Sign in to follow this  
Springfield

My Nest camera system was hacked last night (Update 1/31)

Recommended Posts

Morning all,

 

Last night my Nest IP camera system was hacked.  I have several IoT devices in my house.  Two Nest camera (one in each of my kids rooms), Two Arlo cameras (outside cameras), an Ecobee thermostat, several Sonos speakers, a couple Amazon Dots.  The convenience of these connected devices is great.  This story will be a good reminder to keep your stuff secure.

 

Last night, I was getting my two kids ready for bed.  I was in the youngest child’s (2) room getting ready to change his diaper while my oldest (4) was getting into his pajamas in his own room.  My oldest child walks into the room and asks for help buttoning up his shirt.  From the camera in the room I hear, “Button up his shirt ****.”  Taken slightly by surprise, my mind goes into action.  I’ve heard of IP cameras being hacked before but never thought it would happen to me.  “Go downstairs to your mom.” I tell my two kids.  I walk over to the camera and put my finger over the lens so it can’t see me.  “I can’t see you ****” I hear from the camera.

 

From my oldest child’s room, next door over, I then hear the same voice from that camera.  I take the camera that I was holding a finger over and point it down towards the wall.  I get out of the room and log into my Nest account.  I immediately change the password, the login email and enable two factor authentication.  I heard nothing from the cameras after that.

 

Spooked, but more rather angry that this happened to me, I spent the next couple of hours securing all of my stuff.  My first concern is how EXACTLY this person gained access to my Nest cameras.  I googled but mostly returned sensationalist stories of this same instance happening to other people.  A reddit thread directed me to the website www.haveibeenpwned.com where I plugged in the email associated with my Nest account login.  That email had been hacked, multiple times over.  It was an old outdated email from when I had Cox internet years ago.  My hunch is that this person had a dump of emails and passwords and was able to gain access through simple brute force.

 

I contacted Nest and chatted with support staff.  They’ll be elevating my case to senior support and I should hear back from them in 3-5 days.  My hope is that they can confirm that someone used my old email and password to access my account that way.

 

I changed my WiFi password to something MUCH longer, changed the login and password to any account that used that old email.  I’ll probably go through and change any logins for important stuff today, banks, credit cards, etc.  Huge pain in the ass.

 

Ultimately, I want this to be a warning to anyone who may be using connected cameras or other devices that can be used for listening.  Make sure your stuff is secure.  Use two factor authentication if possible.  I don’t believe that this is someone who hacked into my system locally through WiFi, I think this is someone (he sounded like a punk Asian kid/young adult) from anywhere across the globe.

 

Thats all.

Edited by Springfield
  • Like 1
  • Thanks 2
  • Sad 3

Share this post


Link to post
Share on other sites

We have some connected home devices (Echo, Nest thermostat, etc), but this is exactly why we opted for a closed circuit baby monitor.  It's marginally less convenient, but we had heard stories exactly like this and, no thanks. 

 

This also raises the issue of how our country has gotten to the point where hacks of people's private information is viewed basically without alarm, and the companies who allow this information to be vulnerable face very little in the way of repercussion. 

  • Like 1
  • Thanks 1

Share this post


Link to post
Share on other sites
7 minutes ago, PleaseBlitz said:

This also raises the issue of how our country has gotten to the point where hacks of people's private information is viewed basically without alarm, and the companies who allow this information to be vulnerable face very little in the way of repercussion. 

Indeed.  Facebook is only starting to suffer consequences because their lack of giving two ****s about protecting your private information got in the way of politics.

Edited by PokerPacker
  • Like 1

Share this post


Link to post
Share on other sites
17 minutes ago, PleaseBlitz said:

 

This also raises the issue of how our country has gotten to the point where hacks of people's private information is viewed basically without alarm, and the companies who allow this information to be vulnerable face very little in the way of repercussion. 

 

In your legal opinion, should the host company (Nest in this case, owned by Amazon?) be held liable?  Or rather should a law be made to offer bigger punishment to them or require a certain line of security?

 

I think our congress, on both sides of the aisle are woefully inept in this regard.

  • Like 1

Share this post


Link to post
Share on other sites
49 minutes ago, PokerPacker said:

This is exactly why I am not on board with all the smart-home stuff.  I'll take a dumb-home, thank you.

 

Yep, not into it.  Don't think I ever will be.  

 

**** Alexa, I can start a playlist myself.

Share this post


Link to post
Share on other sites
Just now, Spaceman Spiff said:

 

Yep, not into it.  Don't think I ever will be.  

 

**** Alexa, I can start a playlist myself.

My question with Alexa is, why can't a device like that be stand-alone?  Why must it phone home?

Share this post


Link to post
Share on other sites
Just now, PokerPacker said:

My question with Alexa is, why can't a device like that be stand-alone?  Why must it phone home?

 

Cause they probably want to keep track of how people use it, what commands they give it, etc.

Share this post


Link to post
Share on other sites
3 minutes ago, Springfield said:

 

In your legal opinion, should the host company (Nest in this case, owned by Amazon?) be held liable?  Or rather should a law be made to offer bigger punishment to them or require a certain line of security?

 

I think our congress, on both sides of the aisle are woefully inept in this regard.

 

I don't give legal opinions on the internet.  Or for free. :)

 

In my personal opinion as someone familiar with the law, to your first question, I think if a company is negligent in keeping people's information private, then yes, absolutely they should be held liable.  And they are to an extent, there is almost always a class-action suit against the company.  The problem with class actions is that the lawyers make a ton of money, the people who suffered the consequences tend to get comically little in the way of reparations.  

