Insecure security cameras sound like a joke, but aren’t

Reports recently surfaced that Google was alerted to security holes in its IoT security camera products and declined to patch them. This was quite frightening for two reasons. First, the fix was apparently straightforward, and second, the hole was readily and easily available to burglars with even a modicum of tech savviness.

Meanwhile, eBay seems to be encouraging users to downgrade their security defenses by giving up the hardware tokens they use for two-factor authentication and relying on text messages instead. Yes, eBay suggested that users make themselves more vulnerable to identity thieves. With these two recent incidents, is it any wonder that IT is suspicious about whether major companies are taking security seriously?

Let’s start with the Google situation. At issue is a series of products marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor. The Boing Boing story linked above provided more details:

“Researcher Jason Boyle discovered that sending long wifi network names or passwords to cameras over their Bluetooth interfaces (which cannot be disabled) will cause them to reboot. It would be trivial for a home intruder to reboot all the cameras in a home before breaking in. More seriously, a camera that is passed a malformed wifi network name can be made to disconnect from its home wifi for 60-90 seconds. This time can be extended by feeding it a stream of malformed wifi names,” the story said. It added that another flaw “allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to. If that particular SSID does not exist, the camera drops its attempt to associate with it and return to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won’t be recording.”

To be fair, these attacks do require the burglar (or, for that matter, murderer or rapist) to engage in a bit of physical gymnastics. The attacker first needs to get close enough to the camera to access Bluetooth — distances vary based on device and environment and it can even vary from initially making the handshake to maintaining the connection. But these are security cameras, so the attacker must achieve this potentially very short distance while also staying out of the camera’s view. After all, if the attacker is filmed before initiating the connection, the point of this exercise may be lost.

This problem is hardly insurmountable. But it involves studying the camera beforehand to learn the proper angle and positioning needed to access Bluetooth without being seen.

Another logistical challenge arises if the property is protected by multiple cameras. The blackout period referenced here (generally shy of 90 seconds) could be enough time to force entry, but it’s unlikely to be enough to complete the crime and escape. Hence, a network of nine or ten cameras may make this hole fairly trivial.

Those disclaimers all disclaimed, for the typical home that might have just one camera focusing on the front door, this could be a very significant hole.

So why didn’t Google fix it in the months it was given? Did it fear that confirming the hole’s existence — which a patch would presumably do — would undermine Google’s marketing messaging? That would be a terrible reason to leave a hole unpatched, but without a better explanation offered by Google, it’s a place to start.

Another question: Why was Bluetooth access enabled for a security device designed to be mounted outdoors? Bluetooth generally has weak, if any, authentication, on the premise that extreme physical proximity implies authorization. Does that premise hold up in the case of an outdoor security camera?

Now we turn to eBay. It asked customers who already had good security to soften their defenses.

Part of the rationale is the age-old security-versus-convenience thinking, where companies fear that insisting on robust security will inconvenience customers to the point where they don’t bother or where they will look for companies that are easier to work with. But that doesn’t seem to be the key issue here, since eBay was approaching customers who were already using better security.

The particulars of the eBay situation were laid out in a story in KrebsOnSecurity.

eBay wanted Brian Krebs “to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message,” the story said. “I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option. The move by eBay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication. NIST said one-time codes that are texted to users over a mobile phone are vulnerable to interception, noting that thieves can divert the target’s SMS messages and calls to another device, either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks.”

eBay apparently said that the change “was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multifactor authentication options in the future.”

That makes no sense. If that was eBay’s concern, it would have waited until it had created — or purchased — its own hardware tokens and then simply offered the tokens to existing customers and offered those customers an incentive to switch.

To ask customers with good security to abandon it now — without offering a comparably secure alternative — is absurd. If eBay wanted to send the message that it doesn’t care about protecting its customers or its data, it picked an ideal way to do it.

Physical tokens are excellent authentication devices, coupled with other elements, since they pose considerable obstacles to long-distance attackers. Then again, if homeowners chose to store their hardware tokens on top of their Google security cameras, they may have some issues.