The scare might have been real. The hack? Not so much. But the fact that a family spent five minutes fearing that North Korea was launching intercontinental ballistic missiles at the United States is definitely a teachable moment for the rest of us.
“five minutes of sheer terror”
The Mercury News has the story of Laura Lyons, a mother in Orinda, California whose Nest security camera gave her family what she called “five minutes of sheer terror” — when she suddenly heard a legitimate-sounding emergency warning that Los Angeles, Chicago and Ohio had only hours to evacuate before they might be hit by nuclear weapons.
It turned out the warning came from their Nest Cam — and reportedly, a Nest customer service supervisor suggested that they might have been victims of a hack. As the Mercury News and others point out, it isn’t even the first time.
But contrary to the headlines you might be reading around the web, the camera itself wasn’t hacked. Nest’s security wasn’t breached. This isn’t the story of a sly thief breaking into someone’s poorly-protected device.
A Google spokesperson confirmed to The Verge that what the Mercury News suggested is correct: in these cases, the user’s credentials were already compromised:
These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of the security risk.
This is the story of someone who used the same password more than once, for both Nest and some other unrelated website that got breached. From that point on, there’s no need to hack the camera — until Lyons changed her password, anyone could use the compromised credentials to log into the plain ol’ Nest app. No hacking tools necessary.
this is certainly a terrifying thing for the owners that it happened to, but this isn’t a story about smart home hacking, it’s a story about password hygiene and not reusing the same passwords for everything. https://t.co/dGK2VJuc2G— dan seifert (@dcseifert) January 22, 2019
It’s not even like the supposed “hackers” needed to do anything special to send a audio scare: Like most of these cams, there’s a built-in feature (in this case, “Talk and Listen”) that lets you speak to someone over the internet who’s standing in front of the camera.
And there’s a pretty simple way to start protecting against password breaches, one that Nest has offered since March 2017: Two-factor authentication.
Two-factor auth (2FA) isn’t perfect. Particularly the kind that relies on text messages. I’d recommend an authenticator app and maybe even a security key, depending on what you do. But 2FA is remarkably easy to set up and use, offered by practically every major internet service, and is generally kind of a no-brainer, considering how many password breaches we see these days and how many people tend to re-use weak passwords.
You might also try a password manager.
Everyone with a Nest device, PLEASE:1) Log into https://t.co/3WHnKRRsVv2) Click the icon in the upper right hand corner of your screen3) Click “Account Security”4) Click the button next to “2-Step Verification” to ON5) Enter your phone number. https://t.co/YpoD7rnoAJ— Matt Linton ⚕️⚒️ (@0xMatt) January 22, 2019
Google says it’s looking into additional protections for Nest too, though. “We’re actively introducing features that will reject comprised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials,” reads part of a statement.
The one place where Google arguably might be to blame is for not telling Nest users that this kind of nightmare fuel exists — that they, too, might find a stranger shouting threats over the internet, now that it’s happened several times.
Any internet-connected camera, regardless of brand, could be “hacked” this way
But the company actually did take some action last month, too, proactively resetting passwords that appeared to be breached, preventing compromised passwords from being reused, and encouraging customers to adopt 2FA, too, according to a statement the company sent out December 19th.
Should Nest have gone out of its way to advertise that its cameras could be used to start a nuclear scare, when there’s nothing uniquely vulnerable about Nest’s cameras compared to those from rival brands? That seems like a stretch to me.