Home network security monitoring: Nest device hacking
Our home network security monitoring series is back. In this issue, we want to talk about some IoT security headlines that occurred recently— all of which revolve around a particular set of IoT devices.
You may have guessed these popular smart home devices would be included in this month's issue. Nest has been in the news quite a bit these last few months, particularly for their security cameras being involved in a series of cyber attacks.
Image from Nest
What happened during these attacks?
Hacked Nest camera used with baby monitor sends threats to family
Back in December, one family shared details regarding their experience being hacked when they heard a stranger's voice come through their baby monitor, which was linked to the Nest camera in the baby's room. The hacker was able to gain access to this camera, and also to the Nest camera that was in their room. The hacker claimed to be in the baby's room, threatening to kidnap. The family learned they had been hacked when they discovered no one was in the room, and proceeded to shut down their WiFi and call the police.
Hacked Nest camera sends family a false missile warning
Last month, news broke out regarding a California family's Nest security camera being hacked. The family received a false warning regarding a missile attack that was said to be heading for Los Angeles, Chicago, and Ohio. The family recalls the incident as "sounding completely legit":
“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate,” Lyons told the Mercury News."
The family was able to get a hold of Nest and to their dismay, learned they had been the victims of a cyber attack.
Hacked Nest cameras take control of family's household
At the beginning of this month, another story regarding hacked Nest cameras made headlines. A family in Illinois was targeted, whose home had several Nest cameras and a Nest thermostat powered on. The hacker gained access to the Nest cameras, using them to talk to and watch the family. What was seemingly more frightening in this attack however was that the hacker's ability to gain control of the family's Nest thermostat, raising the temperature up to 90 degrees. The family realized they were hacked and quickly disconnected their cameras while calling both Nest and the police.
Hacked Nest camera by a security researcher aims to warn device owner (and general public) of Nest vulnerabilities
I thought I'd end our discussion of Nest camera hacks on a brighter note. In this recent story, a security researcher hacks into a home's Nest camera, but without the malicious intent one would expect... Take a look:
What has Nest said regarding these attacks?
In regards to these IoT security headlines, Nest has provided a statement that says their security has not been breached and that it all comes down to the passwords being used. In each of these stories, Nest advises the victims to take the following course of action:
- Choose a strong, unique password
- Enable two-factor authentication
The company is not taking ownership for any of these attacks, but rather leaving it to the consumer to address on their own via these suggestions.
What does Minim think?
I caught up with our security experts at Minim to see what they thought about these device vulnerabilities and Nest's response to the matter. What was gathered from our talk was that Nest, from a business standpoint, isn't doing anything wrong because their security was indeed not breached and they also support multi-factor authentication (MFA).
From a user experience and support standpoint however, Minim feels Nest could have done more to alert the user that they may be the target for a cyber attack (i.e., take a proactive security approach like we do at Minim). If the device was found to have a connection from a new IP or unknown device, Nest could have taken the time to notify the user that they may be at risk and to ensure that their two-factor authentication was indeed enabled. Many of those who were hacked weren't even aware that Nest offered two-factor authentication!
Looking forward, Minim hopes Nest will take some of the ownership for these attacks and work towards reducing the likelihood of these situations occurring in the future.