Buyer Beware: Used Nest Cams Can Let People Spy on You


We’ve explained before that when you’re selling or giving away your old smart-home devices, it’s critical to do a factory reset on them first in order to protect your data and privacy. We’ve recently learned, however, that even performing a factory reset may not be enough to protect privacy for owners of the popular Nest Cam Indoor. And in a twist, this time the risk is on the side of the person receiving the device, not the person disposing of it.

A member of the Facebook Wink Users Group discovered that after selling his Nest cam, he was still able to access images from his old camera—except it wasn’t a feed of his property. Instead, he was tapping into the feed of the new owner, via his Wink account. As the original owner, he had connected the Nest Cam to his Wink smart-home hub, and somehow, even after he reset it, the connection continued.

We decided to test this ourselves and found that, as it happened for the person on Facebook, images from our decommissioned Nest Cam Indoor were still viewable via a previously linked Wink hub account—although instead of a video stream, it was a series of still images snapped every several seconds.

Here’s the process we used to confirm it:

Our Nest cam had recently been signed up to Nest Aware, but the subscription was canceled in the past week. That Nest account was also linked to a Wink Hub 2. Per Nest’s instructions, we confirmed that our Aware subscription was not active, after which we removed our Nest cam from our Nest account—this is Nest’s guidance for a “factory reset” of this particular camera.

A screenshot on the Nest website with instructions for factory-resetting Nest Cams and Dropcams.
Nest’s instructions for doing a factory reset on the Nest Cam indicate that there is no factory reset button, a common feature on smart-home devices.

After that, we were unable to access the live stream with either the mobile Nest app or the desktop Nest app, as expected. We also couldn’t access the camera using the Wink app, because the camera was not online. We then created a new Nest account on a new (Android) device that had a new data connection. We followed the steps for adding the Nest Cam Indoor to that new Nest account, and we were able to view a live stream successfully through the Nest mobile app. However, going back to our Wink app, we were also able to view a stream of still images from the Nest cam, despite its being associated with a new Nest account.

In simpler terms: If you buy and set up a used Nest indoor camera that has been paired with a Wink hub, the previous owner may have unfettered access to images from that camera. And we currently don’t know of any cure for this problem.

We are unsure what further implications there may be regarding Nest’s video service, including whether it may be vulnerable to other methods or through other smart-home device integrations. We’re also unsure whether this problem affects the entire Nest lineup, including the Nest Cam Outdoor, Nest Cam IQ Outdoor, and Nest Hello video doorbell.

We reached out to Nest for comment about why this is happening, which devices are involved, and what the company plans to do about it, but we haven’t received an official response yet—we’ll update this post when we do.

For now, our advice is to avoid buying a second-hand Nest device and to unplug any used ones you may have already purchased.

Sources

1. How to restart or factory reset your Nest camera or Nest Hello, Google Nest Help

Print Friendly, PDF & Email
Leave a comment
Stay up to date
Register now to get updates on promotions and coupons.

Shopping cart

×