
Bug Allowed Second Hand Nest Cams to 'Spy' on New Owners

If you have a second-hand Nest Cam Indoor (home security camera), you may be shocked to learn that the previous owner can still see footage from it.

The flaw was discovered by a Nest Cam owner whose camera had been integrated with their Wink smart home hub (an app that "allows you to monitor and manage everything in your home"). After they sold their Nest Cam, they could still view images of the new owner's home through the camera via their Wink account.

While a 'factory reset' is (usually) a sure-fire way of starting over, the Nest Cam Indoor has no factory reset option ...

When reporters at Wirecutter read of this, they ran a test and found that, despite the instructions stating: "To reset one of these cameras, simply remove it from your account", this didn't work.

After buying a new Nest Cam Indoor camera and signing it up to a 'Nest Aware' account, they removed it from the account, as per the instructions. They created a new account for the camera (as someone would do if they bought it) and were able to "view a live stream successfully through the Nest mobile app" and to see a stream of still images (from the Nest Cam) via their Wink app.

Upon hearing about the flaw, Google - the parent company of Nest - issued the following statement: "We were recently made aware of an issue affecting some Nest cameras connected to third-party partner services via Works with Nest. We've since rolled out a fix for this issue that will update automatically, so if you own a Nest camera, there’s no need to take any action. We retested, using a Nest Indoor Cam and the Wink Hub, and can confirm that the issue has been corrected."

When asked how Google corrected the error, they responded: "We usually don’t share how a fix was pushed out for various reasons - the statement is our update of record for this."