 

I think your second question is more important.  And there I think that their should be a much higher standard of care for companies that are holding vast amounts of consumer data and not keeping it secure.  Again, it's a question of what steps the company took.  If the company took all appropriate steps given their level of sophistication but got hacked anyways, then they shouldn't get raked over the coals.  If a company is, I dunno, Facebook, and their entire business model is mining personal information and they are a $500 billion tech company, then they should be required to go to the ends of the earth to keep that **** secure (as opposed to what they actually do, which is evidently nothing). 

 

  • Like 3
  • Thanks 1

Share this post


Link to post
Share on other sites

Hacking into a ring camera probably means they hacked into your ring account (as opposed to your local WiFi) because you don’t have to set up port forwarding to use ring so it sends all of the data to the the cloud, then back to you.  

 

Share this post


Link to post
Share on other sites

@Springfield I think I probably speak for all of us when I say that I hope that nothing bad happens to you and yours, that it was just some dumb kids playing a prank and nothing sinister.  

  • Like 8

Share this post


Link to post
Share on other sites
3 minutes ago, Spaceman Spiff said:

@Springfield I think I probably speak for all of us when I say that I hope that nothing bad happens to you and yours, that it was just some dumb kids playing a prank and nothing sinister.  

 

Thats my assumption as well.  By the sound of this guy, I could whoop his candy ass.  I’m not worried.

 

Thank you though.

Edited by Springfield
  • Like 3
  • Thanks 1

Share this post


Link to post
Share on other sites
3 minutes ago, Springfield said:

 

Thats my assumption as well.  By the sound of this guy, I could whoop his candy ass.  I’m not worried.

 

Thank you though.

 

 

  • Haha 1

Share this post


Link to post
Share on other sites

Hackers infiltrate east bay family's NEST surveillance camera send warning of incoming north korea missile attack

 

ORINDA — Laura Lyons was preparing food in her kitchen Sunday when the lazy afternoon took a turn for the absurd. A loud squawking — similar to the beginning of an emergency broadcast alert — blasted from the living room, the Orinda mother said, followed by a detailed warning of three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago and Ohio.

 

“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate,” Lyons said Monday. “It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”

 

Lyons and her husband stood slack-jawed in the living room, terrified but also confused because the television continued airing the NFC Championship football game. As their scared 8-year-old son crawled underneath the rug, the couple realized the apocalyptic warning came from their Nest security camera atop their living room television.

 

After many panicked minutes and phone calls to 911 and to Nest, the couple learned they likely were the victims of a hacker. 

 

Click on the link for the full article

Share this post


Link to post
Share on other sites
On 1/13/2019 at 11:43 AM, PokerPacker said:

This is exactly why I am not on board with all the smart-home stuff.  I'll take a dumb-home, thank you.

+1  they will never be perfectly secure as well. Even if it's a priority to us, it's not the manufacturers, and that's in many cases intentional.  Amazon is NOT your friend, they've already said that

Edited by Renegade7

Share this post


Link to post
Share on other sites

@PleaseBlitz touched in something that I think gets lost a lot in these customer computer security issues. 

 

The company is NOT doing it's due diligence if security options like MFA are options versus required default.  They are not doing their due diligence if antimalware isn't built into the device and that being normal, even if heuristic based versus signature because of the platform. 

 

They are definetly not doing their due diligence if California has to pass a law forcing manufacturers to randomize default passwords on devices because they can easily be looked up online, and the company should go further and not let you use the device until you change that password.

 

Until we stop spray painting IoTs with security versus having it poured into the concret of the foundation, every IP address you have in your house is just waiting to get hacked, so more is not a good thing.  I get the conveience, but we've outputted our coverage here and seriously need to regroup.

On 1/13/2019 at 12:37 PM, Spaceman Spiff said:

 

Cause they probably want to keep track of how people use it, what commands they give it, etc.

Amazon doesn't need that. Even Microsoft has a checkbox asking if you want to give info to them on usage for their own research.

Edited by Renegade7

Share this post


Link to post
Share on other sites
1 hour ago, China said:

Hackers infiltrate east bay family's NEST surveillance camera send warning of incoming north korea missile attack

 

Lyons and her husband stood slack-jawed in the living room, terrified but also confused because the television continued airing the NFC Championship football game. As their scared 8-year-old son crawled underneath the rug, the couple realized the apocalyptic warning came from their Nest security camera atop their living room television.

 

After many panicked minutes and phone calls to 911 and to Nest, the couple learned they likely were the victims of a hacker. 

 

Click on the link for the full article

I'm sorry, can we all stop the very serious discussion about personal security and instead discuss the fact that an 8 year old tried to hide under a rug? Did he also cover his eyes and scream "you can't see me!"?

Share this post


Link to post
Share on other sites

That's terrifying Springfield.. i hope you got rid of the system.

Count me as one perfectly happy with a dumb house. I'm nervous having a smart TV.

 

~Bang

  • Like 1

Share this post


Link to post
Share on other sites
4 hours ago, Elessar78 said:

Why's he got to be Asian ****?

 

Cause I have lots of Asian friends.  I know what punk Asian teenagers sound like.  I’d even go so far to say that he sounded more Korean, less Viet or other southeast Asian.

Edited by Springfield

Share this post


Link to post
Share on other sites
6 minutes ago, Springfield said:

 

Cause I have lots of Asian friends.  I know what punk Asian teenagers sound like.  I’d even go so far to say that he sounded more Korean, less Viet or other southeast Asian.

True. True. Asia's a big place. 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.