Last week we reported on a story concerning Nest security cameras. It was discovered that at least two camera models were affected by a Bluetooth bug that could allow an attacker to disable the cameras remotely. Nest reached out to us quickly after the initial story and informed us they were working on a software update and were aware of the problem. Today, the company has reached out to us again to let us know that software update is available for all and the Bluetooth bug is now patched.
From our original story:
GitHub user Jason Doyle has discovered a new bug that is affecting Nest cameras, allowing an attacker to disable them via Bluetooth for up to 90 seconds. This means someone could potential have plenty of time to disable the cameras and slip past their view before they recover. That’s a huge security risk for both consumer users and business users. Doyle has reported the bug to Google, who owns Nest, and he did so back in October of last year.
The issue, according to Doyle’s post, is that Bluetooth connectivity is never disabled after the initial setup of the device. Using Bluetooth, the camera is supplied with a different SSID, which causes it to leave its current Wi-Fi network in an attempt to associate with it. After 60 to 90 seconds, it returns back to the original network.
Bluetooth is necessary to initially set up either of these cameras and can be used to change the settings or to configure the device later on. However, Bluetooth cannot be disabled, which means that there might not currently be an available workaround, Doyle told The Register.