Slashdot Mirror

← Back to Stories (view on slashdot.org)

Green Light Or No, Nest Cam Never Stops Watching (securityledger.com)

Posted by Soulskill on from the how-to-lose-trust dept.

chicksdaddy writes: How do you know when the Nest Cam monitoring your house is "on" or "off"? It's simple: just look at the little power indicator light on the front of the device — and totally disregard what it is telling you. The truth is: the Nest Cam is never "off" despite an effort by Nest and its parent Google to make it appear otherwise. That, according to an analysis of the Nest Cam by the firm ABI Research, which found that turning the Nest Cam "off" using the associated mobile application only turns off the LED power indicator light on the front of the device. Under the hood, the camera continues to operate and, according to ABI researcher Jim Mielke, to monitor its surroundings: noting movement, sound and other activity when users are led to believe it has powered down.

Mielke reached that conclusion after analyzing Nest Cam's power consumption. Typically a shutdown or standby mode would reduce current by as much as 10 to 100 times, Mielke said. But the Google Nest Cam's power consumption was almost identical in "shutdown" mode and when fully operational, dropping from 370 milliamps (mA) to around 340mA. The slight reduction in power consumption for the Nest Cam when it was turned "off" correlates with the disabling of the LED power light, given that LEDs typically draw 10-20mA.

In a statement to The Security Ledger, Nest Labs spokesperson Zoz Cuccias acknowledged that the Nest Cam does not fully power down when the camera is turned off from the user interface (UI). "When Nest Cam is turned off from the user interface (UI), it does not fully power down, as we expect the camera to be turned on again at any point in time," Cuccias wrote in an e-mail. "With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings." The privacy and security implications are serious. "This means that even when a consumer thinks that he or she is successfully turning off this camera, the device is still running, which could potentially unleash a tidal wave of privacy concerns," Mielke wrote.

32 of 199 comments (clear)

  1. video transmission by NostalgiaForInfinity · · Score: 5, Insightful

    With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings

    That should be easy enough to check, shouldn't it?

    1. Re:video transmission by Lumpy · · Score: 4, Insightful

      Yep, yet these morons did not even try to look for that. Honestly the whole "story" is a bunch of speculation from people that dont know anything at all about the technology they are looking at.

      --
      Do not look at laser with remaining good eye.
    2. Re:video transmission by fche · · Score: 2

      It's the slashdot poster's erroneous paraphrasing that made this "problem" seem worse:

      "ABI Research, [...] found that turning the Nest Cam "off" using the associated mobile application only turns off the LED power indicator light on the front of the device" ... which exaggerates what the report said. They didn't say the power-off ONLY turned the LED off.

    3. Re:video transmission by quenda · · Score: 2

      Submission is a beat-up, but TFA has some significance.
      I believe any indicator on a webcam should be hardware. Unhackable. It should be fed from the power supply to the sensor, which is not difficult to do.
      Otherwise, privacy is compromised. And trust. I use a webcam with a physical slide-down lens cover, because I don't trust the indicator LED, and this story has validated that.

      Also, there is the issue of unnecessary standby power consuming gigawatts 24/7. You'd think a branch of "don't be evil" would be working to reduce that.

    4. Re:video transmission by serbanp · · Score: 2

      Sorry Lumpy, but if the design draws almost as much in standby as in fully-on mode, its power design is crappy. All bits that are not used for keeping the network connection alive can be disabled; the network portion should be responsible only for a reasonable percentage of the power being burned - 91% is not reasonable.

    5. Re:video transmission by Anonymous Coward · · Score: 2, Funny

      There was a set-top box here where the power usage increased when put into standby. Apparently it had no standby feature and some new law required it. They hacked an implementation in by starting an extra process that overwrites all pixels with black and all audio samples with zero, increasing the CPU load to almost 100% (as it was not done by the hardware video decoder). There was a lawsuit over this, but the device was found compliant, as the standby mode was there as asked for in the law.

      Current versions do really power down the box.

  2. Reasons why I don't like the Internet of Things. by Anonymous Coward · · Score: 5, Insightful

    Here's a list of reasons why I don't like the Internet of Things:

    1) Internet of Things devices could watch me while I sleep.

    2) Internet of Things devices could watch me while I pee.

    3) Internet of Things devices could watch me while I make kaka.

    4) Internet of Things devices could watch me while I pleasure myself.

    5) Internet of Things devices could watch me while I wash my body in the shower.

    6) Internet of Things devices could watch me while I relax in the tub.

    7) Internet of Things devices could watch me while I brush my teeth.

    8) Internet of Things devices could watch me while I make passionate love to my wife.

