Skip to content
Naked Security Naked Security

Used Nest cams were letting previous owners spy on you

Google says it's fixed the issue, but we haven't heard details on how many, and which, products were affected.

A former Nest cam owner recently found that he could still see images from his old security camera, even after performing the factory reset you’re supposed to do before you offload your gizmos.

The real problem: he wasn’t seeing a feed of his own property. Instead, he was seeing the new owner’s place, via his Wink account. Wink is a brand of software and hardware that connects with, and controls, smart-home devices.

According to a report from Wirecutter, the original owner – a member of the Facebook Wink Users Group – said that he’d connected the Nest Cam to his Wink smarthome hub. Somehow, resetting it didn’t cut the cord: the feed, via a series of stills, from his former camera to his Wink account didn’t go away.

After the Wirecutter report was published on Wednesday, Google – owner of Nest – sent a statement to the publication to let them know that it had fixed the issue and that users’ devices will be automatically updated:

We were recently made aware of an issue affecting some Nest cameras connected to third-party partner services via Works with Nest. We’ve since rolled out a fix for this issue that will update automatically, so if you own a Nest camera, there’s no need to take any action.

Re-testing of a Nest Indoor Cam and the Wink Hub confirmed that the issue has indeed been corrected.

We don’t know what the problem was, or how Google fixed it.

In fact, there’s a lot of “we dunno!” to go around in the Internet of Things (IoT) – things that are going to be plugged into your life, your living room, your bedroom or what have you. It might be wise to keep that in mind when you’re considering purchasing preowned versions of these kind of cameras, locks and other devices outfitted with microphones.

At Christmas we told you about Mozilla’s IoT gift guide, which ranked popular IoT gifts in terms of their security. If you buy a second-hand connected device, always perform a factory reset on it and set up new credentials. If you’re buying new, make sure the device can receive security updates and replace any default passwords with strong, unique ones of your own, straight away.

2 Comments

Another case of “we fixed it ‘cos someone [else] highlighted a basic security flaw in our product”.
And/or…. “we forgot to include resetting this feature during the hard reset that customers can perform”. That’s my spidey-senses tingling :)

I moved from a house 3 years ago, to a different state. I was still able to access and control my Nest Smart Thermometer from my computer in the new home until I deleted the link. It Is a Brave New World! Pass the Soma.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?