Bought a second-hand Nest Cam? It might have been spying on you

Graham CLULEY

June 26, 2019

Anyone who has been following news stories in recent years will be all too aware of the importance of wiping devices of any personal information before giving them away or selling them on eBay.

After all, it would be disastrous if the new owner of your old device were able to access your personal data, such as your family photographs or passwords.

But what’s surprising to some is that occasionally the individual at risk is not the person selling the device but instead the individual purchasing it.

That risk was underlined last week by a report on Wirecutter.

Reporters revealed that even after a factory reset of the popular Nest Cam Indoor home security camera, a camera that had been connected to third-party partner services via Works with Nest might still leave its video feed accessible to a previous owner:

A member of the Facebook Wink Users Group discovered that after selling his Nest cam, he was still able to access images from his old camera—except it wasn’t a feed of his property. Instead, he was tapping into the feed of the new owner, via his Wink account. As the original owner, he had connected the Nest Cam to his Wink smart-home hub, and somehow, even after he reset it, the connection continued.

We decided to test this ourselves and found that, as it happened for the person on Facebook, images from our decommissioned Nest Cam Indoor were still viewable via a previously linked Wink hub account—although instead of a video stream, it was a series of still images snapped every several seconds.

Thankfully, Google acted swiftly after seeing the hullabaloo that resulted from the report in Wirecutter, and rolled out a fix for the issue – meaning that Nest Cam Indoor users should now be safe.

But this problem of what to do about leaky second-hand internet-connected devices persists.

And it’s not a new phenomenon.

In 2017, for instance, IBM’s Charles Henderson described how, over two years after he had traded his car to an authorised dealer, he was still able to access it via a smartphone app.

Despite deauthorising his account, and resetting the Bluetooth, as well as surrendering all the car keys at the time of sale, Henderson’s mobile app never forgot his old car.

The result? Henderson could track his old car’s location, trigger its horn, adjust its climate control, send it new Sat Nav directions, and even remotely unlock the vehicle.

And a new purchaser wouldn’t necessarily have a clue.

Remember – whether the IoT device you’re thinking of purchasing or accepting as a gift is as small as a Nest Cam or as big as a motorcar – it makes sense to be cautious about what information it might be gathering about you, and who it might be sharing it with.

Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
