Now security researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract Wi-Fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned. Mattel partnered with ToyTalk to develop "Hello Barbie." ToyTalk CEO Oren Jacob said: "An enthusiastic researcher has reported finding some device data and called that a hack. While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge." A petition by the Campaign for a Commercial-Free Childhood asking Mattel to drop the doll has already been signed by over 6,000 people.
NOTE: The original reporting of this hack appears to have been this NBC-Chicago newscast.
Mielke reached that conclusion after analyzing Nest Cam's power consumption. Typically a shutdown or standby mode would reduce current by as much as 10 to 100 times, Mielke said. But the Google Nest Cam's power consumption was almost identical in "shutdown" mode and when fully operational, dropping from 370 milliamps (mA) to around 340mA. The slight reduction in power consumption for the Nest Cam when it was turned "off" correlates with the disabling of the LED power light, given that LEDs typically draw 10-20mA.
In a statement to The Security Ledger, Nest Labs spokesperson Zoz Cuccias acknowledged that the Nest Cam does not fully power down when the camera is turned off from the user interface (UI). "When Nest Cam is turned off from the user interface (UI), it does not fully power down, as we expect the camera to be turned on again at any point in time," Cuccias wrote in an e-mail. "With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings." The privacy and security implications are serious. "This means that even when a consumer thinks that he or she is successfully turning off this camera, the device is still running, which could potentially unleash a tidal wave of privacy concerns," Mielke wrote.
The disclosure comes as a sister program that collects Americans' phone records in bulk is set to end this month. Under a law enacted in June, known as the USA Freedom Act, the program will be replaced with a system in which the NSA can still gain access to the data to hunt for associates of terrorism suspects, but the bulk logs will stay in the hands of phone companies.
The newly disclosed information about the email records program is contained in a report by the NSA's inspector general that was obtained through a lawsuit under the Freedom of Information Act. One passage lists four reasons the NSA decided to end the email program and purge previously collected data. Three were redacted, but the fourth was uncensored. It said that "other authorities can satisfy certain foreign intelligence requirements" that the bulk email records program "had been designed to meet."