PSA - Do Not Make Your Nest Cam Public Just To Access The Stream

Be aware of privacy implications before you make your Nest cam public.

By Den Delimarsky in Security

January 6, 2018

Nest logo with a lock

We really love the Nest Cam in our apartment. I was recently investigating how the Nest cam works from the inside, as I thought I could access the stream directly. The short answer - you can’t, because the stream is behind DRM protection.

However, I’ve also realized that a lot of other people are looking for a similar solution, and the approach taken is not only wrong, but flat-out dangerous. What appears to be the mainstream “workaround” is to share the camera as a public one, and then Nest will generate a link that can be embedded in other web pages. Then, users can pick up the m3u8 link to their stream and use it with third-party software to keep track of the camera and capture the stream.

Please, DO NOT MAKE YOUR CAMERA PUBLIC unless you want the content to be public. The URLs generated follow a very predictable pattern, and the camera unique identifier can be easily substituted. More than that - some of the generated links are indexed by various search engines, and are (somehow) included in various code repositories.

When you make the camera public, do not ever trust advice that nobody will be able to guess the URL - they will. If it is facing the internet with no authentication - it will be discovered.

Subscribe to The Den:

A monthly newsletter about technology, machine learning, security, and just tinkering with code.

Feedback

Have any thoughts? Let me know on Twitter!