It seems like everyone is getting into the wireless security camera game with offerings from Nest, Arlo, Dropcam, Samsung and many others out on the market I wondered how secure these devices really are. In this case I am not going to look at many of the implementation details of these devices mainly focusing on the over the air connection and how resistant they are to being rendered useless. Since the purpose of these devices is to give the owner the ability to see areas under supervision in near real-time as well as get alerts and and look at historic footage I wanted to see what it would take to cause these devices to fail this stated purpose. Just a fair word of warning, I only had access to some of the Nest devices for these tests and have extrapolated how these attacks may effect the other devices based on specs and data sheets. Feel free to correct inaccuracies or if you have any of the brands stated above and are willing to lend them I would be happy to test them out.

(Feel free to scroll all the way to the bottom for the TL;DR highlights)

Physical Security

So the first point of concern for me was how physically secure these devices are. Now in the case of the Nest and Arlo devices this depends a lot on where you install them. Both these brands use a magnetic mounting base (Nest IQ Outdoor doesn't) that the camera is held to with magnetism and while this works great and makes for a fairly easy install it also means if your cameras are placed in a location where they are easily reached they can simply be pulled down with little force. In the case of the Arlo this is especially true since it has no wires at all vs the Nest Outdoor which has a power cable that would at least make walking away with it a slight amount more trouble (i.e. you would need to clip the cable). In both of these cases if the device is placed high enough that it would be difficult to reach this can largely be mitigated. The newly released Nest IQ Outdoor Cam uses a different mounting base that clips in and is released with a "key" that is inserted in a small hole and twisted so it should be a bit more resistant to physical tampering although the key is simply a small hex key.

Nests two outdoor offerings the Nest Outdoor Cam and the Nest IQ Outdoor Cam, both of which have power cords but use WiFi as the means for transmitting data. This means in both cases you need to figure out how to protect those cables so that someone can't simply clip or unplug them. This is also fairly easy to reasonably protect using some metal wiring raceway which can be mounted to the walls and the cable can be ran inside which should do a reasonable job protecting it and the outlets can be covered with a security cover that has a lock. So assuming they are physically secure now how hard is it to cause them to stop functioning assuming these physical protections work?

Over the air security

As with some tests for other wireless devices we will not look at attacks you could perform if you have access to the network, things such as arp poisoning, man in the middle attacks or dhcp exhaustion won't be looked at simply because if the attacker has access to your network there are just too many things that could be done to disrupt any device on your network. So instead this will look at what can be done without any special network access and we'll look at one solution to the problem.

So the first tool in the toolkit for disrupting WiFi devices is always the handy and trust worthy deauthentication attack, this is the same attack that was used in last weeks article on finding hidden wifi SSIDs when it was used to accelerate a client reconnect event by causing an active client to disassociate from the AP and reconnect. Now as we would expect once I fired up the deauthentication attack on the Nest Cam my live stream immediately dropped offline. Now while it was offline I wanted to see if it would still record and buffer the footage and send it when it eventually came back online. After about 5 minutes I killed the deauthentication attack and waited for the device to reconnect to the network...and waited...and waited...but the camera didn't come back online even after 30 minutes. The best I can estimate it must have either had a firmware bug or some sort of backoff/max reconnect algorithm that had given up. I had to go to my breaker box and kill the power to the cameras (thanks to those hard to access locked power outlets this was the easiest way to reset them) before they eventually came back online. Once they were back online I tried to see if there was any buffered video that had been uploaded and sadly there was none. I repeated this test with smaller amounts of time to prevent needing power cycles to recover from the failures but each time there was no video so the best I can tell Nest devices do not buffer any video at all, they are sending it online or the aren't. This means any WAN outages or WiFi problems = no security camera footage.

The problem

So why did this work? For those not familiar with how WiFi works i'll give a very quick high level overview. You can think of your connection to your secure wireless access point as having two parts. The data stream which all your traffic is sent over using encryption to protect it and prevent viewing or modification and the management or control channel which uses frames that are open for anyone to see and are used to control access to the wireless channel. One of the features these management frames provide is a way for access points to tell clients to disconnect from them, these disassociate frames are sent by the AP which is "authenticated" by the client simply by verifying the senders MAC address which can easily be spoofed. The was the 80211 spec is designed when clients get these frames they must then disconnect from the access point. The problem with this design is apparently no one thought this may be abused by bad actors and as a result pretty much all wireless devices in use are vulnerable to attacks where you just spam them with disassociation frames so that they can't connect to the network. This is what was done here and as usual it was completely successful.

The solution

So it didn't take long for people to realize this was an issue and by 2009 the IEEE 802.11w standard was approved as an amendment to the IEEE 802.11 standard (WiFi). This added security to management frames sent after authentication had taken place. This protects disassociation/deauthentication frames as well as many other types of management frames I won't cover since they aren't relevant here. Now this standard has been out a long time and is a requirement for WFA certification for 80211n and 80211ac devices. Now before you get too excited and try to figure out how to turn this feature on be warned I have yet to see a consumer access point that really supports it (Some Asus devices have field for "management frame protection" but I have verified with wireshark that this checkbox appears to just be for looks as the RSN capabilities of the AP still don't show capable or required no matter how the option is set). Now thankfully I have equipment that is a bit more enterprise oriented so I was able to go in and enable PMF (protected management frames, also called management frame protection or referred to by the standard 80211w). So after enabling this option on my AP and trying a deauthentication attack again I was surprised to see my camera go offline. There were two possible reasons for this, first the Nest Cameras may not support 80211w which I felt was unlikely given the features wide availability in Linux and Windows wireless stacks and the high likelihood that all of these devices were based on a Linux kernel. The other option was that the AP wasn't actually supporting it, so again I fired up Wireshark and took a look at the RSN capabilities and sure enough "capable" and "required" bit fields for 80211w were both 0...after a little digging I realized it was because the 2nd generation of the Unifi AP's made by Ubiquiti I was using didn't currently support 80211w only the 3rd generation did which at this point is only the UAP-AC-HD which I also happened to have so I moved the SSID over to that AP only and tried again. Eureka! the cameras stayed online even though I was broadcasting disassocaition frames at an extremely high rate. I backed the setting off from required to capable to see if they would still connect and use 80211w even when it wasn't required (to maintain compatibility with other devices) and again the cameras appear to be impervious to the deauthentication attacks now. I would be interested to find out if Arlo and other device also support 80211w but my guess is they do.

The takeaway

Wireless security cameras are convenient especially compared to running ethernet all over your house and drilling holes through walls but in order for them to provide what I'll refer to as a "wired" level of reliability you need to have an access point that supports management frame protection which at the time of writing this isn't many (hopefully this changes as this is a great feature). Your choices at this point are Ubuquiti Unifi gear (only the Gen3 but rumor is it will be added to older generations soon) or Cisco/Meraki or Aruba gear or something like OpenWRT or DD-Wrt which should support it with a new enough build of hostapd and a tweak to the configuration (usually adding the line 80211w=1 for capable or 80211w=2 for required)

TL;DR - Too Long, Didn't Read

Nest outdoor security cameras can be rendered useless by simply performing a deauthentication attack against them. There will be no footage from the point they are knocked offline (which is instantly) till they come back online. I assume based on spec sheets many other brands are similar since they don't seem to mention any type of internal buffer for recording when they are offline. Access Points supporting Management Frame Protection (802.11w) will prevent this from happening and ensure close to a "wired" level of reliability.