Just a week after Google received a mixed response for forcing the LED on all Nest camera devices to remain on while the camera is in use, Google has another crisis on its hands. According to an article published by Cisco Talos researchers, Google’s Nest Cam IQ Indoor camera has multiple security vulnerabilities.
The Nest Cam IQ currently retails for $249 and has plenty of features, but the newly discovered vulnerabilities make it less secure. Overall, Cisco Talos researchers discovered eight vulnerabilities: five relating to the Weave protocol binary built into the camera, and three in the OpenWeave interface. Three (CVE-2019-5043, CVE-2019-5036, CVE-2019-5037) could be used to cause denial of service, two (CVE-2019-5038, CVE-2019-5039) allow code execution, two (CVE-2019-5034, CVE-2019-5040) make information disclosure possible, and one (CVE-2019-5035) is described as a pairing brute-force vulnerability. The silver lining here is that these are unlikely to be exploited, as they are hard to execute and might require substantial effort.
Google has already released the update, and the Nest Cam IQ will update itself automatically as long as it is connected to the internet, but there’s a catch: Google is releasing the update in batches, so not all Nest Cam owners will get it immediately. The updated version is 4720010, so if you’re using a Nest Cam IQ you can head to Settings > Technical Info and compare the current version to make sure you have the update installed.