    9) Internet of Things devices could watch me while I brush my hair.

    10) Internet of Things devices could watch me while I read a book.

    11) Internet of Things devices could watch me while I read Slashdot.

    12) Internet of Things devices could watch me while I bake cake.

    13) Internet of Things devices could watch me while I put in my contact lenses.

    14) Internet of Things devices could watch me while I get ready to play golf.

    15) Internet of Things devices could watch me while I do my laundry.

    16) Internet of Things devices could watch me while I think about rugby.

    17) Internet of Things devices could watch me while I tie my shoes.

    18) Internet of Things devices could watch me while I celebrate the 4th of July.

    19) Internet of Things devices could watch me while I water my flowers.

    20) Internet of Things devices could watch me while I eat ham.

    21) Internet of Things devices could watch me while I use my stapler to staple documents.

    22) Internet of Things devices could watch me while I chew bubble gum.

    23) Internet of Things devices could watch me while I check the oil in my car.

    24) Internet of Things devices could watch me while I look for my TV remote.

    25) Internet of Things devices could watch me while I blow my nose.

    26) Internet of Things devices could watch me while I rearrange my stamp collection.

    27) Internet of Things devices could watch me while I listen to the Backstreet Boys.

    28) Internet of Things devices could watch me while I do my calisthenics.

    29) Internet of Things devices could watch me while I search for a paper clip.

    30) Internet of Things devices could send information about me to advertisers.

    31) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I sleep.

    32) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pee.

    33) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make kaka.

    34) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pleasure myself.

    35) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I wash my body in the shower.

    36) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I relax in the tub.

    37) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my teeth.

    38) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make passionate love to my wife.

    39) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my hair.

    40) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read a book.

    41) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read Slashdot.

    42) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I bake cake.

    43) Internet of Things devices could let advertisers use the data unsuspectingly coll

  3. Idiots by Anonymous Coward · · Score: 5, Insightful

    So, when faced with the question of 'does this device stop transmitting to the cloud' the "researcher" decided to monitor the power consumption of the device as opposed to, you know, seeing it if is actually transmitting video to the cloud?

    How does stuff like this make it to the front page?

  4. FUD at least sort of. by samantha · · Score: 4, Interesting

    From the piece: "With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings." .
    So whether its camera is all the way off or in warm standby isn't very relevant to privacy if no information is being sent out. For instance if I wanted a unit to act only as a movement tracker this would be a good thing to have a camera for but no sending information out. Now the question is why does it need to send video from in my home to the cloud at all? Why can't I just store video locally if I am interested in that or see out of its camera live? I am not sure I understand the use cases of this device.

    1. Re:FUD at least sort of. by vivaoporto · · Score: 2, Insightful

      Not FUD at all. There is an expectation when you turn of a camera / motion detector that it will stop performing its main function (filming, detecting motion) and just do nothing instead.

      imagine a faucet that, when turned off, instead of stopping the flow of water it simply closed the loop in the sink, storing the water somewhere locally for further reuse.

      People would not appreciate the fact that it is not letting the water go away because they want the faucet to stop running water when off.

    2. Re:FUD at least sort of. by Daetrin · · Score: 5, Insightful

      #1 It's a spokesman for Nest saying that it isn't transmitting when you think you've turned it off.

      #2 If the device is already hardwired to allow it to shut down the LED without shutting down the camera then it's only one software update/hack away from transmitting while it appears to be off. (Assuming that such a "feature" hasn't already been included and is just waiting for a signal to activate.)

      I don't think i tend towards excessive paranoia, but having a camera attached to the internet with a power switch which doesn't actually power it down seems a bit sketchy to me. Even if Nest/Google the corporation has fully honorable intentions the situation still seems liable to potential abuse.

      --
      This Space Intentionally Left Blank
    3. Re:FUD at least sort of. by Luthair · · Score: 3, Informative

      I don't think i tend towards excessive paranoia, but having a camera attached to the internet with a power switch which doesn't actually power it down seems a bit sketchy to me. Even if Nest/Google the corporation has fully honorable intentions the situation still seems liable to potential abuse.

      Note its an off button in an app. In order for the user to be able to turn it back 'on' from an app the camera cannot power down. Personally I wouldn't use a cloud connected camera for a variety of reasons but this sounds as if its working exactly as one would expect.

    4. Re:FUD at least sort of. by misosoup7 · · Score: 4, Informative

      But if you are worried about it transmitting when off, it's actually very easy to check with packet sniffers. This really shouldn't even be a he said she said argument. There is a really clear and simple way to test this:

      1. Turn Nest Camera to "off" mode, ie the Green LED is off. 2. Start up wireshark and see if the Nest Camera is transmitting to the anything and where it's transmitting to.

