Reports recently surfaced that Google was alerted to security holes in its IoT security camera products and declined to patch them. This was quite frightening for two reasons. First, the fix was apparently straightforward, and second, the hole was readily and easily available to burglars with even a modicum of tech savviness.
Meanwhile, eBay seems to be encouraging users to downgrade their security defenses by giving up the hardware tokens they use for two-factor authentication and relying on text messages instead. Yes, eBay suggested that users make themselves more vulnerable to identity thieves. With these two recent incidents, is it any wonder that IT is suspicious about whether major companies are taking security seriously?
Let’s start with the Google situation. At issue is a series of products marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor. The Boing Boing story linked above provided more details:
“Researcher Jason Boyle discovered that sending long wifi network names or passwords to cameras over their Bluetooth interfaces (which cannot be disabled) will cause them to reboot. It would be trivial for a home intruder to reboot all the cameras in a home before breaking in. More seriously, a camera that is passed a malformed wifi network name can be made to disconnect from its home wifi for 60-90 seconds. This time can be extended by feeding it a stream of malformed wifi names,” the story said. It added that another flaw “allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to. If that particular SSID does not exist, the camera drops its attempt to associate with it and return to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won’t be recording.”
To be fair, these attacks do require the burglar (or, for that matter, murderer or rapist) to engage in a bit of physical gymnastics. The attacker first needs to get close enough to the camera to reach it over Bluetooth; the workable distance varies with the device and the environment, and it can even differ between making the initial handshake and maintaining the connection. But these are security cameras, so the attacker must achieve this potentially very short distance while also staying out of the camera’s view. After all, if the attacker is filmed before initiating the connection, the point of this exercise may be lost.
This problem is hardly insurmountable. But it involves studying the camera beforehand to learn the proper angle and positioning needed to access Bluetooth without being seen.
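The two flaws quoted above both come down to a camera acting on unauthenticated Bluetooth input without checking it first. As an added example (not Nest firmware and not the researcher's code), here is a provisioning handler that rejects over-long SSIDs and passphrases and refuses to leave the current network for an SSID that is absent from the latest scan. All names (`handle_provision`, `wifi_cfg`, `scan_entry`) are hypothetical, and a WPA2 passphrase network is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32 /* IEEE 802.11: an SSID is at most 32 octets */
#define PSK_MIN 8   /* WPA2 passphrase: 8 to 63 printable ASCII characters */
#define PSK_MAX 63

enum prov_result { PROV_OK, PROV_BAD_SSID, PROV_BAD_PSK, PROV_NOT_VISIBLE };
struct wifi_cfg { unsigned char ssid[SSID_MAX]; size_t ssid_len; char psk[PSK_MAX + 1]; };
struct scan_entry { const unsigned char *ssid; size_t len; }; /* hypothetical scan result */

static bool ssid_visible(const struct scan_entry *scan, size_t n,
                         const unsigned char *ssid, size_t len) {
    for (size_t i = 0; i < n; i++)
        if (scan[i].len == len && memcmp(scan[i].ssid, ssid, len) == 0) return true;
    return false;
}

/* Validate the request before anything is copied or the radio is touched.
   *out is written only when the result is PROV_OK. */
enum prov_result handle_provision(const unsigned char *ssid, size_t ssid_len,
                                  const char *psk, size_t psk_len,
                                  const struct scan_entry *scan, size_t scan_n,
                                  struct wifi_cfg *out) {
    if (ssid == NULL || ssid_len == 0 || ssid_len > SSID_MAX) return PROV_BAD_SSID;
    if (psk == NULL || psk_len < PSK_MIN || psk_len > PSK_MAX) return PROV_BAD_PSK;
    for (size_t i = 0; i < psk_len; i++)
        if (psk[i] < 0x20 || psk[i] > 0x7e) return PROV_BAD_PSK;
    /* Stay on the current network unless the requested one is actually in range. */
    if (!ssid_visible(scan, scan_n, ssid, ssid_len)) return PROV_NOT_VISIBLE;
    memcpy(out->ssid, ssid, ssid_len);
    out->ssid_len = ssid_len;
    memcpy(out->psk, psk, psk_len);
    out->psk[psk_len] = '\0';
    return PROV_OK;
}

int main(void) {
    static const unsigned char home[] = "HomeNet"; /* constructed sample data */
    struct scan_entry scan[] = { { home, 7 } };
    unsigned char big[200];
    struct wifi_cfg cfg = {0};
    memset(big, 'A', sizeof big);
    printf("oversized SSID: %d\n", handle_provision(big, sizeof big, "correcthorse", 12, scan, 1, &cfg));
    printf("absent SSID:    %d\n", handle_provision((const unsigned char *)"NoSuchNet", 9, "correcthorse", 12, scan, 1, &cfg));
    printf("visible SSID:   %d\n", handle_provision(home, 7, "correcthorse", 12, scan, 1, &cfg));
    return 0;
}
```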