mostlysignssomeportents:

A security researcher has published a vulnerability and proof-of-concept
exploits in Google’s Internet of Things security cameras, marketed as
Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor;
these vulnerabilities were disclosed to Google last fall, but
Google/Nest have not patched them despite the gravity of the
vulnerability and the long months since the disclosure.

Researcher Jason Boyle discovered that sending long wifi network names
or passwords to cameras over their Bluetooth interfaces (which cannot be
disabled) will cause them to reboot. It would be trivial for a home
intruder to reboot all the cameras in a home before breaking in.

More seriously, a camera that is passed a malformed wifi network name
can be made to disconnect from its home wifi for 60-90 seconds; this
time can be extended by feeding it a stream of malformed wifi names.

It’s a sobering example of how even well-resourced, professionally
managed companies can fall down on the job when it comes to security.
Proponents of giving companies the power to sue security researchers who disclose defects in their products argue that companies are generally responsive to security vulnerability disclosures, and that any unauthorized disclosures are, by definition, irresponsible.

But if Google can’t be relied upon to patch showstopper bugs in their
flagship home security products over a six-month period, who can?

https://boingboing.net/2017/03/22/fools-paradise.html