      Now, repeat the above with the Nest fully turned on. Compare the packets captured. Is the camera talking to the same servers and transmitting similar amount of data?

      You can tell much more objectively this way then speculating what is or isn't doing based on power usage.

    5. Re:FUD at least sort of. by aXis100 · · Score: 2

      It is good engineering practice that when you "soft" power something down, all unnecessary circuits get switched into low power/standby modes, and you only retain just enough functionality to detect the "power on" signal. It takes some effort to do well but it's not rocket science.

  5. Re:non-story by Anonymous Coward · · Score: 2, Informative

    The problem is it's still recording when it shouldn't be. There is also the fact that you can't even delete YOUR videos that have been uploaded to their servers. They simply don't allow it.

  6. Yep by markdavis · · Score: 4, Insightful

    >"The truth is: the Nest Cam is never "off" despite an effort by Nest and its parent Google to make it appear otherwise."

    And this surprises anyone? I work on the EXPECTATION that equipment that uses cloud services outside my control, and is not open source, and always connected to the Internet is just that.... uncontrolled.

    Even if it were "off", there is nothing to prevent it from being turned on remotely or being changed to do so with an automatic update. Promises made by companies mean almost nothing to me... if you can even understand them when it is followed by 10 pages of incomprehensible legal jargon.

    And then there are the security risks that have nothing to do with the manufacturer. If it is connected, it can be compromised by someone.

    There is a reason I don't have certain devices in my home. This stuff is going to get worse and worse. People should probably reflect on why one wants or needs everything to be connected to a third-party service or always connected to the Internet. Just because it seems "cool" doesn't mean it is a great idea or that there is no potential hidden cost.

    1. Re:Yep by markdavis · · Score: 2

      >"You say "cool", I say useful. I used my Dropcam (back when it was still called that) to catch my landlord entering my apartment illegally."

      And why couldn't you do that with a camera that uses your OWN web services or your own private software? And why did it have to be on the Internet in order to record? Those are exactly my points. Not everything has to have some third-party service or connectivity to be useful. The third-party service might, indeed, be convenient... buy security and privacy are both typically at odds with convenience.

  7. Fuck IOT by GerryGilmore · · Score: 4, Insightful

    Look, I'm not a Luddite by any means (got started with Data General back in 1976 but am currently in development of a web-based app using Laravel, so - welcome to my lawn!), but the current trend of "internet-ize everything and we'll figure out security, basic expectations, etc. later" is ridiculous! I love my flat-panel TV but, when it comes time to buy my next one, it will NOT be a "smart" TV. A TV is a fucking receiver - period. I'm OK with having it (STV) as an option on models clearly marked as such, and I know that some of the FB/Twitter-oriented crowd will just love the idea of sharing what they're currently watching, commenting on it, etc. But.....count me TF out!

  8. Re:non-story by Dereck1701 · · Score: 5, Insightful

    If its not transmitting the data to the internet, and doesn't have the capacity to store video/audio streams itself its not "recording". That said any device with a video/audio input should have hardware based light indicating if that capability is powered or not. No form of software updating/hacking should be able to disable that functionality.

  9. Re:non-story by Assmasher · · Score: 2

    Because when the "power is off" it is not off.

    Why not just say "it is not transmitting"? ...because people want to be able to turn it off.

    Next thing you know they'll change their EULA to say "...when powered off we reserve the right to send data to Google services..."

    --
    Loading...
  10. flawed "research" by lophophore · · Score: 5, Insightful

    30 mA will light most modern LEDs screaming bright. Or very bright, at least.

    Deciding that the camera is not uploading images to the cloud based on power consumption is like deciding that water is wet by looking at clouds... I did not see any mention of ethernet packet capture in TFA. You want to see if the thing is uploading? show me some captured packets.

    The argument is specious at best. It is a wireless camera, administered over an internet connection. In "power down" mode it still needs a way to be powered back on -- so it needs to keep its microprocessor and wifi radio on.

    The researcher says that power down mode should reduce current by 10-100 times. Let's see. 1/10 of the 322 mA cited for 360p "video record -- no motion" would be 32 mA. I'm gonna go out on a limb here and say you cannot run a microprocessor and wifi radio at that power level. And the 1/100th? 3.2 mA? NFW.

    TFA is a troll, perhaps by a shill. it is a crock of shit, and it stinks.

    --
    there are 3 kinds of people:
    * those who can count
    * those who can't
  11. Re:Reasons why I don't like the Internet of Things by GuB-42 · · Score: 5, Funny

    The Internet of things is not hearing the sound of thousands of scroll wheels...

