Bug Allowed Second Hand Nest Cams to 'Spy' on New Owners

Giulio Saggin
Tuesday, 28 November 2023

If you have a second-hand Nest Cam Indoor (a home security camera), you may be shocked to learn that the previous owner can still view images through it.

The flaw was discovered by a Nest Cam owner whose camera had been integrated with their Wink smart home hub (an app that "allows you to monitor and manage everything in your home"). After they sold their Nest Cam, they could still view images of the new owner's home through the camera via their own Wink account.

While a 'factory reset' is (usually) a surefire way of starting over, the Nest Cam Indoor has no factory reset option ...

When reporters at Wirecutter read of this, they ran a test and found that, despite the instructions stating: "To reset one of these cameras, simply remove it from your account", this didn't work.

After buying a new Nest Cam Indoor camera and signing it up to a 'Nest Aware' account, they removed it from the account, as per the instructions. They then created a new account for the camera (as someone would do if they bought it) and were able to "view a live stream successfully through the Nest mobile app" and a stream of still images (from the Nest Cam) via their Wink app.

Upon hearing about the flaw, Google - the parent company of Nest - issued the following: "We were recently made aware of an issue affecting some Nest cameras connected to third-party partner services via Works with Nest. We've since rolled out a fix for this issue that will update automatically, so if you own a Nest camera, there’s no need to take any action. We retested, using a Nest Indoor Cam and the Wink Hub, and can confirm that the issue has been corrected."

When asked how Google corrected the error, they responded: "We usually don’t share how a fix was pushed out for various reasons - the statement is our update of record for this."
