If the internet’s army of creeps isn’t busy blasting bogus warnings about fake nuclear warhead missiles through people’s Nest security cameras, they’re trying to parboil kids by jacking up the Nest thermostat.
A smart-home aficionado in the US state of Illinois told NBC News that he and his wife haven’t slept well in days, after a stranger accessed his Nest home security cameras and thermostats.
Arjun Sud – whom NBC described as an “avid” user of smart-home technology – told the station that shortly after he and his wife put their 7-month-old baby boy to bed on 20 January 2019, they heard a strange noise coming out of the room. When Sud went to investigate, he said, he heard a deep, male voice coming from a Nest security camera that was installed in the nursery – one of 16 he owns, in addition to a security system and two Nest thermostats.
In addition, Sud found that somebody with a) too much time on their hands and b) the password to his Nest gadgets had remotely tinkered with the thermostat, jacking up the temperature to a balmy 90 degrees Fahrenheit (32°C).
Google, which owns Nest, told NBC that it’s aware of similar reports about customers using compromised passwords that were exposed on breaches on other websites.
The advice from Google, and from cyber security experts – including, of course, from us here at Naked Security – is to use unique passwords and two-factor authentication (2FA) to keep cyber intruders from breaking into smart-home devices, be they smart thermostats, baby monitors or other internet-enabled webcams.
Sud isn’t happy with that answer. He told NBC that he didn’t know that 2FA was an option. He wants to return $4,000 worth of Nest products, he wants his money back, and he wants Google and Nest to accept responsibility for not alerting him that 2FA is an option and giving him a heads-up when somebody else accesses his account.
Sud:
It was simply a blame game where they blamed me, and they walked away from it.
Sud’s wrath is understandable. It’s frightening to realize that an intruder could have been eavesdropping on what should be his family’s intimate, private conversations or spying on their child.
Still, we have to ask…
Who’s to blame, here?
Nest didn’t acquire a 2FA option until March 2017. Better late than never, it said at the time – after all, plenty of internet of things (IoT) gadgets still didn’t have it.
2FA involves authenticating yourself via not just a password, but also by a secondary code. Sometimes that code is sent via SMS – though, given phishing attacks that can nab one-time passcodes sent via text, that’s not the most secure option.
Secondary codes can also be generated by a code-generating app such as Google Authenticator, Authy, or Sophos Authenticator (also included in our free Sophos Mobile Security for Android and iOS). Another option is a hardware 2FA key, such as a Yubico key or Google’s Titan.
No question, 2FA adds a security layer to authentication. But is it Google’s responsibility to make sure that Sud and other Nest users know about 2FA? And how do they know what users don’t know?
People need to take responsibility for their online safety. We should all know better by now than to reuse passwords and leave ourselves liable to dirtworms taking our credentials from one breach and stuffing them into other online services until they gain entry, be it to our online bank accounts, our social media accounts, our smart-home gadgets, or the plethora of other places and things we want to keep locked up.
This is a well-known attack called credential stuffing. Unfortunately, it’s successful far too often, given how many people have the bad habit of reusing the same passwords in several places. It’s like somebody found a key on the sidewalk. Lo and behold, it’s the only key used to secure every house on the block. Jackpot!
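Because stuffing means trying one leaked username/password pair after another, it leaves a distinctive trace in a service’s login logs: one source address attempting many different accounts with a high failure rate, and the occasional success among them being exactly the accounts that were reusing a breached password. The block below is an added example of that detection logic, not code from Naked Security, Sophos or Nest; the log format and the sample lines are constructed for the example, and the thresholds are illustrative defaults.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
import re
from collections import defaultdict

# Hypothetical log format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one legitimate user who mistyped once, and one source
# address working through a list of stolen credentials.
SAMPLE_LOG = """\
2019-01-20T02:11:03Z ip=198.51.100.2 user=alice result=FAIL
2019-01-20T02:11:19Z ip=198.51.100.2 user=alice result=OK
2019-01-20T03:01:00Z ip=203.0.113.7 user=alice result=FAIL
2019-01-20T03:01:01Z ip=203.0.113.7 user=bob result=FAIL
2019-01-20T03:01:01Z ip=203.0.113.7 user=carol result=FAIL
2019-01-20T03:01:02Z ip=203.0.113.7 user=dave result=FAIL
2019-01-20T03:01:02Z ip=203.0.113.7 user=erin result=FAIL
2019-01-20T03:01:03Z ip=203.0.113.7 user=frank result=FAIL
2019-01-20T03:01:04Z ip=203.0.113.7 user=grace result=OK
"""


def parse(lines):
    """Turn raw log lines into dicts, silently skipping lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_stuffing(events, min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that tried at least `min_accounts`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.
    Successful logins from a flagged source are the accounts to reset first."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "successes": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].append(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts_tried": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse(SAMPLE_LOG.splitlines())).items():
        print(ip, summary)
```

Per-source counting is the simplest cut; real deployments also look at attempt rate, at many sources sharing one user agent or network, and at logins from a location the account has never used, which is the kind of “suspicious login” alert the commenters below compare with Gmail and Netflix.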
LEARN MORE IN OUR NAKED SECURITY LIVE VIDEO
Credit where credit’s due
To give credit where credit’s due, in May 2018, Google’s Nest division sent alerts to some users, telling them to change their passwords after it learned that their credentials had been involved in a data breach.
Google’s not alone. Facebook and Netflix, among many other big sites, also prowl the internet looking for your username/password combos to show up in troves of leaked credentials.
Sometimes they use gentle recommendations to change your password. Sometimes they lock users in a closet, as Facebook did when it found its users’ credentials had also been used on Adobe.
Don’t get locked in the closet, and don’t trust that such companies are always going to watch your back when you reuse passwords. Sometimes they will. Sometimes they won’t. Sometimes they don’t have enough time: the creeps go about credential stuffing too fast.
Instead, we should all make sure to have a unique set of credentials – one unique, strong set for every site, every service. That goes for all of us, whether or not we’re Nest users. Even if you’re sin-free, make sure your family, your friends, your colleagues and anybody else you can think of are choosing strong passwords, at least 12 characters long, that mix letters, numbers and special characters.
Better yet, think about using a password manager. Granted, they’re not perfect, but they’re pretty good: they’ll not only create tough, unique passwords, but they’ll also store them for you so you don’t have to remember a set of tangled-spaghetti passwords.
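To make the last two paragraphs concrete, here is an added example (not Naked Security, Sophos or Nest code) of the three habits in code: a policy check for the 12-character mixed-class rule above, a generator drawing from the operating system’s cryptographic random source the way a password manager does, a reuse finder over a vault, and a breach check done the way the services described under “Credit where credit’s due” can do it without learning your password, which is the k-anonymity scheme the Pwned Passwords service uses: hash locally, send only the first five hex characters of the SHA-1, and compare the returned suffixes locally. The breach corpus here is a constructed stand-in, and all names are this example’s own.

```python
"""Strong, unique passwords plus a privacy-preserving breach check (added example)."""
import hashlib
import secrets
import string

MIN_LENGTH = 12
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(password: str) -> bool:
    """The article's rule: at least 12 characters mixing letters, digits and specials."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG (never random.random) and retry until the policy holds."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def find_reuse(vault: dict) -> dict:
    """Given {site: password}, return every password shared by more than one site:
    each entry is one breach away from opening all of those accounts."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus (hypothetical). A real service stores only the hashes.
_LEAKED_PLAINTEXTS = ["Password123!", "Winter2019!!", "letmein", "qwerty123"]
BREACHED_HASHES = {_sha1_hex(p) for p in _LEAKED_PLAINTEXTS}


def range_lookup(prefix: str) -> list:
    """Server side of a range query: for a 5-hex-char prefix, return every stored
    hash suffix under it. The server never receives the full hash or the password."""
    return [h[5:] for h in BREACHED_HASHES if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "policy ok:", meets_policy(pw), "breached:", is_breached(pw))
    print(find_reuse({"bank": "Winter2019!!", "nest": "Winter2019!!", "mail": pw}))
```

The policy check is deliberately the article’s own rule and nothing cleverer; length matters far more than the character classes, and a generated 16-character password from a manager sidesteps the “tangled spaghetti” problem entirely because nobody has to remember it.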
JF
I know about Google’s own 2FA but I didn’t know that Nest had 2FA until this article. Just set mine up. Thank you
thedrogsofwar
Disappointing that Nest uses SMS for the MFA method, though. You’d think being owned by Google, they would at least be able to use Google’s own Authenticator app.
Gregg
Your headline is disingenuous at best and borderline libelous. There was no hacking. Someone bought passwords from security breaches and accessed their Nest account. That’s not the fault of Nest and your headline, by calling it “hacking”, implies that Nest is not secure.
Paul Ducklin
I hear you but I don’t agree. You have inferred that we are blaming Nest but I don’t accept that we implied it, any more than a headline like “Mac malware on the loose” implies that Apple was somehow remiss or at fault for someone else’s cybercriminality. Nest is a common and popular brand, and it’s relevant here because Nest makes both cameras and thermostats, and in this case the crook got into both at the same time.
As for fretting about using the term “hacker” to describe a cybercriminal where the break-in wasn’t particularly sophisticated and didn’t require low-level coding or the exploitation of a vulnerability…
…IMO that ship sailed 25 years ago, and “hacker” can now be unexceptionally considered to be a synonym for “a cybercrook who got in”, in addition to any more deeply technical meanings it also has.
Arjun Sud
Thank you so much for telling our story and helping us raise awareness. As I pointed out to Nest when this happened to us, they should have had basic measures, especially as a security product, that alerted us when our account was accessed by a hacker. Gmail, Netflix, even Steam send you suspicious login alerts and Nest, despite having our location, did none of that.
They should have also had logging available so we could check who logged into our account, from what device and when, but they have none of that.
Shamefully, when we asked them for the logs, they said they did not have them. How is this possible! Absolutely unbelievable. At this point we don’t know how long our family was being watched – a day, weeks, months or longer.
They could have blurred the entire address in their system but now whoever did this knows exactly where we live.
We have had our account since the Gen 1 thermostat, well before 2 factor was enabled, and as an average consumer Nest should have educated us that it was available and what it did. Instead of that they sent us product marketing emails and nothing informing us about this feature.
I appreciate you sharing our story and I hope that this helps us in raising awareness so this never ever happens again to anyone. Shame on Nest for putting out a PR statement denying any of the points I told them about as stated above. [Video link deleted.]
Paul Ducklin
May I earnestly suggest that you watch the video embedded in the article above entitled “How to stop a hacker home invasion…”?
Caleb
I just don’t understand how you can own ~ $4,000 worth of -security- equipment and not know what 2fa is or how to enable it. That literally baffles me. I understand what happened and I’m sorry for your traumatic experience. I just don’t believe that aspect of this story.
Arjun Sud
We created our Nest account when we got the Gen 1 thermostat and then added equipment over time. There was no 2 factor authentication when we originally created our account and we never ever got an email letting us know that it was added (although we got tons of marketing product emails), so we were unaware that 6-7 years later they added the feature.
Anonymous
My neighbor’s car was “hacked” overnight (again!) as they leave their doors unlocked frequently. Now they blame the manufacturer for not contacting them to lock their vehicle and hold them responsible for the “hack” (as it is controlled through a key FOB system).
Ben
It amazes me how many people are unable to differentiate negligence from unauthorized. The victims, in this case, didn’t broadcast their credentials all over the place; they were acquired illegally. It was an unauthorized entry. Period. An unlocked door is not an invitation for entry (see “stand your ground” and reasonable expectation of privacy).
I was also a victim of this crime. The intruder then changed my password, locked me out, and reassigned my cameras and I didn’t get a single notification from Nest. The 2FA option was not presented when I set up my account. It wasn’t until I called Nest, and proved that I had physical custody of the cameras (I live in MN and they tracked and located my cameras in IL using the serial numbers). It was only then that the rep informed me of the 2FA option. Like the victim experienced, they took no responsibility for anything.
Paul Ducklin
A closed but unlocked door is, indeed, not an invitation for others to enter (in many jurisdictions, anyway), but at the same time, if you leave your door unlocked then that’s not the fault of the company that made the lock. Same thing if you lock the door and leave the key under the doormat. Sometimes, the buck stops with you.
It would indeed be nice if Nest had proactively spotted the unauthorised login to your account, but to expect Nest to be able to differentiate *every* request automatically, even when the correct password was used, is IMO unreasonable. If Nest (or any other provider) could reliably tell whether the person logging in was you or not *without relying on the password*, then there would be no need for a password in the first place.
What everyone needs to remember is that if you re-use the same password on multiple sites, you *are* effectively “broadcasting your credentials all over the place”, and a breach by one sloppy site will give the crooks access to all your other accounts. Most online services remind you about that – my bank does its best to persuade you not to use the same PIN on two different bank cards – but I think we have to accept by now that this sort of warning might as well be considered to “go without saying”.
Arjun Sud
I completely agree. Thank you so much for your support. Let’s just hope this never happens to anyone again .
A-kun
Please do not agree with people who are being essentially as ignorant as yourself in hopes of looking less an idiot for:
A) Not having a strong password for such a critical system
B) Not caring to know if you are on top of all security measures available for your system as it well seems you missed something or figured “I don’t need this”.
Just to add: I am sorry that this happened, because it affected a baby. And as much as I might blame the hacker who seemed informed enough to have made a less harmful change to denounce he had breached the system, I still hold you as much a guilty part for having these systems around a child without being in absolute control of the system’s security.
Mark
Just sad how people refuse to take accountability. ALERT: you are responsible for what you put in your house AND for ensuring security of both. You can’t blame the company that installed your windows if someone uses one to get in because you didn’t lock the thing. It is unfortunate that this did happen and involved a minor, and yes, technology companies need to think about security before and after a product release; this is why you research a product before purchase, and yes, you should think about security risk vs reward.
Nothing New
I want to say that this is on the owner and partially Nest’s responsibility. Owner for not checking in on features, enhancements or bugs and Nest for poor marketing of this feature. Reality is, people purchase these devices and believe they follow the set-and-forget configuration.
Resources for the owner – Have I Been Pwned – google it – register all your email addresses and see where your data has been breached. If you want to take action, go after the companies who leaked your data and for failing to properly secure it.
Just a simple question – For any other accounts you own, do you have 2FA enabled? If not, this would be the time to revisit these sites and enable that feature. 2FA managers – Google Authenticator or Authy (preference). A password vault too.
Arjun Sud
I would like to correct 2 factual inaccuracies above please:
1) This occurred on Jan 20th
2) I did not state that Google / Nest should be responsible to tell us about reused passwords. What I had said was that they should alert us if there are suspicious logins into our account as Netflix, Steam and Gmail do.
Thank you
Paul Ducklin
Done.
Cynical
Trump would love this conversation, you either want a security wall or you don’t – LOL nobody here would take down their home firewall….
Darla
Stop saying hacker. Stealing someone’s password isn’t hacking.
Paul Ducklin
Breaking into someone else’s computer without authorisation using an illegally-acquired password…
…is hacking by any reasonable contemporary interpretation of the word.
(After writing that, I thought I’d see if the New American Oxford Dictionary agrees with me. It does, defining hacking as “us[ing] a computer to gain unauthori[s]ed access to data in a system“. FWIW, the Oxford Dictionary also admits of the old-school sense of a quick and inventive solution to a computer problem. Words can adapt and extend their meaning over time, which is why your phone still tells you that you are “dialling” even though telephones haven’t had dials for 30 years, and why not all hackers are gifted programmers with good intentions.)
Bryan
Wait. Can you rewind that?
Bryan
Duck, it cracks me up that you Anglicized a definition while quoting the New American dictionary.
Your Easter Eggs are fun, and I apologize for not noticing the first time around, but I caught it now.
:,)
Paul Ducklin
Actually, Oxford University Press, which publishes both the Oxford Dictionary of English (ODE, not to be confused with the Oxford English Dictionary, usually called just the OED) and the New Oxford American Dictionary (NOAD), uses the spelling “authorized” in both editions.
If you look up the word “authorize” itself, you will find it as the only accepted spelling in NOAD, and as the preferred spelling in ODE, which admits of “authorise” as a secondary spelling.
(Interestingly, when ODE came out in the late 1990s it was NODE; now it is accepted enough to have dropped the “N”. Presumably the NOAD will soon lose its “N” to follow suit, once it’s old enough. Those two dictionaries are the ones you get for “British English” and “American English” when you buy a Mac.)
Sean M Hunter
Choose a better password
This is not hacking
Change your password every 90 days
Security aware
Unauthorized access to a system = hacking. Period.
As already stated, change your password and use something not easily cracked.
Not knowing about 2FA doesn’t give reason to whine and cry like a toddler and demand others take responsibility for a lack of proactive forward thinking.
Clowns.
Arjun Sud
Are you blaming us entirely for this incident?
Paul Ducklin
I don’t think anyone is *blaming* you – the blame clearly lies with the crook who logged in illegally.
I think that what many people find surprising is that you seem to be expecting Google to accept all the responsibility for the conditions that led to the illegal login.
That’s about the long and short of it, I’d say.
A-kun
I’m actually blaming this person as much as the hacker. If the intruder did something awful? Yes. If this person is minimally responsible? I’m going to say yes because to have these systems around a child without being absolutely in control of the system and being up to date with security features? I’m sorry, are you telling me the hacker brute forced a 50 character password?
…. you used a unique, STRONG password, right?
Jim
The user probably uses the same password everywhere, and then one of their other accounts was compromised; they are the victims of credential phishing. To use the “unlocked door” analogy above, the user has all of their locks keyed alike for convenience, and because the shed isn’t that important, when someone stole their shed key, they didn’t worry about the fact that it could open their front door as well. Now they want to blame the lock manufacturer.
If the user knew anything about security, they would use a unique, difficult-to-guess password. They would have 2fa on all of their other stuff, even if they didn’t know it was available for Nest. They had a crappy password and reused it everywhere and never bothered with 2fa for anything and the manufacturer is supposed to fix their poor security habits.
How on earth is Nest supposed to know that you used your same credentials somewhere else and that the other site was compromised? Equally, how are they supposed to know that the hacker logon was suspicious? Do you want an email listing every single IP where you sign on from? Do you want to pay the extra costs for them to set up this kind of alerting? Even if Nest had warned you, the hacker would probably just delete the email, seeing as how you most likely used that password for your email too. Then you could blame the email provider as well.
Hackers are jerks, but it’s not that hard to use basic security hygiene. This could have easily been prevented. For those reading this, do the following if you don’t want to be a victim:
1) Use strong passwords that are difficult to guess but easy to remember
2) Don’t reuse passwords. Ever.
3) Set up 2fa wherever you can.
4) Sign up for alerts through BreachAlarm or go to haveibeenpwned.
Security aware
@Paul, Amazing what unbiased opinions can generate. Thank you.
Wil
There is an entire subreddit and 4chan channel dedicated to unsecured Nests.