Nest cameras can be easily blacked out by Bluetooth burglars

Nest's Dropcam and Dropcam Pro security cameras can be wirelessly attacked via Bluetooth to crash and stop recording footage. This is perfect for burglars and other crooks who want to knock out the cams moments before robbing a joint. The three vulnerabilities are in camera firmware version 5.2.1, and no patch is publicly …

  1. Mark 85

    Not like we weren't ever expecting this thing to get hacked.... despite Google and Nest's "assurances" about security, blah, blah...

    And some wonder why we call this the IoS...?

    1. Planty Bronze badge
      FAIL

      You know this isn't hacked right? It's ddos...

      1. cb7

        Not quite

        "You know this isn't hacked right? It's ddos..."

        Close. I would have said DOS not DDOS. After all I see nothing that mentions anything about Distributed. Seems like all it takes is one source to kick it in the nuts...

    2. BillG
      Alert

      Nest is aware of this issue, developed a fix for it, and will roll it out to customers in the coming days.

      Translation: "We really couldn't be bothered until El Reg made this public".

      1. Anonymous Coward
        Anonymous Coward

        Matters not anyway.

        Again, a readily available and cheap Bluetooth jammer will suffice. No need to mess around with anything fancy. Just turn it on and away you go.

  2. Amos1

    I wonder where that version number came from

    Both of my Nest Outdoor cameras show a version of 214-610025 and my two DropCam Pro inside cameras show a version of 205-600052. His advisory says it affects all of them.

    The thermostat has used version numbering in a format similar to "5.2.1" but mine is 5.6-7 (not a typo).

    1. Rich 11

      Re: I wonder where that version number came from

      214-610025 ... 205-600052 ... 5.6-7

      That's fascinating. I'd like to learn more. Can you tell us your home address as well, please?

      1. Amos1

        Re: I wonder where that version number came from

        "214-610025 ... 205-600052 ... 5.6-7

        That's fascinating. I'd like to learn more. Can you tell us your home address as well, please?"

        Sure, I trust you know how to fix this, huh? Thanks for the offer! My address is:

        725 5th Ave

        New York

        NY

        10022

        Just tell the doorman you're here to see me about the security cameras.

        Thanks!

  3. Kevin McMurtrie Silver badge
    Facepalm

    In other news

    Cutting the small round cable to the house also disables cloud devices.

    1. Chloe Cresswell Silver badge

      Re: In other news

      Depends, do that to my house and you won't cut off cloud devices from their cloud..

      Not every internet connection is cable based?

      1. Adam JC

        Re: In other news

        I'm pretty sure by cutting the cable going to the unit and thus the power, it's irrelevant where your internet connection is based.

        1. The Man Who Fell To Earth Silver badge
          FAIL

          Re Adam JC: In other news

          Er, no. If you use a router from a good vendor, it will allow things like a cellular failover. If the router is also on a UPS, someone can cut all the cables they want and your network stays connected. Even cheap consumer grade routers from good router makers support this feature with "pay as you go" cellular. (e.g. Peplink Surf SOHO)

          1. DropBear

            Re: Re Adam JC: In other news

            So tell me - how many Nest cameras do you reckon are on cellular failover and backed by an UPS...? My quick, off-the-cuff estimate: Not A Single One.

            1. The Man Who Fell To Earth Silver badge
              FAIL

              Re: Re DropBear: In other news

              If the network owners knew enough to properly set up a resilient network, they would not own any Nests.

    2. Anonymous Coward
      Anonymous Coward

      Re: In other news

      My "small round cable" is buried underneath some paving slabs and about 50cm of hardcore, so to cut this would require a pickaxe and some hard graft.

      1. Zippy's Sausage Factory
        Joke

        Re: In other news

        My "small round cable" is buried underneath some paving slabs and about 50cm of hardcore, so to cut this would require a pickaxe and some hard graft.

        Challenge accepted, anyone?

        1. gv
          Boffin

          Re: In other news

          "Challenge accepted, anyone?"

          IT nerds doing physical labour?

      2. phuzz Silver badge

        Re: In other news

        The "small round cable" going into our house is pretty well buried, right up until it exits our property whereupon it just dangles down a wall right next to the pavement. I'm kind of surprised how long it's lasted without some drunk pulling it down.

    3. Anonymous Coward
      Anonymous Coward

      Re: In other news

      "Cutting the small round cable to the house also disables cloud devices"

      The first thing that some scroats did before breaking into my house was rip the cable off the wall. They weren't a sophisticated lot either. However the fact that the cable they ripped was the cable to an unused satellite dish and didn't touch the cable that actually operated the broadband showed they weren't the brightest bunch.

      Unfortunately I didn't have any cctv anyway so I couldn't catch them.

    4. Lee D Silver badge

      Re: In other news

      Which is why you use 3G/4G backup on your router, and why you use UPS on any device that you care about surviving a power outage. CCTV DVRs and cameras should be top of that list.

      (And is the Nest PoE-powered or mains? Even if it's mains (stupid), it's not difficult to ensure it runs on a protected circuit, but if it's PoE, you just need to UPS the switch).

      Anyone who cares about home/business security can spend £50 on the cheapest of UPS and buy a GSM alerting alarm/camera system (which is the only kind of thing I'd buy anyway... why would you want the alerts from your cameras - literally "someone has cut me off!" - not get sent over an independent connection to warn you personally?)

      Don't rely on ADT/Yale to come running. Don't rely on your phone line being up. Don't rely on your neighbours to see the burglars or respond to your alarm. Even the police barely respond unless there's proof of a robbery in active progress, just an alarm going off is useless and CCTV? "Yeah, if you can just search that for us and send us anything that's relevant" (I worked with the CCTV in schools for 15 years and have also provided evidence for 3 crimes for neighbour's burglaries etc. - they just don't have time to sit through even YOUR footage, they will ask you to provide it or not bother).

      My system is actually a proper system:

      - 30-day recording CCTV on all cameras, full res, none of this motion detection junk.

      - Wired cameras with blackout / cable-cut detection alerts (even putting a bit of chewing gum over the lens).

      - UPS-backed NVR.

      - Connection for alerts via email, GSM, etc.

      - Smartphone app on my phone, my girlfriend's phone.

      - Tablet app on an iPad in work, constantly showing all the cameras all day (just underneath my monitor. After a while, you ignore it all unless something happens, but because it's ALWAYS in line-of-sight you see everything you need to).

      - Home burglar alarm is wired internally and alerts via GSM messages with internal battery backup.

      Already proved useful in 3 police-reported crimes for my neighbours, numerous "neighbourly" disagreements ("If I catch your kids standing on top of my garden fence again, you're buying me a new one", "But they don't!", "1.28pm today, 12:12pm yesterday, would you like me to send you an MP4? Just because I'm not there doesn't mean I can't see it"), and no end of other minor disputes (my council weren't collecting my rubbish, then they claimed it was "contaminated", then they claimed that my bins were in the wrong place - ALL WRONG!, DHL parcel guy lobs fragile parcel over back-fence and then signs our signature... etc.), as well as my girlfriend "checking the cats were okay" every two seconds. It survives power-cuts (an hour at least, I think, but I've never had it out longer than that in 3 years), it survives cable-cutting, it survives people blocking or obscuring the cameras, and instantly raises enough alerts / suspicion that I'd be on my way home with a friendly call to the police on the way there (which, generally, should gee them up more than just "Oh, someone is burgling an empty house")..

      And, strangely, the closest we've come to a problem is the guy who burgled one neighbour, then came back the next week in the same car, drove past my house at 2mph looking intently at my house for a long time, then decided to burgle the other neighbour instead. I'm sure the cameras, infrared floods, hard-wired connections, bell-box, RFID alley gates, etc. had nothing to do with that....

      Ironically, all-in the system cost about £300 and a couple of days of cable-running. And you'd be hard pressed to find enough inside to walk out with worth more than that before I could do something, and it'd be much more tricky to do it untraceably.

      Hell, even the iPad at work isn't actually mine.

      1. Anonymous Coward
        Anonymous Coward

        Re: In other news

        > My system is actually a proper system:

        Lee, I hope you do not mind me saying, but you seem to live a rather sad life, with all that crime, neighbourly disagreements, snooping, and general worrying about small things.

        My house's front door stays unlocked even while I am away on month-long business trips and my neighbour's kids are quite welcome to play in my garden.

        My only complaint is that every time I plant something new outside, it only lasts until my gardener shows up--everything his mower can mow, will get mowed. I'm half expecting him to supplement his effort with a chainsaw one day and take care of my lemon trees. :-)

        1. Michael Thibault

          Re: In other news

          "every time I plant something new outside, it only lasts until my gardener shows up"

          Too large a value of "gardener", I think. BTW, I suggest keeping a counter running between yourself and your butcher.

          1. Anonymous Coward
            Anonymous Coward

            Re: In other news

            > Too large a value of "gardener", I think.

            Well, the grass is incredibly tidy!

      2. Dan White

        Re: In other news

        After forcing me to read through that marathon post, the least you could do is provide specs and model numbers!

  4. Phil Kingston

    "There doesn't seem to be any reason why [Nest] leaves Bluetooth on after setup unless they need it for future or current integrations"

    Well, if they turn Bluetooth off, how will Google know when you've returned home with your phone etc within Bluetooth range? Wouldn't want to miss the opportunity to slurp up that location data would they?

    1. Anonymous Coward Silver badge
      Alien

      Google will know because the phone will tell them. They don't need yet another sensor to get that info.

      It might however let them see which room you are in and thus work out whether to advertise a new TV, microwave or softer toilet paper.

  5. Richard Jones 1
    FAIL

    The NSA Front Door Feature

    Perhaps it is simply the NSA's/CSA's front door feature to allow 'permitted access' as required to confirm how daft users of these devices really are?

    This now pointless rubbish is not even IDIOTIC (Internet Direct Integration of Threats Including Chaos/Criminals) since Bluetooth is not an internet protocol.

  6. Adam 1

    > Nest deliberately designs its cameras to use internet-hosted storage for video, not local storage

    Wait, a *security* camera that is flummoxed by a lack of internet connection? Using cloud storage doesn't stop you including a cheap sd card as a rolling buffer.

    Oh and Google, October would be 90 days ago Shirley.

  7. Anonymous Coward
    Anonymous Coward

    Well, duh..

    ANY wireless camera or device can be blanked by the use of a cheap Chinese jammer - that's why professional systems are always cabled and the cable is monitored for disconnections.

    I would not trust anything wireless for security or protection.

    1. Korev Silver badge

      Re: Well, duh..

      Or "jammed" with a can of spray paint

      1. Anonymous Coward
        Anonymous Coward

        Re: Well, duh..

        Korev>>Or "jammed" with a can of spray paint

        There's a difference: Jamming isn't jamming if it sets off an alarm.

        1) camera is sprayed, hooded, etc --- motion detection alarm on the cam or monitor is triggered

        2) camera is disconnected or forced offline --- motion detection on cam is useless but monitor can still detect it, either with motion detect on incoming video, camera heartbeat failure, etc.

        3) camera video feed freezes --- this is the killer: if you can keep a camera quiet for the few seconds you need to walk in its field of vision, that is the ultimate failure.

        I'm unhappy using wireless except for non-security applications. Where security is concerned, you have to worry about smart people rather than dumb equipment. And however surprisingly dumb equipment (especially IoT stuff) can be, the cleverness of people can be still more surprising.

        I've even seen wireless security cameras on unprotected networks ("oh, I don't mind if anyone sees what's at my gate, as long as I can see it"). A little bit of research and radio hacking later and I phoned the guy up.

        Me: "Hi Jim, it's John; I called yesterday to discuss your security, cameras etc. I'm at the gate"

        Him: "*pause* Are you at the right house? I can't see you on my camera!"

        Me: "What's the weather like on that camera? Does it remind you of yesterday, at all?"

        Him: "You tricky bastard! Ok, looks like I need your advice after all. Come in"
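
The three failure cases listed in the comment above (lens covered, camera forced offline, feed frozen) can each be checked on the monitor side. The following is an added example, not part of the original post or of any vendor's code; the class name, thresholds and sample frames are assumptions constructed for illustration.

```python
import hashlib
from statistics import pvariance

HEARTBEAT_TIMEOUT = 5.0  # seconds without a frame before "offline" (assumed value)
FROZEN_RUN = 3           # identical consecutive frames before "frozen" (assumed value)
MIN_VARIANCE = 4.0       # pixel variance below this counts as "obscured" (assumed value)


class CameraWatchdog:
    """Monitor-side checks for one camera; frames are raw grayscale bytes."""

    def __init__(self):
        self.last_seen = None
        self.last_digest = None
        self.repeat_count = 0

    def on_frame(self, ts, frame):
        """Record a frame received at time ts and return a list of alerts."""
        alerts = []
        self.last_seen = ts
        # Case 1: a sprayed or hooded lens produces a near-uniform image.
        if not frame or pvariance(frame) < MIN_VARIANCE:
            alerts.append("obscured")
        # Case 3: sensor noise makes live frames differ, so exact repeats are suspect.
        digest = hashlib.sha256(frame).digest()
        if digest == self.last_digest:
            self.repeat_count += 1
        else:
            self.last_digest, self.repeat_count = digest, 1
        if self.repeat_count >= FROZEN_RUN:
            alerts.append("frozen")
        return alerts

    def on_tick(self, now):
        """Case 2: call periodically; reports a camera that stopped sending frames."""
        if self.last_seen is None or now - self.last_seen > HEARTBEAT_TIMEOUT:
            return ["offline"]
        return []


def run_demo():
    """Replay a constructed timeline and collect (time, alert) pairs."""
    def live(seed):
        # Constructed stand-in for a textured live image.
        return bytes((i * 37 + seed * 11) % 256 for i in range(64))
    dark = bytes([2] * 64)  # constructed covered-lens frame
    stuck = live(99)        # constructed frame delivered repeatedly
    wd, out = CameraWatchdog(), []
    timeline = [(0, live(1)), (1, live(2)), (2, dark),
                (3, stuck), (4, stuck), (5, stuck)]
    for ts, frame in timeline:
        out += [(ts, alert) for alert in wd.on_frame(ts, frame)]
    out += [(12, alert) for alert in wd.on_tick(12)]  # nothing received since t=5
    return out


if __name__ == "__main__":
    print(run_demo())
```

The frozen-feed check only catches byte-identical frames; footage replayed from an earlier recording would need a freshness signal such as an authenticated timestamp from the camera.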

    2. Anonymous Coward
      Anonymous Coward

      Re: Well, duh..

      You find me a 5.8GHz jammer please.

      1. Kiwi
        Boffin

        Re: Well, duh..

        You find me a 5.8GHz jammer please.

        Just to throw something completely ridiculous out there.... I don't know about NEST but I know several other "security"[cough] cameras work over normal WIFI.

        Now.. If I was to bring in a few laptops/RPi's etc, park close enough to your house and have these all talking on the same channel as your system is using (assuming it's manually set rather than automatic), would it actually be possible to effectively jam things that way? If the target is valuable enough, it could be a worthwhile attack? (Though one would hope if they're worth the effort they'd also have the brains not to rely on wireless cameras!)

        Just some midnight weirdness. Don't mind me.

  8. Drone Pilot

    Clip the phone/cable line? Same result

    The old days are back. If you want to stop them recording you can simply clip the phone line or cable line and smile for the now-failing camera.

    If this is a wifi security device can you just flood deauth packets and boot it off?

  9. Anonymous Coward
    Facepalm

    The vulnerabilities are in camera firmware

    No they're not, the vulnerabilities are caused by the design decision of using a radio link that can be so easily jammed. Why weren't these vulnerabilities picked up at the security review - they did actually conduct a security review on the security product?

    1. Anonymous Coward
      Anonymous Coward

      Re: The vulnerabilities are in camera firmware

      > Why weren't these vulnerabilities picked up at the security review - they did actually conduct a security review on the security product?

      It is a consumer grade product, after all. If your security needs are more than casual, or if you need higher reliability, then you won't be (or at the very least, shouldn't be) using Nest services.

    2. dmitry@cybeats.com

      Re: The vulnerabilities are in camera firmware

      The problem exists for most IoT devices. Nest is actually doing a good job when it comes to firmware updates and patching; others either ignore it or are not aware of the issues until it's too late.

  10. Badvok

    Erm ...

    One thing that should perhaps be noted is that Nest cameras send a continuous stream of live images to the cloud and notify the owner as soon as connection is lost with an image of what the cam last saw (and the video to that point can also be reviewed).

    So unless the camera is approachable unseen to within bluetooth/jammer range or the internet wires/cables are out of sight it is likely the miscreant has already been snapped and the evidence safely stored out of reach.

  11. Anonymous Coward
    Anonymous Coward

    just a bit of attention seeking

    All forms of wireless communication can be jammed, so there is no point in discussing esoteric vulnerabilities. If you are using a wireless security device, you have no security, period.

  12. Mickey Porkpies

    bypassing CCTV is easy

    use a laser pointer or adopt anti surveillance technique

    https://www.youtube.com/watch?v=Dss_9FmCqtg

    1. Lee D Silver badge

      Re: bypassing CCTV is easy

      Bypassing it is easy.

      Doing it without arousing suspicion is hard.

      Most CCTV systems have an "image obscured / power fail" alert that detects when a camera is obscured, damaged or disconnected and alerts people.

      And such alerts - because they NEVER happen - generate much more suspicion than anything else. Hell, you can even have it set off the house alarm when that happens if you like, it's that rare.

  13. Anonymous Coward
    Anonymous Coward

    I'm amazed that the camera doesn't have a buffer on-board to cover short periods of no internet access, even a 256Mb chip would help

  14. Jonathan 27

    I prefer to do my security the traditional way, by making my place look shabby from the outside and buying insurance.

    1. Anonymous Coward
      Anonymous Coward

      > I prefer to do my security the traditional way, by making my place look shabby from the outside

      And I do security in depth, by making it look shabby from the inside too.

  15. patrickburns

    A better type of 2FA would help solve this

    One approach uses low power LAN or WAN technology http://bit.ly/iotkillswitch

    This won't be the last camera to be attacked ...

  16. dmitry@cybeats.com

    IoT device security

    I would ask the question: why is Nest using Bluetooth in their devices? And the answer is pretty straightforward: user experience. The major reason for having this feature is easy, straightforward first-time setup of the device. This is the secret sauce that makes Nest devices so successful and popular. The next question: is this the most efficient approach, taken also by other IoT manufacturers to improve their user experience of the first setup?

    The answer is yes, many IoT manufacturers copied the success story from Nest. And they have no less production capacity than Nest. However, unlike Nest, many of them are not even aware that they now have such a problem, and they don't have a way to solve it seamlessly for the user by updating the firmware over the air.

    I'm a founder of the IoT cyber protection startup Cybeats and we have a goal to protect the customers of IoT companies by protecting their products.

    Our company creates the solution for any IoT vendor and manufacturer so that once such a vulnerability (a zero day, in the professional jargon) is discovered, a company like Nest is alerted and has the proper way to mitigate the problem by pushing out the firmware that resolves it.

    If you are interested in reading more about the security problems modern IoT is imposing on us as consumers and how manufacturers are supposed to solve them, you are welcome to visit our website https://www.cybeats.com
