Nest cameras are a pretty popular consumer security device but businesses have also turned to them as a solution. GitHub user Jason Doyle has discovered a new bug that is affecting Nest cameras, allowing an attacker to disable them via Bluetooth for up to 90 seconds. This means someone could potential have plenty of time to disable the cameras and slip past their view before they recover. That’s a huge security risk for both consumer users and business users. Doyle has reported the bug to Google, who owns Nest, and he did so back in October of last year. While Google has acknowledged the bug, there has been no response on if it has been fixed.
UPDATED (03/21/2017 01:26p ET): Nest has responded to our article via Twitter stating that they have developed a fix for this issue and should be pushing it out soon.
@techaeris Thanks for reaching out. We’re aware of this issue, developed a fix for it, and will roll it out to customers in the coming days.
— Nest (@nest) March 21, 2017
The issue, according to Doyle’s post, is that Bluetooth connectivity is never disabled after the initial setup of the device. Using Bluetooth, the camera is supplied with a different SSID, which causes it to leave its current Wi-Fi network in an attempt to associate with it. After 60 to 90 seconds, it returns back to the original network.
Bluetooth is necessary to initially set up either of these cameras and can be used to change the settings or to configure the device later on. However, Bluetooth cannot be disabled, which means that there might not currently be an available workaround, Doyle told The Register.
The Internet of Things (IoT) has become a popular tech field that many people are flocking to, but there has been debate over the strength of IoT security. This Nest camera’s Bluetooth bug is just another ding on the strength of that security and I’m sure the debate will deepen even further over connecting anything and everything to the Internet.