Security researcher Jason Doyle has discovered another flaw in connected devices, this time in Google’s Nest Cam, Dropcam and Dropcam Pro. These could be exploited by a burglar close to your house – anywhere within Bluetooth range – rather than being compromised remotely.
Doyle published details of the vulnerabilities on Github, but the synopsis is that two attacks rely on sending “excessively long WiFi data via Bluetooth to trigger a memory overflow” that makes the camera crash and then reboot. The third tricks the camera by making it temporarily disconnect and look to connect to another network.
This security flaw in Google Nest cams can be used to force vulnerable cameras go offline for approximately 60 to 90 seconds. This means that the camera’s recording to the cloud will be temporarily disabled – giving a tech-savvy burglar time to go about their nefarious business.
Doyle told the Register that the flaw hasn’t been patched, and points out that because you can’t turn off Bluetooth, you can’t protect yourself against it until the firmware is updated.
“There doesn’t seem to be any reason why [Nest] leaves Bluetooth on after setup unless they need it for future or current integrations,” said Doyle. “Some cameras like the Logitech Circle turn Bluetooth off after setting up WiFi.”
Nest Labs has confirmed there’s no fix for the issue yet, but one is coming soon.