Extremeskins

My Nest camera system was hacked last night (and other smart home camera hackery)


Springfield


Hacker spoke to baby, hurled obscenities at couple using Nest camera, dad says

 

An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son's room Sunday outside Chicago and he heard someone talking.

 

"I was shocked to hear a deep, manly voice talking," Sud said. "… My blood ran cold."

 

Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs.

 

The voice was coming from another of the many Nest cameras throughout the couple's Lake Barrington house. "Asking me, you know, why I'm looking at him — because he saw obviously that I was looking back — and continuing to taunt me," Sud said.

 

The hacker hurled obscenities at them, including the N-word, Sud said. "It was terrifying," his wife Jessica Sud told WBBM-TV.

 

Click on the link for the full article


UPDATE:

 

Thanks for bumping the thread @China.  I spoke to someone with Nest yesterday on the phone.  I told him all that happened, what I had done and what my suspicion was.  He agreed that it was likely that someone had gained access to my Nest system by using a compromised email and password combo.  He said that their engineering team was looking into it and I would be contacted with more detailed info.  I still refuse to use their products until I can be assured how the breaches happened and that what I’ve done will prevent it from happening again.

 

In further reading, there was a huge data dump called “Collection 1” that happened just days before my own Nest cam was hacked. It contained emails and passwords. Some 773 million of them. Biggest data dump ever from what I understand.

 

See here: In total, there are 1,160,253,228 unique combinations of email addresses and passwords

 

 

Edited by Springfield

44 minutes ago, bearrock said:

Does Nest use two factor authentication?  At least for new device and/or new ip logins?  If not, why not?

 

As of the time of my hack (two weeks ago), Nest only offered 2FA as an OPTION.  Not sure why or why not but given my circumstance, I think they should make it mandatory.

  • Like 2

Just as a PSA on this..... for the most part, the majority of these cases are caused by some other system being hacked and you using the same email address (since everything seems to use email addresses as usernames now) and password for your systems.

 

Changing your wifi password to be stronger and enabling 2FA is great. 

 

Not using the same password everywhere is the real answer. 

 

And 2FA is also a real answer but ****ty text message based 2FA is a joke and I wouldn’t trust it for anything serious. 


I just looked, nest is indeed using ****astic SMS 2FA

 

you'd be more secure if you just used a password manager and made sure your passwords were different for every service

 

sms 2FA is the equivalent of “I’ll send you the username in one email and the password in another”

 

it makes it a little harder to get in

 

it is not a secure system. 

 

So keep your 2FA but also stop using the same password everywhere. 


Also, in case someone wants to chime in about Google vs me on security, NIST removed SMS 2FA from its list of acceptable 2FA solutions.

 

https://www.zdnet.com/article/nist-blog-clarifies-sms-deprecation-in-wake-of-media-tailspin/#ftag=CAD-00-10aag7e

 

and in mid 2017 google moved to get people off sms 2FA for their stuff because, as they say, it’s not secure

 

https://gsuiteupdates.googleblog.com/2017/07/better-experience-for-sms-2-step-verification.html?m=1

 

why, in 2019, a google-owned company going through a huge PR crisis of hacked equipment is recommending SMS 2FA is a question someone should ask them. 

  • Like 1

Not gonna defend sms 2fa (though cell phone companies share a big part of the blame for their security holes), but in a sea of users with spectacularly bad security, sms 2fa might be enough to get dumbass teenagers to move onto the next target.  

 

With a truly determined hacker, the means to keep you safe may not be worth the trouble.  And it's not like password managers are impervious to hacking either.

 

What's that they say about only as strong as the weakest link?  Total hack proof security for the home user is likely beyond our means and not worth the effort.  With that said, Tshile's point is well taken.  If you have video footage of your home streamable to the net, you may want to at least spring for a premium account password manager with a physical second factor authentication.

  • Like 2

Phone companies are the entire reason it’s not secure. Their inability to secure their customers’ lines is the entire issue. This might sound absurd to people that aren’t charged with knowing this, but porting someone’s number that isn’t yours is a trivial task.

 

People with numbers tied to business accounts have extra protection but residential accounts don’t.

 

So yes, it’s better than nothing. But it’s not much better than nothing, and if the data it’s protecting is important (like a bank account) then you’d be foolish to consider it anything other than not better than nothing. 

 

Your home cameras? I don’t know. Seems pretty important to me. 

 

I loved the nest I had. Their response on this, which is to blame other sites and people using the same passwords, and then recommend sms 2FA? Google should be embarrassed. 

 

Secure 2FA is easily implemented and easily used by a normal person. Microsoft and google both have Authenticator apps for your phone that are plug-n-play with any system. 

 

(Though someone like fortinet would take issue with the ‘security’ of those two systems, and be right, for a casual person it’s good enough)

 

 

Nest should get drug through the mud for this. 

(Not because the systems are getting hacked, it’s not their fault people use the same passwords everywhere, but for recommending a security approach that was determined inadequate *years* ago when more secure systems are easily available FROM THEIR OWN PARENT COMPANY)

 

Edited by tshile
  • Like 3

On 1/13/2019 at 11:43 AM, PokerPacker said:

This is exactly why I am not on board with all the smart-home stuff.  I'll take a dumb-home, thank you.

 

It's getting to the point where it's unavoidable.

We may soon get to the point, for example, where all TV's being sold are smart TV's.

Although I guess for that you could put drapes over the whole TV when you're not using it, but then again, that wouldn't stop them from getting audio from your house.


6 hours ago, Springfield said:

@tshile

 

Thanks for your input.  Totally respect your opinion/knowledge on a subject like this.

 

Thanks. I’m just really angry at nest

 

There’s been a big change in mentality inside the developer and IT communities about security of data and systems over the last few years. Realizing the government’s lack of ability, competence, and care factor when it comes to regulating the industry and educating the public and holding companies accountable, there’s been a push for collective ownership by those of us in the sector to design systems and take every opportunity to help where we can. Large for-profit enterprises that compete in the same space are forming organizations where they share what they can (without losing competitive advantage) to help protect everyone else.

 

So when Nest comes out with this idea of using a system that was determined flawed years ago and is being abandoned, at a time where adequate solutions are easily implemented, it’s irritating.

 

The message from Nest here is - SMS 2FA is adequate. That’s what Nest users that don’t know any better are taking away from this even if they don’t realize it.

 

Nest, whether they realize it or not (and they should realize it), as a company with much clout in the general public has failed in that regard. Which is why I went on an angry rant about it. 

 

They missed a huge huge opportunity here to be good stewards of the IOT community. It’s disappointing.

Edited by tshile

8 minutes ago, Springfield said:

Now question:  What is a better form of 2FA than sms?

 

Generally speaking something that generates a random code every 60 seconds. For the longest time that required having a physical token that was in sync with the system. Over time the device would fall out of sync because it can’t sync time with a source and electronics inherently drift in time if they can’t sync, so you’d have to replace them every year or so. So they were expensive and all sorts of cumbersome. 

 

Recently they now have authenticator apps you can install on your phone. This took an expensive and cumbersome system and made it very easy and cheap for any person to set up and use.

 

It’s not perfect and has its own flaws but it’s better than sms 2FA. 

 

The problem is the people running the system, like Nest, have to implement it for you to use it.

Edited by tshile

15 minutes ago, Springfield said:

Now question:  What is a better form of 2FA than sms?

Until Nest gets their act together, you can also use the premium version of services like LastPass (password manager, $24 a year). Update your sensitive passwords periodically and it has its own app 2FA (also works with major 2FA apps like Google and Microsoft). The downside is that you need to stay vigilant by updating your passwords frequently (the idea being that you use different passwords for all sites and change them frequently enough that by the time one site gets hacked and the password gets out to the hackers, it will have been updated to something else and that the password was only for that site. The access to the password manager itself will be protected by a superior 2FA). If you don't update your passwords or use the same password across all sites, it's not gonna give you that additional layer of protection.

  • Like 1

6 hours ago, Malapropismic Depository said:

 

It's getting to the point where it's unavoidable.

We may soon get to the point, for example, where all TV's being sold are smart TV's.

Although I guess for that you could put drapes over the whole TV when you're not using it, but then again, that wouldn't stop them from getting audio from your house.

 

The only thing I can suggest, keeping in mind I’m trying to balance effectiveness with the actual understanding and means most people have, is to not leave your devices connected when you’re not using them. 

 

A smart TV with WiFi? Disconnect it from WiFi when you’re not using it. Connect it when you want, then disconnect. Don’t leave it on all the time.

 

For me, I use a physical cable (most people don’t have Ethernet jacks in their house though...) so for me it’s a simple unplug the cable and plug it in when I want to use an app.

 

There are far better solutions but telling people to configure their firewall in certain ways doesn’t get much traction with the general public. 

 

The biggest issue with the IOT stuff is that we know the #1 fix for this is to have manufacturers update their devices when security issues are found. But a manufacturer’s desire to update devices depends solely on how well it sells, and even then they abandon it once they’ve retired that product line. We see this with cell phones all the time, Samsung or LG will just not put effort into updating phones that do not sell well and as soon as the new Galaxy phone comes out Samsung stops updating the old ones.

 

Hell samsung had a critical vulnerability with some hard drives they sell that made hardware encryption on the device worthless because it’s easily bypassed. 

 

Samsung’s only response was literally - do not use our devices for encrypting data. 

 

When that’s the mentality of manufacturers there’s not a whole lot we can expect the public to know/do to protect themselves. It’s one of the reasons when I built my new house I refused to put Samsung appliances or TV’s in it. They are a terrible company in the IOT space. 

Edited by tshile
  • Like 2

4 hours ago, tshile said:

  

The biggest issue with the IOT stuff is that we know the #1 fix for this is to have manufacturers update their devices when security issues are found. But a manufacturer’s desire to update devices depends solely on how well it sells, and even then they abandon it once they’ve retired that product line. We see this with cell phones all the time, Samsung or LG will just not put effort into updating phones that do not sell well and as soon as the new Galaxy phone comes out Samsung stops updating the old ones.

 

 

Kinda see this with computers too, right

For example, Windows stopped updating security patches a while ago, for their Windows 98 OS.

Of course, I'm using an extreme example.

Edited by Malapropismic Depository

2 hours ago, justice98 said:

I went on haveibeenpwned.com and saw my email address had been in some breaches.  So now, what do I do with that information?  Is changing the password enough, or should I scrap the old email address and get a new one?

 

Changing password should be fine.  And be sure not to reuse passwords or better yet, use a password manager with 2fa.  At the very least, don't use the same passwords for things like online forum and financial/bank logins.  Your main email password should always be unique and different from anything else, even banks.

  • Thanks 1
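justice98's haveibeenpwned check and tshile's earlier point that most of these "hacks" are reused passwords from someone else's breach come together in the Pwned Passwords range API that site offers. The following is an added example, not code from the thread or from haveibeenpwned: it reproduces the k-anonymity protocol offline, with a constructed three-entry "breach corpus" standing in for the real hash set (the real service answers the same query shape at https://api.pwnedpasswords.com/range/{prefix}, which this example does not call). The point a defender should take from it is that the client only ever sends the first five hex characters of the SHA-1, so the service never learns the password or even its full hash.

```python
# Added example for the thread: the k-anonymity range lookup behind
# "has this password appeared in a breach?" checks, run fully offline.
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a breach corpus: password -> times seen. Plaintext is
# only used here to let the demo build its own hashed index; the real service
# stores hashes, not passwords.
CONSTRUCTED_BREACH_COUNTS: Dict[str, int] = {
    "password": 3,
    "123456": 5,
    "letmein": 1,
}

HEX = "0123456789ABCDEF"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breach_counts: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Service side: bucket every breached hash by its first five hex chars."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in breach_counts.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


def serve_range(index: Dict[str, List[Tuple[str, int]]], prefix: str) -> str:
    """Service side: answer a range query as 'SUFFIX:COUNT' lines.
    Note the service sees only the 5-character prefix (16^5 = ~1M buckets)."""
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\n".join(f"{suffix}:{count}" for suffix, count in index.get(prefix, []))


def parse_range_response(body: str) -> Dict[str, int]:
    """Client side: turn the 'SUFFIX:COUNT' text into a lookup table."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password was seen in breaches (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def audited_check(password: str, index: Dict[str, List[Tuple[str, int]]]) -> Tuple[int, List[str]]:
    """Run a check and record exactly what the client transmitted, to show the
    service never receives more than the 5-character prefix."""
    sent: List[str] = []

    def fetch(prefix: str) -> str:
        sent.append(prefix)
        return serve_range(index, prefix)

    return pwned_count(password, fetch), sent


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_COUNTS)
    for candidate in ("password", "zQ9#vLm2!pRx7&tB"):
        count, sent = audited_check(candidate, index)
        print(f"{candidate!r}: seen {count} times; client sent only {sent}")
```

Against a real corpus the response for a popular prefix is several hundred lines, which is why the matching is done client-side rather than by asking the service "is this hash in your set". A password manager that does this check on each stored credential is doing, in bulk, what justice98 did by hand for one email address.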

2 hours ago, justice98 said:

I went on haveibeenpwned.com and saw my email address had been in some breaches.  So now, what do I do with that information?  Is changing the password enough, or should I scrap the old email address and get a new one?

What @bearrock said

 

as for changing your email I wouldn’t bother. You’ll wind up going through a lot of work, and I’m sure it won’t be long before your new address is on a list. 

 

Proper password management and shutting down accounts you don’t use is perfect.

  • Thanks 1
