Home surveillance manufacturer Nest has dismissed reports of secret surveillance by its internet-connected Nest Cam.
Earlier this week, ABI Research reported that the Nest Cam keeps drawing a healthy amount of current, even when it is switched off. The researchers suggested that the camera is still working and likely observing, as it draws 343mA while off, and up to 370mA or 418mA while on.
ABI’s Jim Mielke said that the high power consumption suggests that the webcam does not power down, and instead continues to record the surroundings. “Typically a shutdown or standby mode would reduce current by as much as 10 to 100 times,” he said.
Unsurprisingly, Nest dismissed reports vehemently, saying that its camera does not keep recording when it is turned off. The reason for its high current usage, a spokesperson told the Register, is so it can wake up and and record video at a moment’s notice rather than have to power up.
When Nest Cam is turned off from the user interface, it does not fully power down, as we expect the camera to be turned on again at any point in time. ...
With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings.
The research by the “teardown team” at ABI found that the Nest Cam’s LED power did turn off when users enacted the power down command, accounting for the slight power drain reduction, but as the device never actually turned off or powered down, this was where the concern was.
At Naked Security, we’ve written many times about hackers using webcams or baby monitors to spy on people.
As the Internet of Things expands continuously, the most basic tools may be left behind when it comes to security.
Ld Elon
Happens on windows phone 8.1, can tell its phone being used as web camera as it gets warm equal to using the camera in normal use.
Tom
I’ve wondered about the IoT and the cloud management of devices. For example, if you have a Nest thermostat that “learns” when you are home, that information could be used to tell bad guys when they could burglarize your home. More likely, if Google saw that you kept your house temperature at 60 F, they could sell the information to retailers of fleece clothing to send or place ads.
MikeP_UK
It appears that the camera does not enter any standby mode at all, only turning off the LED indicator. That means the camera functionality is still potentially available and might be vulnerable to a decent hack. The response from Nest is disingenuous and pretty meaningless.
Most electronic equipment draws a lot less power when in standby mode, a set-top box for example generally draws about 50W when operating but usually less than 1W in standby. So as the power demand hardly drops, it almost certainly does not go into standby and most definitely does not go Off properly (when it would draw zero power).
JohnP
Wouldn’t it be easy to verify by using a packet sniffer and monitor any packets streaming from the camera? Just monitor packets when it’s on, then shut it down and note any differences.
Paul Ducklin
Maybe, maybe not. For example, I have a sound recorder with a “previous few seconds” mode in which, when you turn it off, it records anyway, into a circular buffer, that is used as the start of any new recording. In other words, when it’s off, it’s actually on…but how to tell?
Greg
Yes but then there wouldn’t be a story would there…
Troy
Really, an article that states a device that has excess power consumption is a major security threat!
Has no one bothered to inspect the actual traffic being sent across the wireless from the device to some unknown secret location where all this data is being stored….. (It’s not that hard to do and as security researchers I would have expected more analysis from Sophos)
I’m not defending Nest in anyway but I can understand their point of view and there response
The cameras could very well have a continuous recording buffer in the camera that isn’t transmitted from the device until told to but has the ability to send the past few minutes prior to an event/request to start recording, and again this could be validated by looking at the traffic being sent from the device.
And besides, judging from Nest smoke detectors their firmware isn’t the greatest in their products.
I’d be far more concerned about how vulnerable the thing is over how much power it draws especially when it is designed to run off continuous power and power saving doesn’t really offer anything here.
Paul Ducklin
Determining _what is actually being sent_ is not quite as simple as “sniffing.” As you say, there might be a recording buffer, and so the device might very well be on (in some non-trivial senses of on) even when you might consider it off.
It certainly sounds as though the device is still capturing data…Nest says only that it doesn’t transmit anything, not that the camera actually shuts down and stops measuring the state of each pixel while it’s off. I think that’s what concerned the people who did the power measurement…just how much of the device’s functionality is off when the device is off. You can’t tell that from external traffic.