Hijacked Nest cam broadcasts bogus warning about incoming missiles

A hacker took over a Nest security camera to broadcast a fake warning about three incoming intercontinental ballistic missiles (ICBM) launched from North Korea, sending a family into “five minutes of sheer terror.”

Laura Lyons, of Orinda, California, told the Mercury News that she was preparing food in her kitchen on Sunday when a “loud squawking – similar to the beginning of an emergency broadcast alert” blasted from the living room, followed by a detailed warning about missiles headed to Los Angeles, Chicago and Ohio.

The newspaper quotes her:

It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate. It sounded completely legit, and it was loud and got our attention right off the bat… It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.

Her frightened 8-year-old son crawled under the rug while Lyons and her husband looked at the TV in confusion: why was the station airing the NFC Championship football game, instead of an emergency broadcast?

The couple eventually realized that the warning was coming from their Nest security camera, perched on top of the TV. After multiple calls to 911 – the US emergency number – and to Nest, they eventually figured out that they’d been the victims of a prank. A Nest supervisor told them on Sunday that they’d likely been victims of a “third-party data breach” that gave the webcam hijacker access to the Nest camera and its speakers.

The Lyons family went from terror to anger after they learned that Nest knew about a number of such incidents – though this was the first that involved a nuclear strike – but hadn’t alerted customers. What Laura Lyons told Mercury News:

They have a responsibility to let customers know if that is happening. I want to let other people know this can happen to them.

And what she posted on a local family Facebook group:

My son heard it and crawled under our living room rug. I am so sad and ANGRY, but also insanely grateful that it was a hoax!!

At any given time, it’s safe to assume that there’s a slew of Internet of Things (IoT) devices getting hacked, and not because the company suffered any kind of breach.

Like, say, last month, when an e-intruder used a baby monitor linked to a Nest camera to broadcast “sexual expletives” and threats to kidnap the baby.

Or, say, the creep who hacked into a Nest camera in October to ask a 5-year-old if he’d taken the school bus home, what toys he was playing with, and to shut up when the boy called for his mommy.

Another recent hack came in from a guy who described himself as a white-hat hacker. Don’t mind me, I just want to let you know that your camera is a sitting duck, he told a surprised but grateful Nest owner…

Shields UP! to keep out fake missiles

…who, hopefully, did exactly what that benevolent camera hijacker advised: change his password and set up two-step verification (2SV), also known as multiple- or two-factor authentication (MFA or 2FA).

Whether you call it MFA, 2FA or 2SV, it’s an increasingly common security procedure that aims to protect your online accounts against password-stealing cybercrooks.

For their part, in the wake of the missile prank, the Lyons family disabled the speakers and microphone on their Nest camera, changed the passwords and added 2FA.

Nest parent company Google responded to the white-hat incident, which happened last month, by saying that yes, it’s aware that passwords exposed in other breaches may be used to access its cameras (or your Facebook account. Or your credit card account. Or your eBay or PayPal or Netflix accounts, or, well any of your accounts where you use the same login). Nest cameras can’t be controlled wirelessly without a username and password created by the device owner.

If Nest owners use that same username/password combination for multiple online services, then miscreants can grab them whenever any of those other services gets breached. Then it’s just a matter of trying to log in all over the place to see what other accounts they can get into with the reused login. Online banking? Email accounts? Social media accounts? All of the above?

It’s known as credential stuffing. Because a lot of users have the bad habit of reusing the same passwords across several websites, the tactic is successful far too often.
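Credential stuffing leaves a recognisable trace in a service’s own login logs, and the following added example (not code from the article, Nest or Google) shows a defender’s view of it: a small detector run over constructed auth-log lines, with the log format, thresholds and IP addresses all being this example’s own assumptions.

```javascript
// Added example (not from the article): a minimal credential-stuffing
// detector run over constructed auth-log lines. Stuffing shows up as one
// source trying many *different* usernames and mostly failing, because
// the attacker is replaying leaked username/password pairs rather than
// guessing many passwords for one account.
const SAMPLE_LOG = [ // constructed sample data, not real logs
  '2019-01-20T09:00:01Z ip=203.0.113.7 user=alice result=fail',
  '2019-01-20T09:00:02Z ip=203.0.113.7 user=bob result=fail',
  '2019-01-20T09:00:02Z ip=203.0.113.7 user=carol result=fail',
  '2019-01-20T09:00:03Z ip=203.0.113.7 user=dave result=ok',
  '2019-01-20T09:00:04Z ip=203.0.113.7 user=erin result=fail',
  '2019-01-20T09:00:05Z ip=203.0.113.7 user=frank result=fail',
  '2019-01-20T09:01:00Z ip=198.51.100.2 user=alice result=fail',
  '2019-01-20T09:01:05Z ip=198.51.100.2 user=alice result=ok',
  '2019-01-20T09:02:00Z ip=192.0.2.9 user=gina result=ok',
  'not a log line',
];

const LINE_RE = /^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // skip malformed lines instead of crashing
  return { ts: m[1], ip: m[2], user: m[3], ok: m[4] === 'ok' };
}

// Flag a source IP once it has tried at least minUsers distinct accounts
// and at least minFailRate of its attempts failed.
function findStuffingSources(lines, { minUsers = 5, minFailRate = 0.6 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const s = perIp.get(ev.ip) || { users: new Set(), attempts: 0, fails: 0, hits: [] };
    s.users.add(ev.user);
    s.attempts += 1;
    if (ev.ok) s.hits.push(ev.user); else s.fails += 1;
    perIp.set(ev.ip, s);
  }
  const flagged = [];
  for (const [ip, s] of perIp) {
    const failRate = s.fails / s.attempts;
    if (s.users.size >= minUsers && failRate >= minFailRate) {
      // Accounts that succeeded from a flagged source are the ones whose
      // reused password is already in the attacker's hands: reset them.
      flagged.push({ ip, distinctUsers: s.users.size, failRate, compromised: s.hits });
    }
  }
  return flagged;
}
```

A user who logs in from one address and fails once (198.51.100.2 above) is not flagged; a source cycling through six accounts with one success is, and that one successful account is the reused password to reset first.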

On the plus side, Nest devices don’t come with default logins that users need to change to ward off hijackers. It’s up to users to come up with unique, difficult-to-crack username/password combos that they don’t use anywhere else. If you have a hard time creating and remembering unique, properly convoluted passcodes, you might consider using a password manager (see caveats regarding mobile versions) to create, and store, them for you.

The advice not to reuse passwords isn’t meant just to keep your camera from getting hijacked and used to threaten your kids or broadcast bogus nuclear war alerts. It’s to keep your everything from getting broken into, hijacked, used to scare the bejeezus out of you and your family, and/or vacuumed clean of funds, as the case may be.

Of course, a password can get cracked even if it’s unique. That’s what makes 2FA such a good failsafe: even if creeps guess your password, they still have to have that second factor to get into your stuff. At Naked Security, we’re very pro-2FA, and we hope that all Nest owners flip that switch to keep out the camera hijackers.

Use 2FA whenever it’s available, for that matter. But do keep in mind that it’s not infallible. Last month, we saw a sneaky phishing campaign that beat 2FA. The most secure option is to use a FIDO U2F (or the more recent FIDO2) hardware token such as the YubiKey, because the response such a token produces is cryptographically bound to the genuine site’s web origin, so it will refuse to log you in to an imposter site.