After last week’s heated debate about whether Google Nest owners should be able to turn off their webcam’s recording LED, this week they have something more conventional to worry about – security flaws.
As $249 webcams go, this one has plenty of features, including a 4K resolution sensor, facial recognition, noise and echo cancellation, and Google’s Voice Assistant integration to control other Nest products.
There are eight CVE-level vulnerabilities in total, five relating to the Weave protocol binary built into the camera (used to set it up), and three in the Openweave interface (this being the open source version of Weave).
Three (CVE-2019-5043, CVE-2019-5036, CVE-2019-5037) could be used to bring about denial-of-service, two allow code execution (CVE-2019-5038, CVE-2019-5039) two make possible information disclosure (CVE-2019-5034, CVE-2019-5040) and one (CVE-2019-5035) is described as a “pairing brute force vulnerability.”
However, the two with the highest severity scores are CVE-2019-5035 and CVE-2019-5040 – the first potentially allowing device takeover, the second potentially allowing data from the device to be intercepted.
It’s unlikely that these flaws could be exploited remotely and a few of them would require some effort even from the local network.
According to Google, the Nest Cam IQ will update itself automatically as long as it is connected to the internet, but users should bear in mind that:
We push updates to Nest cameras in batches. Because we don’t push the update to all Nest cameras at the same time, you might not get it immediately.
While updating can’t be initiated manually, it is possible to check the firmware version by selecting a camera using the Nest app, tapping on Settings in the top right corner, selecting Technical Info and looking for the current version.
The updated version is 4720010. If you see anything earlier than this, that means updating hasn’t happened yet.
And don’t forget, if you’re using a second-hand Nest webcam – make sure the previous owner can’t use it to spy on you either.