By 
Well, this is just plain bad. Apparently, a security researcher named Jason Doyle discovered 3 different vulnerabilities in Nest’s firmware which makes it possible to knock the cameras offline for anywhere between 30 and 90 seconds.
The methods involve using Bluetooth to send problematic WiFi SSID names and passwords to the camera, passwords far longer than they can handle. This causes them to crash and reboot. Another issue allows you to go as far as forcing the device to try and connect to a new SSID, which — upon failure — causes a more lengthy downtime of about 90 seconds.
In any of these cases, the security hole isn’t in a hacker’s ability to view your footage, but a way to manipulate the cameras to initiate more nefarious actions such as breaking into the home undetected.
But that thought itself isn’t even the scariest thing about this whole story. The scariest of all is that Nest and Google knew all of this 5 months ago when they were privately reported through Google’s Vulnerability Rewards Program which pays people to help find security bugs. Google did acknowledge the bug and mentioned that an investigation was underway, but it was seemingly swept under the wrong as a non-integrated acquisition bug, valued at a meager $100 (or otherwise seen as unimportant compared to some of the stuff that you can get up to $20,000 for).
So, we’re not sure why it took Nest and Google so long, but the publication of this vulnerability has forced their hand and now a fix has appeared out of thin air for them to distribute within the coming days. It’s sad that it had to come this far, but now we know.
[via The Register]
Comments