Welcome to the Morning Read, a daily post where I recommend and discuss a white paper, blog post, chapter of a book, or some sort of text I find useful for DFIR analysts.
Today’s Morning Read has been cited in a few news outlets, but focuses on a bug disclosure from Jason Doyle, a security researcher. You can find a copy of Jason’s disclosure here:
Jason’s public disclosure was March 17, 2017, however updates are still being made to the README (18 hours ago as of this post).
Overview
As a huge fan — and user — of smart, connected home devices, I’m always intrigued when these types of vulnerabilities come along. I can’t ignore the growth of these devices in our lives, and of course they only open new avenues of hacking for both good and bad guys. As a digital forensic analyst, I certainly cannot ignore what this means for the future of investigations. Will there be a day that we receive a thermostat, an Alexa, and two outside cameras to help solve a crime?
In Jason’s disclosure, he discusses three bugs he discovered that allow for disabling of Google Nest and Dropcom Cameras. The vulnerabilities, as you can see in the GitHub page above, deal with Bluetooth attacks. The attacks are focused on abusing the always-on (even after setup) Bluetooth to either crash and reboot (obviously not recording during this time), or to drop off of the programmed WiFi network in search of a new SSID. The camera stops recording during this time also.
To date, no patch is available, although one has allegedly been prepared and will be out shortly. Additionally, you cannot disable Bluetooth on these devices. I’m reminded of this classic:
Highlights
- Bluetooth is never disabled even after initial setup. It’s an odd spot to be in when your device cannot disable Bluetooth and it becomes a primary attack vector.
- The attacks require that the attackers be in BLE range (about 100m max). This range may seem trivial to someone about to physically break into a building — but I’m sure some folks can find a way to extend it. I’ve seen some of these wireless protocols stretched over LONG distances.
Suggestions for Analysts
If this article proves one thing to me, it’s that the work of digital forensic analysts is not going to get any easier in the future. Just when we thought we had Linux/Mac/Windows IR nearing “automation”, industry went ahead and released a whole new, multi-billion dollar line of device types. Luckily, security concepts and principles are still the same. I mean, Bluetooth is Bluetooth.
If you work in an organization that utilizes smart devices heavily, your team must be diligent about securing these devices. Select products that have good patching history, and allow for customization. One of the flaws, I think, in these camera devices, is that they only allow for cloud storage. There’s a lot of requirements in simple guarantee. If you can roll your own on-site storage, consider a device you have more control over than something fancy and new that you have no control over.
Until tomorrow!
