
Triple Flaw in Nest's Dropcam - wglb
https://www.bitdefender.com/box/blog/iot-news/triple-flaw-nests-dropcam-opens-door-burglars/?cid=soc%7Cbox%7Cfb%7CBlog
======
mancerayder
_The first vulnerability involves using the camera’s Bluetooth Low Energy
(BLE) – always on by default – and pinging Wi-Fi SSID with a really long
parameter. This causes a buffer overflow in the camera and prompts the device
to crash and reboot. The second vulnerability also involves a buffer overflow
crash, but this time caused by an overly long Wi-Fi password._

If a burglar can do that, he can definitely make better money elsewhere. His
burgling career can officially be retired.

_Because the smart camera has no offline footage storage capabilities, this
attack would give a burglar a window of opportunity to sneak into the house.
Considering the attack could be repeated indefinitely, the burglar would have
a lot more than 90 seconds to move about the house, without fear of being
recorded._

Technical aspects aside, the scenarios painted in the article are almost
comically far-fetched. In 2017, a spy scenario might even be less so.

~~~
mancerayder
I don't know what burglar fantasy-land you folks are familiar with, but in my
part of the concrete woods, burglars are known for their prowess. Their
dexterity. The ability to put fear aside.

Their technical experience, perhaps less so. How many could pass a red-black
tree traversal whiteboard interview?

The day these attributes are combined with an understanding of buffer
overflow exploits will be a scary day indeed.

~~~
pikzen
It only takes one person to automate this process for everyone to use. Nobody
expects burglars to manually write the exploit. Running a single thing from
your phone? Much easier.

~~~
mancerayder
BurglarPro 1.1, now available from the Play Store. Modules available for
front cam common buff overflow exploits, more. See testimonials for yourself
and any positive feedback appreciated.

~~~
tomc1985
s/Play Store/underground carding forum/i and you're pretty much correct

------
caleblloyd
Guess what, the burglar could also cut the cable line coming into the house to
completely disable the internet. Works on every DIY camera with no local
storage that only uses home networking.

~~~
xbryanx
Aren't most of those cables either buried in the ground, or 12 feet up in the
air?

~~~
gregmac
And almost all of them actually enter the house at ground level, often
entering the basement around the same place as the main power line does.

~~~
jcrawfordor
Whether it's overhead or underground depends on the house. Usually overhead in
older neighborhoods and underground in newer ones.

Telephone lines almost always have an externally accessible demarcation box at
ground level (usually a little grey one that says "telephone wiring" on it),
making them very easy for a crook to cut. Cable varies a lot, though. It's
common for cable to be retrofit into older construction in such a way that the
lines are externally accessible, but in newer houses it may have been
installed at construction time and well hidden. The cable
splitter/distribution amplifier is often in the basement or elsewhere in the
house, but is sometimes also installed on the exterior, basically depending on
what was easiest for the installer.

So basically, there's almost no common standard for cable. You'll just have to
look around. Sometimes the incoming line is lazily run along a fence,
sometimes it's buried and all house wiring is internal.

------
timdierks
Nest cameras work over WiFi (as far as I know). Presumably you can defeat them
with a spark gap or a microwave you've jimmied to run with the door open.
Vulnerabilities against technical hackers sending hand-crafted artisanal
Bluetooth packets are laughably irrelevant.

~~~
angry_octet
A spark gap (aka noise jammer) is laughably broad and would also cause
interference with everyone in the neighbourhood. But a frequency selective
Wifi noise jammer is very effective, especially if aimed at the base station
with a directional antenna.

I wouldn't recommend disassembling a microwave oven to get at its magnetron,
because you will probably electrocute yourself at best, and if you manage to
turn it on (e.g. by jamming the door closed sensors), literally cooking your
eyeballs.

~~~
bigiain
I have a cheapo Chinese 2.4GHz video transmitter which quite effectively jams
2.4GHz wifi for hundreds of feet in every direction (as my neighbours let me
know...)

I've got a friend who claims you can force a DJI drone to autoland from well
over 1km with some microwave oven guts duct taped to a satellite tv dish.

~~~
derefr
> with some microwave oven guts duct taped to a satellite tv dish

The word you're looking for is "maser."

~~~
adrianratnapala
I think microwave ovens usually use magnetrons rather than masers:
[https://en.wikipedia.org/wiki/Cavity_magnetron](https://en.wikipedia.org/wiki/Cavity_magnetron)

It's true though that both of them are coherent microwave sources. And the
magnetron is arguably more "laser-like" than a maser.

------
TazeTSchnitzel
> “the smart camera has no offline footage storage capabilities”

How on earth did this get approved to go to market? A security camera that
can't record when the internet goes down!

~~~
762236
Perhaps because it would become a significantly more expensive product?

~~~
srssays
You can store hours of video on an SD card.

~~~
gnicholas
yep, and although thieves could steal the SD cards, it wouldn't be hard for
Google to make the system redundant, so that if the internet goes down, each
cam sends its motion-activated footage to all the other local cams, for
storage on the SD cards. That way, the thieves have to physically access all
of the cameras in order to remove the SD cards.

------
intern4tional
IMO only the last of the three flaws is something that would be practically
exploitable by a burglar. The rest, while poor coding practices that do
illustrate some flaws with the system, are not something a burglar is likely
to exploit.

This is a FUD-causing article.

------
coldcode
The first two are simply embarrassing. Google paid 3 Billion for this stuff?
Does anyone do QA any more? Especially for a device you use for a security
purpose, you'd think bugs like this would be not only found, but designed to
not happen in the first place.

~~~
stevenwoo
I live near the Nest main office on Foothill Expressway. There used to be a
significant amount of cars there on the weekends. That is no longer true.

~~~
tblair
I know you're implying that they don't care anymore, but I think over-working
leads to fatigue and rush jobs/corner cutting, which is a great way to end up
with security flaws.

------
evan_
Someone should package this exploit in an iPhone app and market it as an anti-
peeping product for Airbnb customers.

------
Thriptic
Does anyone have recommendations for IP cameras that (in theory) are
relatively secure?

~~~
kawsper
I bought a Ubiquiti Micro[0] camera, and set up a local server that runs their
NVR software, that saves the recordings and controls the cameras. It was
important to me not to get a cloud enabled camera.

Sadly they are out of stock most places, but a new version has been rumoured.

[0] [https://www.ubnt.com/unifi-video/unifi-video-camera-micro/](https://www.ubnt.com/unifi-video/unifi-video-camera-micro/)

~~~
Johnny555
I can second the Unifi cameras if you don't mind setting up a server to
monitor them. I'm using their outdoor cameras to watch my front/back doors at
home, and I have about a dozen of the dome cameras at work. The NVR software
has been working flawlessly in both places.

I was less impressed with the image quality of the Micro camera; it's
adequate, but the Nest cam is better.

------
greedo
And in a follow up article, it was discovered that burglars could disable a
Nest Cam by using an aerosol deployed enamel compound that occluded its lens.
Press officials for Rustoleum were unavailable for comment.

------
iampims
Leaving a Bluetooth service available, visible and unauthenticated seems to be
the crux of the issue.

------
kartan
These kinds of cameras are just to scare non-sophisticated burglars. Alarm
systems work on the premise that burglars will decide to choose another target
as the "protected" one is slightly more inconvenient to rob. It is really hard
to stop a highly motivated thief.

That doesn't justify the camera flaws, though.

~~~
bbcbasic
Yes, it's a pretty sophisticated burglar that jams wifi and Bluetooth.

~~~
seanp2k2
Or cuts the power / cable line with the same bolt cutters they use to cut
locks.

~~~
heartbreak
I'd encourage any burglar who wants to cut my mains with bolt cutters to do so
at any time.

------
TACIXAT
Is the main use case for these security? I've been considering getting some. I
mainly want to watch my dogs and see how they're doing when I'm out. My dogs
can't buffer overflow so I think I'm still OK to purchase.

------
27182818284
>buffer overflow in the camera

I'm pretty ignorant in the embedded/hardware area of tech, but I would have
guessed by now C or other buffer-overrun-prone languages would have been
replaced by the majority of companies making new-ish products. Is something
like managed C# not an option still despite hardware gains? Or, I keep hearing
about Rust on Hacker News as a possible fix to this. Is it a problem with the
education pipeline, like students learn that devices like this need C so they
code C for them out of school?

~~~
pjmlp
Pascal, Ada, Oberon, Basic compilers have existed for micro-controllers for
decades.

Even C++ would be a better option, given its improved type safety over plain
C.

However, the culture in the embedded systems industry makes it very hard to use
anything else besides Assembly and C.

As an example, I recently saw talks saying that some BMW and Sony units are only
now, in 2017, moving away from C into C++11.

~~~
DrScump
Couldn't one use an alternate malloc() library that enforces boundaries?

~~~
pjmlp
No, because of the way pointers work in C.

You need compiler support for generating bound checked instructions, and
additionally processor support like the Intel MPX or Sparc v8 tagged
instructions.
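
As an added example, not the Dropcam firmware (which is not public) and not code from anyone in this thread, here is the defensive pattern pjmlp's answer points at: the SSID and passphrase the article mentions land in fixed-size arrays inside a struct, where no malloc() replacement can see the bounds, so the copy routine itself must validate the peer-supplied lengths. The struct layout and the `set_wifi_creds` name are assumptions; the 32-octet SSID and 8..63-character WPA2 passphrase limits are the 802.11 ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 limits: an SSID is at most 32 octets and a WPA2 passphrase is
 * 8..63 characters.  These bounds come from the standards; the Dropcam
 * firmware's own layout is not public, so the struct below is hypothetical. */
#define SSID_MAX 32
#define PSK_MIN   8
#define PSK_MAX  63

struct wifi_creds {
    uint8_t ssid[SSID_MAX + 1];  /* fixed array inside the struct, NUL-terminated */
    uint8_t ssid_len;
    char    psk[PSK_MAX + 1];
};

/* Copies peer-supplied SSID and passphrase into fixed-size fields.
 * Returns 0 on success, -1 if either value would overflow its array.
 * A bounds-checking malloc() cannot help here: the arrays live inside
 * the struct (or on the stack), and a pointer to them carries no length,
 * so the only defence is validating the lengths before the copy. */
int set_wifi_creds(struct wifi_creds *out,
                   const uint8_t *ssid, size_t ssid_len,
                   const char *psk, size_t psk_len)
{
    if (ssid_len == 0 || ssid_len > SSID_MAX) return -1;
    if (psk_len < PSK_MIN || psk_len > PSK_MAX) return -1;
    memcpy(out->ssid, ssid, ssid_len);
    out->ssid[ssid_len] = '\0';
    out->ssid_len = (uint8_t)ssid_len;
    memcpy(out->psk, psk, psk_len);
    out->psk[psk_len] = '\0';
    return 0;
}

/* The unsafe pattern the thread describes is a strcpy-style copy that trusts
 * the sender's length, e.g. strcpy((char *)out->ssid, ssid); it is deliberately
 * not compiled here, since an oversize SSID would be the crash being discussed. */

int main(void)
{
    struct wifi_creds c;
    uint8_t long_ssid[100];
    memset(long_ssid, 'A', sizeof long_ssid);  /* constructed oversize SSID */
    printf("normal SSID:   %d\n", set_wifi_creds(&c, (const uint8_t *)"HomeWiFi", 8, "correct horse", 13));
    printf("oversize SSID: %d\n", set_wifi_creds(&c, long_ssid, sizeof long_ssid, "correct horse", 13));
    return 0;
}
```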

------
xutopia
Am I really supposed to be scared of a burglar who has the skills to hack a
security system though? If he has those skills maybe he can find a good paying
job easily enough.

~~~
detaro
You'd think that with malware also, and that has turned into a business model
by now: the people writing the code often are not the ones using it, selling
exploit kits instead. Even offering it as SaaS or subscriptions nowadays.

Not sure if disabling Nest cameras is interesting enough, but there could be a
black-market business somewhere in interrupting IoT devices. (E.g. sell an
android phone preloaded with an app to unlock remote controlled locks)

~~~
closeparen
Yep. I remember reading that sophisticated car remote entry hacks were
encapsulated in little microcontroller-based push-and-go boxes and sold via
the criminal underworld to people who would actually be willing to take the
risk of using them.

------
mavhc
On the other hand, no one's remotely hacked the Nest Thermostat, so their own
code was fine; these are the dangers of acquiring code and then not auditing it.

Seeing as you could just jam all wifi anyway, not that great a problem.

~~~
tyingq
True, but this does show a buffer overflow, which is one path to get to a
remote hack. Well, remote as in wifi distance remote.

~~~
mavhc
But dropcam is a company they acquired, I'm guessing they didn't rewrite all
the software. The stuff they wrote themselves for the thermostat is apparently
more secure than at least 99% of things.

------
vogt
I own several dropcams but don't understand most of the language in this
article - are there any precautions I should be taking that I may not be
already?

~~~
ChuckMcM
Add some security cameras that do local storage.

Which is of course completely counter to the 'win' of cloud based video
storage. The bug is that a sophisticated burglar can cause your cameras to
stop recording.

~~~
pfarnsworth
Most burglars don't care about alarms or cameras. They wear a mask, go to the
back door between 11am and 3pm when most people are gone, kick it in, rummage
for anything for 3 mins and then run away. It's very low probability of
catching criminals with a simple workflow like this.

~~~
otterley
Does this statement come from statistics? If so, can you cite the study,
please?

~~~
Neliquat
No study, but this is a very common MO, if not the most common. This is not an
extraordinary claim that needs proof.

~~~
otterley
The claim was (emphasis mine):

" _Most_ burglars ... wear a mask, go to the back door between 11am and 3pm
when most people are gone, kick it in, rummage for anything for 3 mins and
then run away..."

Emphasis on the word "most" here. That implies a majority. If the author had
said "some" or "many," that would be uncontroversial. Here, however, the
author is making a specific quantitative/statistical claim, and it is that
that deserves proof.

------
patwolf
What amazes me is that the vulnerabilities have been known for many months yet
haven't been patched.

Maybe I shouldn't be too surprised. I bought a Dropcam two years ago before
Nest/Google acquired them. It worked fine for a while, but since being
acquired the app and reliability have gotten worse and worse to the point that
I no longer use it because it's too flaky. Based on that and everything else I
read about the company, it seems that they're severely mismanaged.

~~~
seanp2k2
Nest hasn't done anything significant since the smoke alarm. I'm really not
sure how their leadership maintains employment. They launched that in October
2013. What company can go for 3 1/2 years, 3 of those with Google money, and
do so little? There are tons of opportunities for them to launch e.g. a real
home security system with window sensors, locks, a 24x7 monitoring service,
more smart home devices / integrations...

The smoke alarm wasn't even a good idea. A smoke alarm is a device you hope to
never have to use. It's like making a smart fire extinguisher, or an AED with
Siri integration. Really unimpressed with Nest as a company.

~~~
tacomonstrous
My Nest smoke alarm actually justified its value a couple of weeks ago: We
were out in town when it let me know that there was CO in the house. We were
able to rush back and turn off the leaking gas stove before things got out of
hand.

I think the peace of mind that this now gives me is extremely valuable.

~~~
dawnerd
Interesting. I wonder if there are any connected valves that could auto shut off
gas to the house if the smoke or CO alarms go off?

------
eridius
I know this is the original title, but it's kind of misleading. I clicked this
article thinking that somehow the vulnerability literally opened your door to
burglars (e.g. if you have a smart door lock).

~~~
StavrosK
Yeah, less "opens the door" and more "stops the cameras from recording,
maybe".

~~~
mschuster91
If I were a burglar and saw Nest or other smart-home stuff in the
Bluetooth device list... well, here's someone who fancies technology and might
be worth a try.

To make stuff even better: forcing the Dropcam to disassociate with the
owner's wifi network and reassociate with my own? Take a RPi, a 3G dongle, a
battery pack and throw it into a nearby bush... perfect to stake out when the
home owners are not there, and thanks to the 3G connectivity no one will even
have to look around and arouse suspicion with neighbors.

~~~
kasey_junk
Actually if you were a burglar you'd likely be a teenager out for the thrills
or a drug addict and the most you'd do is see if anyone or a dog was home
before kicking in the door.

Burglary rates have cratered not because of security systems but because
people don't have things that are easy to trade for cash.

Unless it's jewelry, cash or guns it has virtually no value sold hot.

~~~
scurvy
Stolen documents are a goldmine to identity thieves.

~~~
tedunangst
What percentage of identity theft is the result of burgled documents?

~~~
scurvy
Not sure, but a stolen (some say given away by a disgruntled postal carrier) USPS
key was used to break into dozens of mailboxes in a very affluent zip code in
San Francisco (Nob Hill and Russian Hill).

It must have been very lucrative for the pair of thieves. Also scary that a
single key works across an entire zip code.