Tuesday, February 12, 2019

Hacker takes over Google Nest security cam

Talks to family's baby:
An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son's room Sunday outside Chicago and he heard someone talking. "I was shocked to hear a deep, manly voice talking," Sud said. "My blood ran cold." Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs. The voice was coming from another of the many Nest cameras throughout the couple's Lake Barrington house. "Asking me, you know, why I'm looking at him -- because he saw obviously that I was looking back -- and continuing to taunt me," Sud said. Later that night, Arjun Sud noticed the Nest thermostat they have upstairs had been raised to 90 degrees. He suspected the hacker was behind that too. Nest's parent company, Google, said in a statement that Nest's system was not breached. Google said the recent incidents stem from customers "using compromised passwords exposed through breaches on other websites."
Let me, err, Google Translate that last bit: Google said that if you use one of these damned things you'd better be a security expert or J. Random Hacker will set your house temperature to whatever he wants and teach your baby interesting vocabulary.

Your mileage may vary, but I will never have one of these things in my house. And I am a bit of a security expert, thank you very much.


Ken said...

Same here. Thanks for posting this -- this will be very useful in the CRM course I teach (not least because of Google's response).

LindaG said...

Typical of Google.

Our TV doesn't connect to the internet.
I won't have any Siri or appliance that does either.

Thanks for sharing this.

Divemedic said...

The most likely reason is that the users had a password like "password" or maybe "qwerty" or the ever popular "12345".

Don't use the same password for your airshield as the one an idiot would use for his luggage.

Aaron C. de Bruyn said...

Divemedic is correct. Don't reuse passwords, don't use easy-to-guess passwords. The devices weren't compromised, the user's password was.

Divemedic said...

I use LastPass. This is a password wallet that stores your passwords in an encrypted file and fills them in as needed. Then you only need to remember the password for the app. Since you don't have to remember them, you are free to follow best practices:
- When a system allows, my passwords are 15 characters
- They are random and generated by the app
- I use upper and lower case, numbers, and symbols
- I use a different password for every website and application

The app even has a feature where it will generate passwords for you, and it also gives you a security score, so you can see how well you are doing. The charges are low ($10 a year, I think).

I never have to worry about compromised passwords.
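
The four practices listed in the comment above, together with the reuse problem Google's statement describes, as an added example that is not part of the original post or comments. The site names, the sample vault and the breached-password set are constructed for illustration, and the `generate` and `audit` helpers are hypothetical, not any password manager's API.

```python
import secrets
import string
from collections import defaultdict

# Upper case, lower case, numbers and symbols, as listed in the comment.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
MIN_LENGTH = 15  # length given in the comment

def generate(length=MIN_LENGTH):
    """Random password with at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    chars = [secrets.choice(c) for c in CLASSES]
    chars += [secrets.choice("".join(CLASSES))
              for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # avoid a fixed class order
    return "".join(chars)

def audit(vault, breached=frozenset()):
    """Return {site: [problems]} for entries that break the listed practices."""
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
    report = {}
    for site, pw in vault.items():
        problems = []
        if len(pw) < MIN_LENGTH:
            problems.append("short")
        if not all(any(ch in c for ch in pw) for c in CLASSES):
            problems.append("missing-class")
        if len(sites_by_password[pw]) > 1:
            problems.append("reused")      # one breach exposes every site
        if pw in breached:
            problems.append("breached")    # already in a leaked list
        if problems:
            report[site] = problems
    return report

# Constructed sample data: hypothetical sites and passwords.
SAMPLE_VAULT = {
    "camera.example": "qwerty",
    "forum.example": "qwerty",
    "bank.example": generate(),
}
SAMPLE_BREACHED = {"password", "qwerty", "12345"}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_VAULT, SAMPLE_BREACHED).items():
        print(site, problems)
```
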

McChuck said...

What Divemedic said ++. I've been using the free version for years. Don't forget to download your account periodically, because no business lasts forever.