  12. Crappy engineering by FrankSchwab · · Score: 2, Insightful

    So, to have an IOT thermostat I have to give it around 350 ma @ 5 v (over 1.5 watts) 24 hours a day, 7 days a week? That's roughly 13 kWh over the space of a year.

    It must be nice to design devices where someone else has to pay for the sloppy engineering.

    /frank

    --
    And the worms ate into his brain.
  13. Re:non-story by MightyYar · · Score: 2

    To most of us, a camera that technically has power flowing to it but isn't actually doing anything is still off. This is like an epic pedantic troll comment, but it's a whole article.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  14. Trust by gurps_npc · · Score: 4, Insightful
    We all know we can trust google (owner of Nest) to:

    1) Respect our privacy

    2) Ignore/Fight NSA warrants to let them use the Nest to look into your home with the light turned off.

    3) Write perfect code so that crackers/hackers will never get in and play with it.

    On second thought, these things should be sold with camera covers.

    --
    excitingthingstodo.blogspot.com
  15. Re:Reasons why I don't like the Internet of Things by JaredOfEuropa · · Score: 3, Insightful

    I'm a fan of home automation (a hobby of mine that's increasingly turning into a business). I, and many fellow HA enthusiasts, are firm proponents of the LAN of Things, or even a Separate Network - Controlled By a Hub That is Only Allowed To Connect To the Internet Under Strict Conditions - Of Things. There are plenty of useful ways to automate your home (no, nothing essential or life-changing, but sometimes very convenient), but very little of that requires data to leave the house. And when it does, it should only happen on your own terms. And cameras? The ones around my house have their power cut off externally when we're home, and show a light when they are on (a separate dumb LED on the same power supply). No use taking any chances there.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  16. Re:non-story by mikael · · Score: 4, Informative

    No, that's just on "standby mode", that's not "off".
    Off is no power running through the circuits, and not doing anything useful.
    Standby is power running through the circuits and not doing anything useful
      On is power running through circuits and doing something useful

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  17. Re:non-story by Assmasher · · Score: 2

    ^this

    --
    Loading...
  18. Re:Reasons why I don't like the Internet of Things by Ol+Olsoc · · Score: 4, Insightful

    I'm a fan of home automation (a hobby of mine that's increasingly turning into a business). I, and many fellow HA enthusiasts, are firm proponents of the LAN of Things, or even a Separate Network - Controlled By a Hub That is Only Allowed To Connect To the Internet Under Strict Conditions

    Like over my cold dead body?

    Would you give a warrantee tghat my Washing machine or toaster or heating system will never ever be hacked?

    I love technology, a lot more than many slash dotters do.

    But nothing has ever been put out to be attached to the interwebz has ever been secure.

    And at the tender mercies of people like this:

    http://specialreports.dailydot...

    There are people out there who fuck with people just because they can - and I'm supposed to give them control of my furnace when I'm on vacation in the winter? Shut that sucker off, pipes break, and they have destroyed my house.

    I don't want to have daily mandatory security updates for my refrigerator, or run the risk of some misanthropic sociopath will turn it off for the Lulz. Maybe I pissed off some Slashdotter, so it's time to burst the pipes. Or do you LoT masterminds have insurance against that sort of thing?

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  19. Re: non-story by Anonymous Coward · · Score: 2, Insightful

    Wifi should be completely off.

    You are saying that a wireless product whose main functionality is "you can turn it on and off from the internet" should turn its wifi completely off when it is turned off (from the internet). I'm not a hardware engineer, but there my be some problems with that approach that are not completely trivial to solve.

  20. Re:Reasons why I don't like the Internet of Things by thegarbz · · Score: 2

    4) Internet of Things devices could watch me while I pleasure myself.

    Does the internet of things pay by the hour?

  21. Re:Reasons why I don't like the Internet of Things by AK+Marc · · Score: 2

    I'm a fan of home automation (a hobby of mine that's increasingly turning into a business). I, and many fellow HA enthusiasts, are firm proponents of the LAN of Things, or even a Separate Network - Controlled By a Hub That is Only Allowed To Connect To the Internet Under Strict Conditions - Of Things.

    That's not IOT, that's IOC - Internet of Controllers. Those pushing the IoT want every home device on a unique IPv6 address and able to talk to anything. The only IoT I've seen sold is by shitty wireless companies trying to sell private networks over their mobile systems. Even those selling IoT don't actually want IoT. Because if you don't control it in a single secure central server, you can't extract payment for every use. And it's all about extracting money from people.

    --
    Learn to love Alaska