a human", etc. And the app has gotten pretty decent. You can scroll through a lot of footage very quickly, or look only at the footage where an alert was generated.
Overall, I think the Nest has gone from frustratingly useless to really great since earlier last year.
I know this is the original title, but it's kind of misleading. I clicked this article thinking that somehow the vulnerability literally opened your door to burglars (e.g. if you have a smart door lock).
If I were a burglar and would see Nest or other smart-home stuff in the Bluetooth device list... well here's someone who fancies technology and might be worth a try.
To make stuff even better: forcing the Dropcam to disassociate with the owner's wifi network and reassociate with my own? Take a RPi, a 3G dongle, a battery pack and throw it into a nearby bush... perfect to stalk out when the home owners are not there, and thanks to the 3g connectivity no one will even have to look around and arouse suspicion with neighbors.
Actually if you were a burglar you'd likely be a teenager out for the thrills or a drug addict and the most you'd do is see if anyone or a dog was home before kicking in the door.
Burglary rates have cratered not because of security systems but because people don't have things that are easy to trade for cash.
Unless it's jewelry, cash or guns it has virtually no value sold hot.
Being a drug addict isn't mutually exclusive with having other skills. I wouldn't have been above something like this if my salary (software engineer) hadn't been able to cover my habits.
Granted. This wasn't a commentary on who is likely to have the skills, it was a commentary on the value of time. If you can pull off electronic surveillance you can make a lot more money doing that than B&E's.
Not sure, but a stolen (some say given away by a disgruntled postal carrier) USPS key was used to break into dozens of mailboxes in a very affluent zip code in San Francisco (Nob Hill and Russian Hill).
It must have been very lucrative for the pair of thieves. Also scary that a single key works across an entire zip code.
I don't know much about Nests, but does simply being on the same wifi allow you to see what the camera sees? I thought they uploaded stuff to the cloud (I assume over https) so you would have to compromise the cloud account to see anything.
I have a Nest camera. You're right, being in the same VLAN does not give you access to the video feed (at least via http). You need to view it online from their cloud.
Somehow having to access it from a Nest server, and hence have it be copied by Nest, does not inspire confidence. I'd be much more worried about someone looking at me via Nest than a burglar subverting my Nest camera.