The importance of password hygiene presents itself as Nest cameras turned against owners

News
By last updated

Never let the truth get in the way of a good headline, they say. (And I should know — I've been writing headlines for 20 years.)

But if the following headline from the San Jose Mercury News sounds just a little too sensational, you're right. It is.

"5 minutes of sheer terror": Hackers infiltrate East Bay family's Nest surveillance camera, send warning of incoming North Korea missile attack"

That's a mouthful. And it's also incorrect.

https://twitter.com/mdrndad/status/1087861524738334721

ORINDA — Laura Lyons was preparing food in her kitchen Sunday when the lazy afternoon took a turn for the absurd. A loud squawking — similar to the beginning of an emergency broadcast alert — blasted from the living room, the Orinda mother said, followed by a detailed warning of three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago and Ohio."It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate," Lyons said Monday. "It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on."

The story, as you might have surmised by now, involves some Nest cameras and someone who shouldn't have gaining access to them. But the first question you need to ask (and presumably a reporter needs to ask) is how did someone gain access to the hardware.

In this case, the camera owner's account was compromised. If I have your email and password and can log into your Nest account, I can say whatever I want through your Nest devices' speakers. That's how they work.

Sure, folks probably were terrorized for 5 minutes. But nobody infiltrated anything. They came in through the front door.

How to set up two-factor authentication in your Nest app

We cannot (and should not) blame the victim here. This is a pretty awful attack, even if it ultimately didn't do any physical damage. (Though who knows how long the lurkers were lurking and what they might have seen and heard through the cameras.)

But it's once again another example of why password hygiene is so important. Unique passwords must be used. Password managers should be employed. Two-factor authentication must be used whenever it's available. (Nest has 2FA at the account level, but it only uses SMS tokens, which aren't as secure as folks would like to think. It's also optional and not on by default.)

The internet (and the next-generation Internet of Things) was not built with security in mind. It's up to us to protect ourselves.