Vulnerabilities in Google Nest Cam IQ can be used to hijack the camera, leak data

The indoor security device was subject to bugs which threatened user privacy.


The Google Nest Cam IQ Indoor camera contained a plethora of security vulnerabilities which could be used to hijack or disrupt the device.

On Monday, Lilith Wyatt and Claudio Bozzato from the Cisco Talos research team disclosed a set of major vulnerabilities in the Nest Cam IQ, one of the home security and Internet of Things (IoT) devices sold under Google's Nest brand.

Most of the newly disclosed flaws lie in the camera's implementation of the Weave protocol, tested on version 4620002 of the Nest Cam IQ Indoor firmware.

"It [Nest Cam IQ Indoor] primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth, and 6lowpan," the researchers said. "It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera."

There are eight vulnerabilities in total, including denial-of-service problems, code execution, and information leaks. 


The first vulnerability, CVE-2019-5043, is an exploitable denial-of-service bug in the Nest IQ's Weave daemon. An attacker who opens a set of TCP connections to the daemon can cause unrestricted resource allocation, crashing the service.

The second security flaw, CVE-2019-5034, is present in the Weave legacy pairing functionality. Specially crafted Weave packets can trigger an out-of-bounds read and subsequent information disclosure.

CVE-2019-5040 is another information leak disclosed by the research team. It lies in the Weave MessageLayer parsing of version 4.0.2 of Openweave-core: specially crafted packets can cause an integer overflow during parsing, which leads to information disclosure.
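The following is an added illustration of the bug class behind this kind of flaw, an integer overflow in the size arithmetic of a length-prefixed message parser. It is not OpenWeave's code and the wire format (2-byte type, 2-byte big-endian payload length, payload) is invented for the example; the "secret" placed after the message in a static arena stands in for whatever happens to follow a receive buffer in process memory. The vulnerable parser accumulates the total length in a 16-bit variable, so a payload length of 0xFFFC wraps the total to 0, the bounds check passes, and the copy reads far past the received bytes. The hardened version compares the payload length against the bytes actually remaining, using a subtraction that cannot wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed demo format (NOT OpenWeave's MessageLayer):
 *   [2-byte type][2-byte big-endian payload_len][payload] */
#define HDR_BYTES 4u
/* Constructed "adjacent memory" that an overread would expose. */
#define SECRET "session-key:deadbeef"

/* Arena simulating process memory: the received message sits at the start
 * and unrelated sensitive data happens to follow it. */
static uint8_t arena[65536 + 64];
static uint8_t out[65536];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable: total length is computed in 16 bits, so HDR_BYTES + 0xFFFC
 * wraps to 0 and the bounds check wrongly passes. */
int parse_vulnerable(const uint8_t *msg, size_t msg_len, size_t *copied) {
    if (msg_len < HDR_BYTES) return -1;
    uint16_t payload_len = rd16(msg + 2);
    uint16_t total = (uint16_t)(HDR_BYTES + payload_len);  /* wraps for payload_len >= 0xFFFC */
    if (total > msg_len) return -1;                        /* 0 > 4 is false: check passes */
    memcpy(out, msg + HDR_BYTES, payload_len);             /* reads 0xFFFC bytes past a 4-byte message */
    *copied = payload_len;
    return 0;
}

/* Hardened: compare against the bytes that remain after the header.
 * msg_len >= HDR_BYTES is already established, so the subtraction cannot wrap. */
int parse_hardened(const uint8_t *msg, size_t msg_len, size_t *copied) {
    if (msg_len < HDR_BYTES) return -1;
    size_t payload_len = rd16(msg + 2);
    if (payload_len > msg_len - HDR_BYTES) return -1;
    memcpy(out, msg + HDR_BYTES, payload_len);
    *copied = payload_len;
    return 0;
}

/* Lays out the constructed attack message: 4 bytes "received" from the network
 * claiming a 0xFFFC-byte payload, with the secret sitting right after them.
 * Returns the length actually received (4). */
static size_t build_demo(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = 0x01; arena[1] = 0x00;      /* type */
    arena[2] = 0xFF; arena[3] = 0xFC;      /* payload_len = 0xFFFC */
    memcpy(arena + HDR_BYTES, SECRET, sizeof SECRET - 1);
    return HDR_BYTES;
}

/* 1 if the vulnerable parser accepted the message and copied the secret into out. */
int demo_vulnerable_leaks(void) {
    size_t n = build_demo(), copied = 0;
    memset(out, 0, sizeof out);
    if (parse_vulnerable(arena, n, &copied) != 0) return 0;
    return copied == 0xFFFC && memcmp(out, SECRET, sizeof SECRET - 1) == 0;
}

/* 1 if the hardened parser rejects the same message. */
int demo_hardened_rejects(void) {
    size_t n = build_demo(), copied = 0;
    return parse_hardened(arena, n, &copied) == -1;
}

int main(void) {
    printf("vulnerable parser leaks adjacent memory: %s\n", demo_vulnerable_leaks() ? "yes" : "no");
    printf("hardened parser rejects the message:     %s\n", demo_hardened_rejects() ? "yes" : "no");
    return 0;
}
```

The overread in the demo stays inside the static arena so the program itself is well-defined; in a real daemon the same arithmetic would walk off the end of a heap buffer and return whatever lies beyond it to the attacker, which is exactly how an integer overflow in length parsing turns into an information leak. The general rule the hardened version applies is to never add an attacker-controlled length to anything before checking it; compare it to the space remaining instead.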

Two code execution vulnerabilities, CVE-2019-5038 and CVE-2019-5039, have also been made public. They sit in the print-tlv command of the Weave tool and in the ASN1 certificate writing functionality of version 4.0.2 of Openweave-core respectively, and are triggered by getting the weave-tool or the Weave library to process a malicious input, which on the camera means an attacker-controlled file. If the attack is successful, it gives an attacker the opportunity to execute arbitrary code.


A brute-force vulnerability, CVE-2019-5035, has also been disclosed. The bug exists in the camera's Weave PASE pairing functionality: with a set of crafted Weave packets, an attacker can brute-force the pairing code, which "results in greater Weave access and potentially full device control," according to Cisco Talos.

In addition, CVE-2019-5036 and CVE-2019-5037, flaws in Weave error reporting and certificate loading respectively, can be triggered by malicious packets to cause a denial of service.

Cisco Talos worked with Weave and Nest Labs to resolve the security flaws and issue an automatic update before public disclosure. 

A Google spokesperson told ZDNet:

"We've fixed the disclosed bugs and started rolling them out to all Nest Camera IQs. The devices will update automatically so there's no action required from users."


In related news, Google has announced that starting today, users are able to migrate their Nest accounts to standard Google accounts. Google Home and Nest were merged in May, and the tech giant has been slowly working toward an integration of user accounts.

Email invitations are now being sent to users to begin the changeover process, after which a single sign-in will cover the whole product line. Users were concerned that Amazon Alexa's control of Nest devices might break because of the changes, but Google and Amazon have worked together to launch an updated skill to prevent any disruption to smart homes.
