Nest cameras can be easily blacked out by Bluetooth burglars

Nest's Dropcam and Dropcam Pro security cameras can be wirelessly attacked via Bluetooth to crash and stop recording footage. This is perfect for burglars and other crooks who want to knock out the cams moments before robbing a joint. The three vulnerabilities are in camera firmware version 5.2.1, and no patch is publicly …

Silver badge

Not like we weren't ever expecting this thing to get hacked.... despite Google and Nest's "assurances" about security, blah, blah...

And some wonder why we call this the IoS...?

18
1
Bronze badge
FAIL

You know this isn't hacked right? It's ddos...

0
13
cb7

Not quite

"You know this isn't hacked right? It's ddos..."

Close. I would have said DOS not DDOS. After all I see nothing that mentions anything about Distributed. Seems like all it takes is one source to kick it in the nuts...

10
0
Silver badge
Alert

Nest is aware of this issue, developed a fix for it, and will roll it out to customers in the coming days.

Translation: "We really couldn't be bothered until El Reg made this public".

6
0

I wonder where that version number came from

Both of my Nest Outdoor cameras show a version of 214-610025 and my two DropCam Pro inside cameras show a version of 205-600052. His advisory says it affects all of them.

The thermostat has used version numbering in a format similar to "5.2.1" but mine is 5.6-7 (not a typo).

0
0
Silver badge

Re: I wonder where that version number came from

214-610025 ... 205-600052 ... 5.6-7

That's fascinating. I'd like to learn more. Can you tell us your home address as well, please?

3
0

Re: I wonder where that version number came from

"214-610025 ... 205-600052 ... 5.6-7

That's fascinating. I'd like to learn more. Can you tell us your home address as well, please?"

Sure, I trust you know how to fix this, huh? Thanks for the offer! My address is:

725 5th Ave

New York

NY

10022

Just tell the doorman you're here to see me about the security cameras.

Thanks!

11
0
Silver badge
Facepalm

In other news

Cutting the small round cable to the house also disables cloud devices.

26
1

Re: In other news

Depends, do that to my house and you won't cut off cloud devices from their cloud..

Not every internet connection is cable based?

1
0

Re: In other news

I'm pretty sure by cutting the cable going to the unit and thus the power, it's irrelevant where your internet connection is based.

1
0
Anonymous Coward

Re: In other news

My "small round cable" is buried underneath some paving slabs and about 50cm of hardcore, so to cut this would require a pickaxe and some hard graft.

1
0
Anonymous Coward

Re: In other news

"Cutting the small round cable to the house also disables cloud devices"

The first thing that some scroats did before breaking into my house was rip the cable off the wall. They weren't a sophisticated lot either. However the fact that the cable they ripped was the cable to an unused satellite dish and didn't touch the cable that actually operated the broadband showed they weren't the brightest bunch.

Unfortunately I didn't have any cctv anyway so I couldn't catch them.

2
1
Silver badge
FAIL

Re Adam JC: In other news

Er, no. If you use a router from a good vendor, it will allow things like a cellular failover. If the router is also on a UPS, someone can cut all the cables they want and your network stays connected. Even cheap consumer grade routers from good router makers support this feature with "pay as you go" cellular. (e.g. Peplink Surf SOHO)

3
0
Silver badge

Re: Re Adam JC: In other news

So tell me - how many Nest cameras do you reckon are on cellular failover and backed by an UPS...? My quick, off-the-cuff estimate: Not A Single One.

4
0
Silver badge
Joke

Re: In other news

My "small round cable" is buried underneath some paving slabs and about 50cm of hardcore, so to cut this would require a pickaxe and some hard graft.

Challenge accepted, anyone?

0
0
gv
Bronze badge
Boffin

Re: In other news

"Challenge accepted, anyone?"

IT nerds doing physical labour?

4
0
Silver badge

Re: In other news

The "small round cable" going into our house is pretty well buried, right up until it exits our property whereupon it just dangles down a wall right next to the pavement. I'm kind of surprised how long it's lasted without some drunk pulling it down.

0
0
Silver badge

Re: In other news

Which is why you use 3G/4G backup on your router, and why you use UPS on any device that you care about surviving a power outage. CCTV DVRs and cameras should be top of that list.

(And is the Nest PoE-powered or mains? Even if it's mains (stupid), it's not difficult to ensure it runs on a protected circuit, but if it's PoE, you just need to UPS the switch).

Anyone who cares about home/business security can spend £50 on the cheapest of UPS and buy a GSM alerting alarm/camera system (which is the only kind of thing I'd buy anyway... why would you want the alerts from your cameras - literally "someone has cut me off!" - not get sent over an independent connection to warn you personally?)

Don't rely on ADT/Yale to come running. Don't rely on your phone line being up. Don't rely on your neighbours to see the burglars or respond to your alarm. Even the police barely respond unless there's proof of a robbery in active progress, just an alarm going off is useless and CCTV? "Yeah, if you can just search that for us and send us anything that's relevant" (I worked with the CCTV in schools for 15 years and have also provided evidence for 3 crimes for neighbour's burglaries etc. - they just don't have time to sit through even YOUR footage, they will ask you to provide it or not bother).

My system is actually a proper system:

- 30-day recording CCTV on all cameras, full res, none of this motion detection junk.

- Wired cameras with blackout / cable-cut detection alerts (even putting a bit of chewing gum over the lens).

- UPS-backed NVR.

- Connection for alerts via email, GSM, etc.

- Smartphone app on my phone, my girlfriend's phone.

- Tablet app on an iPad in work, constantly showing all the cameras all day (just underneath my monitor. After a while, you ignore it all unless something happens, but because it's ALWAYS in line-of-sight you see everything you need to).

- Home burglar alarm is wired internally and alerts via GSM messages with internal battery backup.

Already proved useful in 3 police-reported crimes for my neighbours, numerous "neighbourly" disagreements ("If I catch your kids standing on top of my garden fence again, you're buying me a new one", "But they don't!", "1.28pm today, 12:12pm yesterday, would you like me to send you an MP4? Just because I'm not there doesn't mean I can't see it"), and no end of other minor disputes (my council weren't collecting my rubbish, then they claimed it was "contaminated", then they claimed that my bins were in the wrong place - ALL WRONG!, DHL parcel guy lobs fragile parcel over back-fence and then signs our signature... etc.), as well as my girlfriend "checking the cats were okay" every two seconds. It survives power-cuts (an hour at least, I think, but I've never had it out longer than that in 3 years), it survives cable-cutting, it survives people blocking or obscuring the cameras, and instantly raises enough alerts / suspicion that I'd be on my way home with a friendly call to the police on the way there (which, generally, should gee them up more than just "Oh, someone is burgling an empty house")..

And, strangely, the closest we've come to a problem is the guy who burgled one neighbour, then came back the next week in the same car, drove past my house at 2mph looking intently at my house for a long time, then decided to burgle the other neighbour instead. I'm sure the cameras, infrared floods, hard-wired connections, bell-box, RFID alley gates, etc. had nothing to do with that....

Ironically, all-in the system cost about £300 and a couple of days of cable-running. And you'd be hard pressed to find enough inside to walk out with worth more than that before I could do something, and it'd be much more tricky to do it untraceably.

Hell, even the iPad at work isn't actually mine.

2
3
Anonymous Coward

Re: In other news

> My system is actually a proper system:

Lee, I hope you do not mind me saying, but you seem to live a rather sad life, with all that crime, neighbourly disagreements, snooping, and general worrying about small things.

My house's front door stays unlocked even while I am away on month-long business trips and my neighbour's kids are quite welcome to play in my garden.

My only complaint is that every time I plant something new outside, it only lasts until my gardener shows up--everything his mower can mow, will get mowed. I'm half expecting him to supplement his effort with a chainsaw one day and take care of my lemon trees. :-)

1
0

Re: In other news

After forcing me to read through that marathon post, the least you could do is provide specs and model numbers!

3
0
Silver badge
FAIL

Re: Re DropBear: In other news

If the network owners knew enough to properly set up a resilient network, they would not own any Nests.

2
0
Bronze badge

Re: In other news

"every time I plant something new outside, it only lasts until my gardener shows up"

Too large a value of "gardener", I think. BTW, I suggest keeping a counter running between yourself and your butcher.

0
0
Anonymous Coward

Re: In other news

> Too large a value of "gardener", I think.

Well, the grass is incredibly tidy!

0
0
Bronze badge

"There doesn't seem to be any reason why [Nest] leaves Bluetooth on after setup unless they need it for future or current integrations"

Well, if they turn Bluetooth off, how will Google know when you've returned home with your phone etc within Bluetooth range? Wouldn't want to miss the opportunity to slurp up that location data would they?

5
1
Alien

Google will know because the phone will tell them. They don't need yet another sensor to get that info.

It might however let them see which room you are in and thus work out whether to advertise a new TV, microwave or softer toilet paper.

2
0
Silver badge
FAIL

The NSA Front Door Feature

Perhaps it is simply the NSA's/CSA's front door feature to allow 'permitted access' as required to confirm how daft users of these devices really are?

This now pointless rubbish is not even IDIOTIC (Internet Direct Integration of Threats Including Chaos/Criminals) since Bluetooth is not an internet protocol.

0
2
Silver badge

> Nest deliberately designs its cameras to use internet-hosted storage for video, not local storage

Wait, a *security* camera that is flummoxed by a lack of internet connection? Using cloud storage doesn't stop you including a cheap sd card as a rolling buffer.

Oh and Google, October would be 90 days ago Shirley.

9
0
Anonymous Coward

Well, duh..

ANY wireless camera or device can be blanked by the use of a cheap Chinese jammer - that's why professional systems are always cabled and the cable is monitored for disconnections.

I would not trust anything wireless for security or protection.

21
0
Bronze badge

Re: Well, duh..

Or "jammed" with a can of spray paint

3
0
Anonymous Coward

Re: Well, duh..

Korev>>Or "jammed" with a can of spray paint

There's a difference: Jamming isn't jamming if it sets off an alarm.

1) camera is sprayed, hooded, etc --- motion detection alarm on the cam or monitor is triggered

2) camera is disconnected or forced offline --- motion detection on cam is useless but monitor can still detect it, either with motion detect on incoming video, camera heartbeat failure, etc.

3) camera video feed freezes --- this is the killer: if you can keep a camera quiet for the few seconds you need to walk in its field of vision, that is the ultimate failure.

I'm unhappy using wireless except for non-security applications. Where security is concerned, you have to worry about smart people rather than dumb equipment. And however surprisingly dumb equipment (especially IoT stuff) can be, the cleverness of people can be still more surprising.

I've even seen wireless security cameras on unprotected networks ("oh, I don't mind if anyone sees what's at my gate, as long as I can see it"). A little bit of research and radio hacking later and I phoned the guy up.

Me: "Hi Jim, it's John; I called yesterday to discuss your security, cameras etc. I'm at the gate"

Him: "*pause* Are you at the right house? I can't see you on my camera!"

Me: "What's the weather like on that camera? Does it remind you of yesterday, at all?"

Him: "You tricky bastard! Ok, looks like I need your advice after all. Come in"

5
1
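
The three cases listed in the comment above (lens covered, camera offline, feed frozen), seen from the monitoring side. This is an added example, not part of the thread; the thresholds, function names and sample frames are assumptions constructed for illustration.

```python
import hashlib
from statistics import pvariance

# All thresholds are assumed values for this sketch, not taken from any product.
HEARTBEAT_TIMEOUT = 10.0  # seconds without a frame before the camera counts as offline
FREEZE_FRAMES = 3         # identical consecutive frames that count as a frozen feed
MIN_VARIANCE = 20.0       # pixel variance below this suggests a covered or sprayed lens


def classify(frames, now):
    """Classify a feed from (timestamp, grayscale pixel bytes) tuples, oldest first."""
    # Case 2: camera disconnected or forced offline -> heartbeat failure.
    if not frames or now - frames[-1][0] > HEARTBEAT_TIMEOUT:
        return "OFFLINE"
    # Case 3: frames keep arriving but never change. A live sensor always has
    # some noise, so byte-identical frames are suspicious. A replayed recording
    # has changing frames and is not caught by this check.
    recent = frames[-FREEZE_FRAMES:]
    digests = {hashlib.sha256(pixels).digest() for _, pixels in recent}
    if len(recent) == FREEZE_FRAMES and len(digests) == 1:
        return "FROZEN"
    # Case 1: lens sprayed or hooded -> nearly uniform image.
    if pvariance(frames[-1][1]) < MIN_VARIANCE:
        return "OBSCURED"
    return "OK"


def sample_frame(seed, spread):
    """Constructed 64-pixel test frame; 'spread' bounds the range of pixel values."""
    return bytes((seed * 31 + i * 17) % spread for i in range(64))


if __name__ == "__main__":
    live = [(t, sample_frame(t + 1, 200)) for t in range(3)]
    covered = [(t, sample_frame(t + 1, 4)) for t in range(3)]
    frozen = [(t, sample_frame(1, 200)) for t in range(3)]
    print(classify(live, now=3.0))      # normal scene
    print(classify(live, now=60.0))     # no frame for almost a minute
    print(classify(frozen, now=3.0))    # same frame three times in a row
    print(classify(covered, now=3.0))   # low-contrast frames with sensor noise
```
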
Silver badge

Re: Well, duh..

You find me a 5.8GHz jammer please.

0
0
Bronze badge
Boffin

Re: Well, duh..

You find me a 5.8GHz jammer please.

Just to throw something completely ridiculous out there.... I don't know about NEST but I know several other "security"[cough] cameras work over normal WIFI.

Now.. If I was to bring in a few laptops/RPi's etc, park close enough to your house and have these all talking on the same channel as your system is using (assuming it's manually set rather than automatic), would it actually be possible to effectively jam things that way? If the target is valuable enough, it could be a worthwhile attack? (Though one would hope if they're worth the effort they'd also have the brains not to rely on wireless cameras!)

Just some midnight weirdness. Don't mind me.

0
0

Clip the phone/cable line? Same result

The old days are back. If you want to stop them recording you can simply clip the phone line or cable line and smile for the now-failing camera.

If this is a wifi security device can you just flood deauth packets and boot it off?

1
1
Bronze badge
Facepalm

The vulnerabilities are in camera firmware

No they're not, the vulnerabilities are caused by the design decision of using a radio link that can be so easily jammed. Why weren't these vulnerabilities picked up at the security review - they did actually conduct a security review on the security product?

1
0
Anonymous Coward

Re: The vulnerabilities are in camera firmware

> Why weren't these vulnerabilities picked up at the security review - they did actually conduct a security review on the security product?

It is a consumer grade product, after all. If your security needs are more than casual, or if you need higher reliability, then you won't be (or at the very least, shouldn't be) using Nest services.

0
0

Erm ...

One thing that should perhaps be noted is that Nest cameras send a continuous stream of live images to the cloud and notify the owner as soon as connection is lost with an image of what the cam last saw (and the video to that point can also be reviewed).

So unless the camera is approachable unseen to within bluetooth/jammer range or the internet wires/cables are out of sight it is likely the miscreant has already been snapped and the evidence safely stored out of reach.

0
0
Anonymous Coward

just a bit of attention seeking

All forms of wireless communication can be jammed, so there is no point in discussing esoteric vulnerabilities. If you are using a wireless security device, you have no security, period.

1
1

bypassing CCTV is easy

use a laser pointer or adopt anti surveillance technique

https://www.youtube.com/watch?v=Dss_9FmCqtg

0
0
Silver badge

Re: bypassing CCTV is easy

Bypassing it is easy.

Doing it without arousing suspicion is hard.

Most CCTV systems have an "image obscured / power fail" alert that detects when a camera is obscured, damaged or disconnected and alerts people.

And such alerts - because they NEVER happen - generate much more suspicion than anything else. Hell, you can even have it set off the house alarm when that happens if you like, it's that rare.

1
0
Anonymous Coward

I'm amazed that the camera doesn't have a buffer on-board to cover short periods of no internet access, even a 256Mb chip would help

2
0

I prefer to do my security the traditional way, by making my place look shabby from the outside and buying insurance.

0
0
Anonymous Coward

> I prefer to do my security the traditional way, by making my place look shabby from the outside

And I do security in depth, by making it look shabby from the inside too.

0
0

A better type of 2FA would help solve this

One approach uses low power LAN or WAN technology http://bit.ly/iotkillswitch

This won't be the last camera to be attacked ...

0
0


Biting the hand that feeds IT © 1998–2017