Google Nest Security Cam Bugs Allow Device Takeover

google nest device takeover

Eight vulnerabilities would allow a range of attacker activities, including taking the Nest camera offline, sniffing out network information and device hijacking.

Multiple vulnerabilities in Google’s Nest Cam IQ connected indoor security camera would allow an attacker on the same network to take over the device, execute code on it and/or take it offline.

Nest Labs’ Cam IQ Indoor integrates security-enhanced Linux in Android, Google Assistant and facial recognition all into a compact security camera, according to Cisco Talos, whose Lilith Wyatt and Claudio Bozzato discovered the bugs.

“It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan,” they explained in a Monday write-up. “Most of these vulnerabilities lie in the weave binary of the camera, however, there are some that also apply to the weave-tool binary.”

There are eight vulnerabilities total; three of them are denial-of-service (DoS) bugs that an attacker could use to disable the camera; two would allow code execution; and the other three could be used for information disclosure.

The most severe (with a 9.0 and 8.2 severity rating on the CVSS scale, respectively) are two of the information disclosure bugs, CVE-2019-5035 and CVE-2019-5040. The 9.0 bug is a Weave PASE pairing brute-force vulnerability in the device, which can be triggered by sending a set of specially crafted weave packets that can brute-force a pairing code, “resulting in greater Weave access and potentially full device control,” according to the researchers.

When initially setting up any Nest device, the owner typically looks for a QRcode or a six-digit/letter code somewhere on the device, which is then used as a shared secret for JPAKE authentication in the pairing process.

“Normally, due to the processing time required to do a single round of JPAKE authentication, the fact that JPAKE must be done online, and also the key space of six alphanumeric characters, it would be unreasonable to brute-force this process, even though there is no tracking of failed authentication attempts,” according to the advisory. However, the issue is that the code never changes, even if the device is rebooted – giving an attacker plenty of time to try different passcodes.

“While needing to communicate with a device for three to four weeks might be unreasonable for brute forcing, the pairing code will stay the same for a given device across reboots, and also, if the device is ever in a non-configured state when the code has been discovered, an attacker can emulate the pairing process and add the device to their own Nest account, granting full access,” explained Cisco Talos.

The other severe bug is an Openweave Weave DecodeMessageWithLength vulnerability.

“This vulnerability allows us to send a short packet and have whatever data was already there to be included into our packet, as the allocation and freeing of a PacketBuffer do not clear the data inside, which provides an attacker something to work with,” according to the advisory. “The quickest and most useful packet to send is the kMsgType_EchoRequest, as one can read out the last sent packet by any other party over any other connection (as TCP, UDP, Bluetooth and 6lowpan all share the same PacketBufferPool). Even more interesting is that, when dealing with encrypted communications (e.g. a PASE or CASE session), encrypted messages are actually encrypted and decrypted in the PacketBuffer itself, which would allow us to read data sent encrypted over the wire to a device (such as Fabric Configurations, Network Configurations or other sensitive information).”

The other flaws are rated 7.5 and below on the CVSS scale. These include a Weave legacy pairing vulnerability (CVE-2019-5034), the third flaw that could be used for information disclosure.

And as for DoS, these include a Weave TCP connection DoS bug (CVE-2019-5043), which Cisco said exists in the Weave daemon of the Nest Cam IQ Indoor, which can be triggered by simply connecting multiple times to the camera. Another is a Weave KeyError DoS vulnerability (CVE-2019-5036) that lies in the Weave error reporting functionality of the device (“A specially crafted weave packet can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service,” explained the researchers).

And the third DoS issue (CVE-2019-5037) is in the Weave certificate loading functionality of the camera. “A specially crafted weave packet can cause an integer overflow and an out-of-bounds read to occur on unmapped memory, resulting in a denial of service,” the researchers wrote. “An attacker can send a specially crafted packet to trigger this vulnerability.”

On the code-execution front, one bug (CVE-2019-5038) exists in the print-tlv command of Weave tool. “A specially crafted weave TLV can trigger a stack-based buffer overflow,” said Wyatt and Bozzato. “An attacker can trigger this vulnerability by convincing the user to open a specially crafted Weave command.”

And, the Openweave Weave ASN1Writer PutValue has a bug (CVE-2019-5039) in the ASN1 certificate writing functionality of Openweave-core, version 4.0.2.

“A specially crafted weave certificate can trigger a heap-based buffer overflow, resulting in code execution. An attacker can exploit this vulnerability by tricking the user into opening a specially crafted Weave,” the researchers wrote.

Version 4620002 of the Nest Labs IQ Indoor camera is affected by the bugs, according to Cisco Talos, which responsibly disclosed them to the vendor. Users are encouraged to apply the patch that Nest has rolled out.

Connected cameras are among the most widely deployed internet of things (IoT) devices out there, and bugs are not uncommon. In July for instance, a vulnerability in the consumer-grade Amcrest IP2M-841B IP home security video camera was found that would allow an attacker to remotely listen to the camera’s audio over the internet, without authentication. And earlier that month, two bugs in the Arlo Technologies’ wireless home video security cameras were found that allow a local attacker to take control of the device.

Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.

Suggested articles