Skip to content
Naked Security Naked Security

Hijacked Nest cam broadcasts bogus warning about incoming missiles

A hacked Nest camera broadcast the fake warning about incoming North Korean missiles, sending a family into “five minutes of sheer terror.”

A hacker took over a Nest security camera to broadcast a fake warning about three incoming intercontinental ballistic missiles (ICBM) launched from North Korea, sending a family into “five minutes of sheer terror.”

Laura Lyons, of Orinda, California, told the Mercury News that she was preparing food in her kitchen on Sunday when a “loud squawking – similar to the beginning of an emergency broadcast alert” blasted from the living room, followed by a detailed warning about missiles headed to Los Angeles, Chicago and Ohio.

The newspaper quotes her:

It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate. It sounded completely legit, and it was loud and got our attention right off the bat… It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.

Her frightened 8-year-old son crawled under the rug while Lyons and her husband looked at the TV in confusion: why was the station airing the NFC Championship football game, instead of an emergency broadcast?

The couple eventually realized that the warning was coming from their Nest security camera, perched on top of the TV. After multiple calls to 911 – the US emergency number – and to Nest, they eventually figured out that they’d been the victims of a prank. A Nest supervisor told them on Sunday that they’d likely been victims of a “third-party data breach” that gave the webcam hijacker access to the Nest camera and its speakers.

The Lyons family went from terror to anger after they learned that Nest knew about a number of such incidents – though this was the first that involved a nuclear strike – but hadn’t alerted customers. What Laura Lyons told Mercury News:

They have a responsibility to let customers know if that is happening. I want to let other people know this can happen to them.

And what she posted on a local family Facebook group:

My son heard it and crawled under our living room rug. I am so sad and ANGRY, but also insanely grateful that it was a hoax!!

At any given time, it’s safe to assume that there’s a slew of Internet of Things (IoT) devices getting hacked, and not because the company suffered any kind of breach.

Like, say, last month, when an e-intruder used a baby monitor linked to a Nest camera to broadcast “sexual expletives” and threats to kidnap the baby.

Or, say, the creep who hacked into a Nest camera in October to ask a 5-year-old if he’d taken the school bus home, what toys he was playing with, and to shut up when the boy called for his mommy.

Another recent hack came in from a guy who described himself as a white-hat hacker. Don’t mind me, I just want to let you know that your camera is a sitting duck, he told a surprised but grateful Nest owner…

Shields UP! to keep out fake missiles

…who, hopefully, did exactly what that benevolent camera hijacker advised: change his password and set up two-step verification (2SV), also known as multiple- or two-factor authentication (MFA or 2FA).

Whether you call it MFA, 2FA or 2SV, it’s an increasingly common security procedure that aims to protect your online accounts against password-stealing cybercrooks.

For their part, in the wake of the missile prank, the Lyons family disabled the speakers and microphone on their Nest camera, changed the passwords and added 2FA.

Nest parent company Google responded to the white-hat incident, which happened last month, by saying that yes, it’s aware that passwords exposed in other breaches may be used to access its cameras (or your Facebook account. Or your credit card account. Or your eBay or PayPal or Netflix accounts, or, well any of your accounts where you use the same login). Nest cameras can’t be controlled wirelessly without a username and password created by the device owner.

If Nest owners use that same username/password combination for multiple online services, then miscreants can grab them whenever any of those other services gets breached. Then it’s just a matter of trying to log in all over the place to see what other accounts they can get into with the reused login. Online banking? Email accounts? Social media accounts? All of the above?

It’s known as credential stuffing. Because a lot of users have the bad habit of reusing the same passwords across several websites, the tactic is successful far too often.

On the plus side, Nest devices don’t come with default logins that users need to change to ward off hijackers. It’s up to users to come up with unique, difficult to crack password/user name combos that they don’t use anywhere else. If you have a hard time creating and remembering unique, properly convoluted passcodes, you might consider using a password manager (see caveats regarding mobile versions) to create, and store, them for you.

The advice not to reuse passwords isn’t meant just to keep your camera from getting hijacked and used to threaten your kids or broadcast bogus nuclear war alerts. It’s to keep your everything from getting broken into, hijacked, used to scare the bejeezus out of you and your family, and/or vacuumed clean of funds, as the case may be.

Of course, a password can get cracked even if it’s unique. That’s what makes 2FA such a good failsafe: even if creeps guess your password, they still have to have that second factor to get into your stuff. At Naked Security, we’re very pro-2FA, and we hope that all Nest owners flip that switch to keep out the camera hijackers.

Use 2FA whenever it’s available, for that matter. But do keep in mind that it’s not infallible. Last month, we saw a sneaky phishing campaign that beat 2FA. The most secure option is to use a FIDO U2F (or the more recent FIDO2) hardware token such as the YubiKey because they will refuse to log you in to an imposter site.


“we’re very pro-2FA, and we hope that all Nest owners flip that switch to keep out the camera hijackers.”

I hope that Nest and other IoT manufacturers ‘enforce’ the use of 2FA in their products.


One problem with enforcing 2FA is that it’s not universally popular – lots of people still don’t like it, refuse to use it, and resent being told they ought to. You can argue that a company as powerful as Google is the right sort of business to bite the bullet and force all its customers to switch to the path that is currently less well trodden…


That could be said about any security improvements… In the meantime, we’ll see more articles like this one


Using 2FA has it’s downsides if you are in an environment where you can’t have access to half of your 2FA (i.e. an employer who doesn’t allow personal mobile phones at your desk during the day) then you are essentail locked out through no fault of your own.

Now I will admit there are many to work around this in most cases, but they all come with thier own different risks as well.


It’d be great if Nest allowed 2FA via something other than just SMS… I hear their parent company has an Authenticator App and an even more secure 2FA method via the Google app…


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!