A Whole Flock Of Google Nest Indoor Camera Issues Found - Patches Ready
By: Jim Stickley and Tina Davis
August 22, 2019
If you’re one to put cameras inside your home, this is for you. Researchers from the Cisco Talos research team said that there is a plethora of vulnerabilities in the Google Nest Cam IQ Indoor camera, specifically version 4620002, all having to do with the Weave protocol. This protocol is used for initial setup and communication with other Nest devices.
If you don’t care to know the specific issues, the main point is that all of them have been fixed by Google and the cameras should update automatically, as long as you didn’t change the settings. So, you don’t have to do a thing. But this is a good reminder to make sure all of your Internet of Things (IoT) devices are kept updated at all times. It’s wise to enable automatic updates whenever possible so you don’t have to worry about doing it manually. It’s so easy to forget to do such things.
There are eight issues of note:
- Exploitable denial-of-service (DoS) vulnerability in the Nest IQ’s Weave daemon – CVE-2019-5043
- Security flaw in the Weave legacy pairing functionality – CVE-2019-5034
- Information leak issue within the WeaveMessageLayer parsing of v. 4.0.2 of Openweave-core. This can cause an integer overflow – CVE-2019-5040
- Code execution vulnerability in the print-tlv command that can be exploited by convincing an unsuspecting user to open a malicious Weave command – CVE-2019-5038
- Code execution vulnerability within the ASN1 certificate writing functionality in Openweave-core version 4.0.2 – CVE-2019-5039
- Brute force issue in the Weave PASE pairing of the camera that could result in full control of the device – CVE-2019-5035
- Two issues with the Weave error and certificate loading that could lead to a DoS attack – CVE-2019-5036 and CVE-2019-5037
There are certainly many reasons one might want cameras inside the home. However, remember that these days, most or all of the video from those cameras goes directly to the Internet and is held in the company’s cloud storage. You are then relying on others to protect whatever details get recorded.