Longstanding, unpatched Bluetooth vulnerability lets burglars shut down Google security cameras


#1

Originally published at: http://boingboing.net/2017/03/22/fools-paradise.html


#2

You know what else defeats security cameras? Any of the following:

Hoodies worn properly. A pair of wire cutters. A can of spray paint. A ski-mask.

The building where I work was burglarized two weeks ago. The burglars just walked around wearing hoodies and looking at the ground. Their faces were not visible from the cameras mounted near the ceilings.

Blue-tooth vulnerabilities might be interesting to programmers and tech fanboys, but they’re probably not on the radar of most burglars.


#3

This is terrible in principle, but in reality, how often will an actual burglar encounter this system? And then, as @jim1234 says, there’s the hoodie problem…


#4

(Trigger warning, I’m about to get on my high horse about something not relevant to this thread)

Not to detract from your unfortunate experience, but…

if they were burglars, you were burgled…
if you were burglarized, they were burglarizers…
if they were burglarizers, you were burglarizered…
if you were burglarizered,they were burglarizerers…

It’s turtles all the way down, simply for want of the use of a simple word like burgled. Whoever first coined burglarize should be drowned in a vat of grocers’ apostrophes. :wink:


#5

These cameras trigger a burglar alarm; they serve as motion detector. Disable them, you disable the motion detector.


#6

Not “defeats”, exactly. Many consumer-level security cameras are designed to alert the owner to activity when they aren’t home. If my camera tells me that there’s activity in my house when I’m out at dinner, and the included screenshot shows me somebody who isn’t supposed to be in my home, I still get to call the police to my house. No clothing choice is going to circumvent that.

Wire cutters do indeed work, but only if the wires are exposed. And given that most home burglaries are crimes of opportunity, any home that is going to require more tools to burgle than the house next door is likely going to get a pass.


#7

I don’t know about you guys, but I’m looking forward to seeing this vulnerability realistically exploited on Mr. Robot, and ham-handedly approximated on some crime procedural show.


#8

What happens if you give the camera a real SSID and password combo to connect to? e.g. a Portable Hotspot? Does it then “forget” the original one or does it keep a list of remembered wifi names? If it simply updates to the new details and never reconnects again to the old details it would be trivial to change the wifi setup then disconnect the hotspot leaving the cameras totally disconnected… but yeah… hoodies.


#9

I would rather they flood the area with knockout gas and then say “I did a thing!” so I can call the police.


#10

“Burglarize” has a perfectly cromulent meaning, derivable from the word itself.

Burglars burgle people - break into their homes and steal their stuff.

Burglarizers burglarize people - teach them how to burgle and encourage them to do so.


#11

Indeed - if it tries to connect to a wifi network that isn’t there, it goes back in a minute or so to the original one.

But if it connects to a wifi network that is there, but just doesn’t have working internet access, would it stay connected to that network as long as it could, not doing anything useful?


#12

I’m sure that the word “burglarize” was carefully selected after experimentation.


#13

Agreed - its meaning is perfectly cromulent in the context you describe, but not in the context it was used by the original poster who (in?)advertently embiggened the word ‘burgle’ to ‘burglarize’ and hence changed the entire sense of his post. As you say, burglars might be said to burglarize people. Not buildings, as the OP claimed.

I think I’d better stop ‘entering and breaking’ this thread now.


#14

I remember the first time I saw this Shadowrun at a gaming store. We have arrived.

Except, we still need elves…and magic.


#15

Please name these people who say all of the above things. Be specific because I’m saying this is your personal straw man and is mythical. You seem to be talking about different groups of people and conflating their views.

Of course, I don’t know a single person who works with security bugs who says “We should sue security researchers for reporting bugs.” What do I know? I only work in security and run a large bug bounty program though. I do agree that sure, once or twice, large corporate entities have sued a person for research. I’ve never seen any security person say that this happening was a good idea and it was pretty universally derided by security professionals and hackers.

I don’t know of a single security involved person who argues for this view and that are proponents of suing people. I’d love to see where they “argue” these things since that implied that in spoken or written words, specific individuals have done so and can be named.

So I want names of the specific people who have said these things (all of them together).


#16

I don’t know which example(s) Cory had in mind, but lawsuits to squelch the release of info regarding software vulnerabilities are definitely a thing.


#17

Yes, FireEye and Adobe have done it (once each as far as I know). Given the size of the security industry and the number of vulns disclosed over the last two decades, that’s a damn low number of lawsuits. If someone has a list of lawsuits filed in this space (which would be public record), I’d love for it to be produced. It might behoove the EFF to do so to strengthen their arguments.

It just isn’t something you hear about anecdotally, either amongst security people or when you go to Black Hat, DEFCON, RSA, etc. It is mostly a bullshit concern if you’re dealing with a tech company.

I, personally, receive disclosures from third parties for a major browser as my day job. I spent many many years working for one of the other major browsers as well. I talk with a lot of people at other companies and who are security researchers because it is the space I work in and part of my work. By and large, people aren’t walking around worried about being sued by a company.

Cory seems to be conflating different people and a bunch of “this might happen” as a solid given espoused by some person or persons to raise awareness of what is largely a hypothetical issue (and to beat the drum of one of his justifications for his opposition to the EME standard at the W3C).

Google actually has a very good track record overall and is one of the best in the industry for working with security researchers (no, I don’t work for them).


#18

Yeah, “Proponents of … argue that” is almost of a kind with the “some people say” formula of rabble-rousers everywhere, (such as the 45 team).


#19

It really annoys me that the dropcam can’t have a Ethernet option. Even a chromecast you can get a power supply that includes an Ethernet jack.


#20

persons unknown in police uniforms could do the trick, though