Nest Cam ‘Continues Running When Switched Off’

The Nest Cam, a popular security camera sold by Google-owned Nest, does not shut down when users think they’ve switched it off, raising security concerns, researchers have said.

Market analysts ABI Research found in an analysis of the device that when a user switches Nest Cam off, all that really turns off is an LED indicating the device is running.

“Typically a shutdown or standby mode would reduce current by as much as 10 to 100 times,” said ABI Research vice president of teardowns Jim Mielke in an advisory. “In this case, the current drain only changed slightly when given the turn off command, reducing from 370mA to 340mA. This means that even when a consumer thinks that he or she is successfully turning off this camera, the device is still running.”

The slight drop in power intake is due to the LED switching off, ABI said.

“It appears Nest Cam is working around the clock,” Mielke said.

Researchers have pointed out the dangers of millions of “Internet of Things” devices, such as security cameras, being connected to the Internet, often by users with little awareness of security. Aside from privacy risks, such devices can be hacked en masse and used to direct attacks against others, industry observers have pointed out.

Nest said that when the device is switched off, it does remain in a state of readiness, but no longer transmits video.

“When Nest Cam is turned off from the user interface (UI), it does not fully power down, as we expect the camera to be turned on again at any point in time,” the company stated. “With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings.”

Privacy protection

The company added that the device uses 128-bit SSL to encrypt video, safeguarding it from intruders whether the device is operation or switched “off”.

The camera, introduced in June along with a new smoke alarm and thermostat, offers 1080p video and night vision quality that’s superior to that of its predecessor, Nest’s Dropcam. Nest acquired Dropcam for $555m (£368m) last year.

Nest Cam went on sale in the UK for £159 in July.

The camera streams video live to mobile phones or computers and can also be linked to a cloud service called Nest Aware, which retains a history of what’s recorded that can be accessed from remote devices.

The camera is also used by vloggers on Google’s YouTube Live to stream continuous video feeds.

Camera vulnerabilities

Internet-connected video cameras are a common target for hackers, according to security experts, as they are sold in large numbers and are often set up in a way that leaves them vulnerable to attack – for instance, by users who don’t change the default username and password.

Security Incapsula said last month it recorded a 240 percent increase in malicious activity on its cloud-based security network in March of last year, most of it originating from compromised cameras.

The company said it recently found a denial-of-service attack was being directed at one of its customers using 900 hacked cameras.

All of the devices used in the attack were accessible using their default login credentials, and were targeted by an automated software tool that specifically searched for this vulnerability, Incapsula said.

“This goes to show just how easy it is to locate and exploit such unsecured devices,” Incapsula said in an advisory.

Are you a security pro? Try our quiz!