No, Nest Cams are not being hacked to issue fake nuclear weapons threats
The scare may have been real. The hack? Not so much. But the fact that a family spent five minutes fearing that North Korea had launched intercontinental ballistic missiles at the United States is definitely an educational moment for the rest of us.
Mercury News has the story of Laura Lyons, a mother in Orinda, California whose Nest security camera gave her family what she called "five minutes of pure terror" – when they suddenly heard what sounded like a legitimate emergency warning that Los Angeles, Chicago and Ohio had only hours to evacuate before being hit by nuclear weapons.
It turned out that the warning came from their Nest Cam – and Nest customer service reportedly informed them that they could have been victims of hacking. As Mercury News and others point out, it's not even the first time.
But unlike the headlines you might read around the web, the camera itself was not hacked. Nest's security was not breached. This is not the story of a clever thief breaking into a poorly protected device.
A Google spokesman confirmed to The Verge that what Mercury News suggested is correct: in these cases, the user's credentials were already compromised:
These recent reports are based on customers who use compromised passwords (exposed through breaches of other sites). In almost all cases, two-factor verification eliminates this type of security risk.
This is the story of someone who used the same password more than once, for both Nest and some other unrelated website that was breached. From that point on, it is not necessary to hack the camera – until Lyons changed the password, anyone could use the compromised credentials to log in to the regular Nest app. No hacking tools needed.
This is definitely a scary thing for the owners it happened to, but this is not a story of smart home hacking, it's a story of password hygiene and not reusing the same passwords for everything. https://t.co/dGK2VJuc2G
– dan seifert (@dcseifert) January 22, 2019
It's not even like the "hackers" needed to do anything special to send an audio stream: like most of these cameras, there is a built-in feature (in this case "Talk and Listen") that lets you talk over the internet to someone standing in front of the camera.
And there is a pretty easy way to start protecting against password breaches, one that Nest has offered since March 2017: two-factor authentication.
Two-factor authentication (2FA) is not perfect, especially the type that depends on text messages. I would recommend an authentication app and maybe a security key, depending on what you do. But 2FA is remarkably easy to set up and use, is offered by virtually every major internet service, and is usually a no-brainer, considering how many password breaches we see these days and how many people tend to reuse weak passwords.
You can also try a password manager.
Everyone with a Nest unit, PLEASE:
1) Log in https://t.co/3WHnKRRsVv
2) Click the icon in the upper right of your screen
3) Click "Account Security"
4) Click the button next to "2-step confirmation" to ON
5) Enter your phone number. https://t.co/YpoD7rnoAJ
– Matt Linton ⚕️⚒️ (@0xMatt) January 22, 2019
Google says it is looking at several protections for Nest as well. "We are actively introducing features that will reject compromised passwords, allow customers to monitor access to their accounts, and track remote entities that misuse credentials," reads part of a statement.
The only place where Google could be faulted is in not telling Nest users that this type of nightmare fuel exists – that they, too, could find a stranger shouting threats over the internet, now that it has happened several times.
But the company did take some action last month, proactively resetting passwords that appeared in breaches, preventing compromised passwords from being reused, and urging customers to adopt 2FA, according to a statement issued by the company on December 19.
Should Nest have gone out of its way to announce that the cameras can be used to start a nuclear scare, when there is nothing uniquely vulnerable about Nest's cameras compared to those of competing brands? It seems like a stretch to me.
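One way a service can implement the two protections mentioned above, rejecting compromised passwords and forcing a reset when a password in use turns up in a breach, is shown here as an added example. It is not Nest's or Google's code: the breach sample is constructed, the function names are hypothetical, and the 5-character hash-prefix lookup is an assumption modelled on the public Pwned Passwords range format.

```python
import hashlib

# Constructed sample of passwords exposed in breaches of other sites (not real data).
CONSTRUCTED_BREACH_SAMPLE = {"hunter2": 17043, "Summer2018!": 311, "nestcam123": 2}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Group breached-password hashes by 5-char prefix: {prefix: {suffix: count}}."""
    index = {}
    for password, count in breached.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def range_lookup(index, prefix):
    """Stand-in for a breach-corpus service. It only ever sees the hash prefix."""
    bucket = index.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def breach_count(password, index):
    """Return how many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    for line in range_lookup(index, digest[:5]).splitlines():
        suffix, _, count = line.partition(":")
        if suffix == digest[5:]:
            return int(count)
    return 0


def accept_new_password(password, index):
    """Password-change check: refuse anything already exposed in a breach."""
    return breach_count(password, index) == 0


def login_decision(password_matches, password, index, has_2fa):
    """Decide what to do after the password check at login."""
    if not password_matches:
        return "deny"
    if breach_count(password, index) > 0:
        # Correct password, but others may hold it too: reset through the
        # account's verified email address, never inside this session.
        return "force_reset"
    return "require_2fa_code" if has_2fa else "allow"


INDEX = build_range_index(CONSTRUCTED_BREACH_SAMPLE)
```

Because the lookup receives only the first five characters of the hash, the breach-corpus side never learns which password was being checked.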