Several vulnerabilities in Google’s indoor Nest cam allowed for ‘complete takeover’ and data leaks

Indoor Nest camera found to contain multiple vulnerabilities that could be exploited to leak data and hijack the device, experts warn

  • Google’s Nest camera patched several flaws that opened it up to attack 
  • Some of the exploits shut the camera down while others allowed total takeover
  • They target an application protocol used widely in Nest products 
  • All of them have been patched after researchers alerted Google 

Security researchers have discovered eight different bugs in Google’s Nest security camera that would allow hackers to take the camera offline or steal its data.

According to a post from researchers at Cisco Talos, the vulnerabilities, which have already been reported to Google and subsequently patched, affected the Nest Cam Indoor IQ — a product that they describe as ‘one of Nest Labs’ most advanced internet-of-things devices.’

The bugs opened up the device to a range of attacks, they said.

Google’s Nest camera was found to contain several vulnerabilities that opened the camera up to attack and ‘complete takeover.’

Among the potential hacks were several Denial of Service (DoS) attacks that would allow a hacker to effectively disable the camera completely. 

DoS attacks typically involve overloading a system or device by repeatedly sending requests until the target either freezes, shuts down, or is otherwise rendered completely useless. 

Perhaps even more unnerving than shutting down a camera, however, were vulnerabilities that would allow hackers to attain what researchers call ‘full device control.’

This specific hack involves sending the camera what are called ‘packets’ of executable information that would allow an attacker to reconfigure the device to pair with their own Nest app, essentially transferring full ownership of the camera.

It’s unlikely that this vulnerability would have been exploited, however, since it relies on a brute-force attack, which repeatedly enters an encryption key and would have to run over the period of a month before working.

All of the hacks exploited code in what’s known as Weave, an open-source application protocol that Google says ‘is already running in Nest products around the world.’

According to ZDNet, Google has already rolled out an automatic update for the cameras, so no user intervention is required to safeguard their device.

‘We’ve fixed the disclosed bugs and started rolling them out to all Nest Camera IQs. The devices will update automatically so there’s no action required from users,’ a Google spokesperson told ZDNet.

In lighter news, Google also recently announced that it will begin letting Nest users migrate their accounts to Google after announcing that it is integrating the formerly independent company into its broader smart home business in May. 


Nest Hub Max will launch this summer for $229


Google’s latest smart home device has a built in camera for video-chatting and even indoor security.

At the annual I/O developer conference, the firm unveiled the $229 Nest Hub Max that combines the features of Nest and Home Hub devices.

It has a 10-inch HD display, smart camera, and a rear-facing woofer to provide ‘full stereo sound.’

Nest Hub Max can be used to keep an eye on your home when you aren’t there, and comes with the ability to enable notifications for motion or unfamiliar people.

Google Duo capability also means it can be used for video calling on iOS and Android devices. ‘You can also use Duo to leave video messages for other members of your household,’ Google notes.

Nest Hub Max will launch in the US this summer for $229, along with the UK (£219) and in Australia (AUS$349).

The Nest Hub Max has a built-in camera with a wide-angle lens and 10-inch display
