Sophos News

Google to force Nest users to turn on 2FA

Nest owners, if you aren’t already flying with two-factor authentication (2FA) on your accounts, get ready for Google to push you into spreading those security wings.
On Tuesday – which, appropriately enough, was Safer Internet Day – Google announced that in the spring (or in the fall, for those in the Southern Hemisphere), it will start forcing users of its Nest webcams and other products to use 2FA to secure their accounts.
Nest users who haven’t yet enrolled in the 2FA option or migrated to a Google account will be required to take an extra step by verifying their identity via email, Google said in a blog post. When a new login hits your Nest account, you’ll get a login notification from account@nest.com containing a six-digit verification code. Without that code, anybody trying to get into your account will be locked out.
That should help with, say, keeping creeps from talking to your baby through a Nest security cam, or trying to crank up your Nest thermostat to tropical levels, both of which have happened to people who say they weren’t aware that 2FA is an option.
Google:

This will greatly reduce the likelihood of an unauthorized person gaining access to your Nest account.
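The e-mailed six-digit code flow described above, as an added illustration of the server-side half (this is example code, not Google's or Nest's implementation; the ten-minute lifetime, five-attempt limit and account-keyed store are assumptions, since the article does not state them):

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60  # assumed code lifetime; not stated in the article
MAX_ATTEMPTS = 5            # assumed guess limit per code; not stated in the article


class VerificationStore:
    """Server-side record of outstanding e-mail login codes, keyed by account."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> (code digest, expiry timestamp, attempts left)

    @staticmethod
    def _digest(account, code):
        # Store a hash bound to the account, so a leaked table does not reveal live codes.
        return hashlib.sha256(f"{account}:{code}".encode()).hexdigest()

    def issue(self, account):
        """Generate a fresh six-digit code and return it for e-mailing to the user."""
        code = f"{secrets.randbelow(1_000_000):06d}"  # CSPRNG, zero-padded
        expiry = self._clock() + CODE_TTL_SECONDS
        self._pending[account] = (self._digest(account, code), expiry, MAX_ATTEMPTS)
        return code

    def verify(self, account, submitted):
        """Return True only for a live, unexpired, unused code; burn it after too many misses."""
        record = self._pending.get(account)
        if record is None:
            return False
        digest, expiry, attempts = record
        if self._clock() > expiry:
            del self._pending[account]
            return False
        if hmac.compare_digest(digest, self._digest(account, submitted)):
            del self._pending[account]  # single use: a replayed code must fail
            return True
        attempts -= 1
        if attempts <= 0:
            del self._pending[account]  # limit brute-forcing of the million-value space
        else:
            self._pending[account] = (digest, expiry, attempts)
        return False
```

The attempt cap matters: with only a million possible values, a code that can be guessed without limit is not a second factor.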

Google started sending out login notifications for Nest accounts in December 2019. Sometimes, simply being told that somebody’s logged into your account is all it takes to spot suspicious activity, Google said:

Every time someone on your account logs in you’ll receive an email notification. That way if it wasn’t you, you can take action immediately.

Credential-stuffing-b-gone

Earlier this year, Google also addressed the problem of automated attacks such as credential stuffing – a type of attack that’s on the rise. Between November 2017 and June 2018, internet content delivery company Akamai estimated that its customers fielded 30 billion credential-stuffing attempts.
As Akamai went on to report in April 2018, three of the largest credential-stuffing attacks against streaming services in 2018 – ranging in size from 133 million to 200 million attempts – followed close on the heels of reported data breaches, indicating that hackers were likely testing stolen credentials before selling them.
Google said on Tuesday that Google accounts already come with protection against credential-stuffing, but earlier this year, it began applying an anti-stuffing-attack technology on Nest accounts that haven’t migrated to Google accounts. That technology – called reCAPTCHA Enterprise – sniffs out attacks from bots that scrape email addresses and content, post spam and try to brute-force stolen user credentials on a huge scale.
And, just like reCAPTCHA v3, reCAPTCHA Enterprise can tell the difference between bots and humans without forcing users to jump through hoops – no ticking of boxes, no tedious visual puzzles that force you to check all the boxes with a bus or crosswalk in them.
Google’s also been proactively checking lists of breached passwords when users supply a password for their Nest accounts, to see if the password has been exposed in credential breaches outside of Google – a tactic it had already been using for months on its browser via a Chrome extension. It’s one way to keep users from committing the all too common security sin of reusing passwords.
Google says it’s also proactively resetting accounts when it detects suspicious activity. It is also issuing automatic updates, disallowing default or easy-to-guess device passwords, and performing verified boot: a way to ensure that all executed code comes from a trusted source (usually device OEMs), rather than from an attacker or code corruption.

Best practices to secure Nest devices

Finally, Google provided this list of security best practices for your Nest products:

