Several Google Nest internet-connected cameras contain unpatched bugs which could cause devices to crash and/or stop recording, raising concerns over home security.
The smart home brand has so far failed to patch the vulnerabilities despite being informed by researcher Jason Doyle at the end of October 2016, according to a GitHub post.
All three flaws affect version 5.2.1 of the Dropcam, Dropcam Pro, and Nest Cam Indoor/Outdoor models.
The first bug could allow a hacker to trigger a buffer overflow by setting an over-long Wi-Fi SSID parameter, forcing the device to crash and reboot.
The second also triggers a buffer overflow resulting in a crash and reboot, but this time if an attacker sets an over-long encrypted password parameter for the camera.
The third is possibly more serious as it forces the camera offline for 60-90 seconds.
It’s described as follows:
“It's possible to temporarily disconnect the camera from Wi-Fi by supplying it a new SSID to connect to. Local storage of video footage is not supported by these cameras so surveillance is temporarily disabled.”
Although the attackers must be within Bluetooth range to exploit all three flaws, the connectivity setting is always on – leaving homes potentially at risk if there are any tech-savvy burglars in the area.
Craig Young, security researcher at Tripwire, questioned why it had taken Google so long to fix the flaws.
“I am curious to see a detailed timeline of the correspondence this researcher had with Google and whether they went through the Google vulnerability submission process,” he explained.
“I have submitted quite a few bugs through Google’s bug bounty program including one in the DropCam (now Nest cam) and Google has always responded very swiftly with a fix and a bounty payment where applicable.”
A report from non-profit prpl Foundation last year found that smart home gadgets have now well and truly hit the mainstream, although a combination of insecure products and poor configuration by users is causing unnecessary risk.
It revealed that consumers are prepared to fork out if more secure kit were available on the market.
Some 60% of respondents said they think home owners should take control of securing their connected devices, and more than 40% said they’d generally prefer to pay more for more secure devices.