Web application security specialists report several vulnerabilities in Google Nest Cam home security cameras that, if exploited, could allow a hacker to take control of the device, execute arbitrary code and even knock it offline, provided the attacker is connected to the same network as the camera.
The camera integrates various services and platforms, including the Android operating system, Google Assistant and facial recognition technology. Lilith Wyatt and Claudio Bozzato of Cisco Talos conducted the investigation.
In their report, the web application security specialists note that these devices use the Weave protocol for initial configuration and for communications over TCP, Bluetooth and UDP. “Almost all flaws are found in the camera binary”, the experts added. In total, eight vulnerabilities were found: three denial-of-service flaws, considered critical, that attackers could exploit to disable cameras; two code execution flaws; and three information disclosure flaws.
The two most severe flaws, identified as CVE-2019-5035 and CVE-2019-5040, are information disclosure vulnerabilities that can be triggered by sending specially crafted packets to brute-force the pairing code, completely compromising the device. They received scores of 9.0 and 8.2 on the Common Vulnerability Scoring System (CVSS) scale.
According to web application security experts, when first setting up a Nest device, users locate a QR code or six-digit key printed on the device; this key is used as the shared secret for J-PAKE authentication during the pairing process. “The point is that these codes never change, even when rebooting the device; this gives the threat actors enough time to apply brute force and get access,” the specialists say.
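As an added illustration, not code from the Cisco Talos report or from Nest, the C below shows the kind of device-side throttling that blunts brute force against a fixed six-digit pairing code: a small guard that permits a few free attempts and then imposes a lockout that doubles with each further failure. The guard structure, the thresholds, the result codes and the one-guess-per-second measurement are all constructed assumptions for this example; the actual code comparison (J-PAKE on the real device) is abstracted into a boolean.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical pairing-attempt guard (constructed for this example; not Nest's
 * or Weave's code). It tracks consecutive failures and locks pairing out for a
 * growing interval once a small number of free attempts is used up. */
typedef struct {
    unsigned failures;     /* consecutive failed pairing attempts */
    uint64_t locked_until; /* seconds; 0 means not locked */
} pairing_guard_t;

enum { PAIR_OK = 0, PAIR_WRONG_CODE = 1, PAIR_LOCKED = 2 };

#define FREE_ATTEMPTS  3     /* failures tolerated before the first lockout */
#define BASE_LOCK_SECS 30    /* first lockout length */
#define MAX_LOCK_SECS  3600  /* lockout cap */

/* Lockout length for a given failure count: doubles per extra failure, capped. */
static uint64_t lock_duration(unsigned failures)
{
    unsigned extra = failures - FREE_ATTEMPTS; /* caller guarantees failures >= FREE_ATTEMPTS */
    uint64_t d = BASE_LOCK_SECS;
    while (extra-- > 0 && d < MAX_LOCK_SECS)
        d *= 2;
    return d > MAX_LOCK_SECS ? MAX_LOCK_SECS : d;
}

/* One pairing attempt at time `now`. `code_matches` is the outcome of the real
 * code comparison (J-PAKE in the device's case; abstracted away here). */
int pairing_attempt(pairing_guard_t *g, uint64_t now, bool code_matches)
{
    if (g->locked_until != 0 && now < g->locked_until)
        return PAIR_LOCKED;                 /* still locked: reject without comparing */
    if (code_matches) {
        g->failures = 0;                    /* a correct code clears the failure state */
        g->locked_until = 0;
        return PAIR_OK;
    }
    g->failures++;
    if (g->failures >= FREE_ATTEMPTS)
        g->locked_until = now + lock_duration(g->failures);
    return PAIR_WRONG_CODE;
}

/* Constructed measurement: how many wrong guesses a guesser trying once per
 * second actually gets evaluated within `window_secs` under this guard. */
uint64_t guesses_evaluated(uint64_t window_secs)
{
    pairing_guard_t g = {0, 0};
    uint64_t evaluated = 0;
    for (uint64_t t = 0; t < window_secs; t++)
        if (pairing_attempt(&g, t, false) == PAIR_WRONG_CODE)
            evaluated++;
    return evaluated;
}

/* Two wrong codes followed by the right one: the legitimate user is not punished. */
int failures_after_success(void)
{
    pairing_guard_t g = {0, 0};
    pairing_attempt(&g, 0, false);
    pairing_attempt(&g, 1, false);
    if (pairing_attempt(&g, 2, true) != PAIR_OK)
        return -1;
    return (int)g.failures;
}

int main(void)
{
    printf("wrong guesses evaluated in one hour: %llu (vs 3600 unthrottled)\n",
           (unsigned long long)guesses_evaluated(3600));
    printf("failures after a successful pairing: %d\n", failures_after_success());
    return 0;
}
```

A fixed code drawn from one million possibilities can be exhausted in under two weeks by an unthrottled guesser at one attempt per second; under the guard above only nine wrong guesses are evaluated in the first hour, and the lockout keeps growing until it hits the cap. Rotating the code on reboot, which the quoted researchers point out does not happen, is the complementary fix on the device side.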
All other vulnerabilities received CVSS scores of 7.5 or lower. These include a Weave pairing flaw that could leak sensitive information, identified as CVE-2019-5034.
The main DoS vulnerability (CVE-2019-5037) is triggered by sending a specially crafted packet that causes an integer overflow and an out-of-bounds read of unallocated memory, resulting in a denial of service condition.
On the other hand, CVE-2019-5038 is a code execution flaw in the print-tlv command of the Weave tool that can trigger a buffer overflow; “The vulnerability can be exploited by tricking the user into executing the specially designed command,” the experts said.
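Both CVE-2019-5037 (an integer overflow leading to an out-of-bounds read) and the print-tlv buffer overflow are cases of length handling in tag/length/value messages going wrong. As an added illustration, not code from the Talos report, from Nest or from the Weave tool, the C below bounds-checks a constructed TLV record two ways: a check that adds the declared length to the current offset in 32-bit arithmetic, which wraps and lets an oversized record through, and a check that compares the declared length against the bytes actually remaining. The record layout, the sample bytes and the function names are constructed for this example, and the example stops at the accept/reject decision; it never reads memory out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed record layout for this example (not the real Weave TLV encoding):
 *   byte 0     : tag
 *   bytes 1..4 : value length, little-endian uint32
 *   bytes 5..  : value */
#define HDR_LEN 5u

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE pattern: `off + HDR_LEN + len` is computed in uint32_t, so a
 * declared length near UINT32_MAX wraps to a small number and the check passes.
 * A parser that then trusts *val_len reads far past the buffer (this example
 * only returns the verdict). Returns the offset just past the record if
 * accepted, -1 if rejected. */
long tlv_check_vuln(const uint8_t *buf, uint32_t buf_len, uint32_t off, uint32_t *val_len)
{
    if (off + HDR_LEN > buf_len)
        return -1;
    uint32_t len = rd32le(buf + off + 1);
    uint32_t end = off + HDR_LEN + len;   /* BUG: can wrap around */
    if (end > buf_len)
        return -1;                        /* a wrapped `end` sails through here */
    *val_len = len;
    return (long)end;
}

/* HARDENED: never add an untrusted length; compare it against what remains. */
long tlv_check_fixed(const uint8_t *buf, uint32_t buf_len, uint32_t off, uint32_t *val_len)
{
    if (off > buf_len || buf_len - off < HDR_LEN)
        return -1;                        /* header itself does not fit */
    uint32_t len = rd32le(buf + off + 1);
    uint32_t remaining = buf_len - off - HDR_LEN;
    if (len > remaining)
        return -1;                        /* oversized length rejected; no wrap possible */
    *val_len = len;
    return (long)(off + HDR_LEN + len);   /* cannot overflow: bounded by buf_len */
}

/* Constructed 8-byte sample: tag 0x01, caller-chosen declared length, 3 value bytes. */
static void build_record(uint8_t out[8], uint32_t declared_len)
{
    out[0] = 0x01;
    out[1] = (uint8_t)declared_len;
    out[2] = (uint8_t)(declared_len >> 8);
    out[3] = (uint8_t)(declared_len >> 16);
    out[4] = (uint8_t)(declared_len >> 24);
    out[5] = 'a'; out[6] = 'b'; out[7] = 'c';
}

long verdict_valid_record(void)   /* honest length 3: accepted, end offset 8 */
{
    uint8_t b[8]; uint32_t n;
    build_record(b, 3);
    return tlv_check_fixed(b, sizeof b, 0, &n);
}

long verdict_vuln_on_wrapping_length(void)   /* length 0xFFFFFFFF wraps end to 4: accepted */
{
    uint8_t b[8]; uint32_t n;
    build_record(b, 0xFFFFFFFFu);
    return tlv_check_vuln(b, sizeof b, 0, &n);
}

long verdict_fixed_on_wrapping_length(void)  /* same record: rejected */
{
    uint8_t b[8]; uint32_t n;
    build_record(b, 0xFFFFFFFFu);
    return tlv_check_fixed(b, sizeof b, 0, &n);
}

int main(void)
{
    printf("valid record, fixed check:    %ld\n", verdict_valid_record());
    printf("wrapping length, vuln check:  %ld\n", verdict_vuln_on_wrapping_length());
    printf("wrapping length, fixed check: %ld\n", verdict_fixed_on_wrapping_length());
    return 0;
}
```

The hardened form is the general rule rather than a fix for this one layout: subtract the consumed offset from the known buffer size first, then compare the untrusted length against that remainder, so no arithmetic on attacker-controlled values can wrap.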
According to the web application security specialists of the International Institute of Cyber Security (IICS), the affected device is the Nest Labs IQ Indoor camera version 4620002; users are encouraged to verify that the patches released by the company are installed. Security cameras of this kind are among the most secure Internet of Things (IoT) devices. Just a few weeks ago a flaw was discovered in an Amcrest security camera that allowed hackers to remotely listen to the camera's audio without authentication.