
Major security holes found in Google’s Nest

Don’t use “smart home” technology. Just don’t.

After last week’s heated debate about whether Google Nest owners should be able to turn off their webcam’s recording LED, this week they have something more conventional to worry about – security flaws.

The vulnerabilities recently discovered by Cisco Talos researchers all relate to one model, the Nest Cam IQ Indoor camera.

As $249 webcams go, this one has plenty of features, including a 4K resolution sensor, facial recognition, noise and echo cancellation, and Google’s Voice Assistant integration to control other Nest products.

There are eight CVE-level vulnerabilities in total: five relating to the Weave protocol binary built into the camera (used to set it up), and three in the OpenWeave interface (the open-source version of Weave).

Some of these vulnerabilities allow the device to be taken over, or hijacked.

Google claims it’s patching the affected hardware, but cautions that updates may take a while to roll out.

Meanwhile, lots of Nest users are still angry about Google’s decision to cripple the toggle for the Nest cam’s LED status light.