A woman living in the Bay Area says she got a hoax warning last weekend that the US was under nuclear attack. The warning came from an unlikely place: her Nest Cam.
Laura Lyons of Orinda, California told the San Jose Mercury News that her smart home security camera was infiltrated after it said on Sunday that three North Korean missiles were headed to Los Angeles, Chicago and Ohio. The warning was preceded by a blaring alarm, Lyons told the newspaper.
The message said the US was retaliating and affected areas had three hours to evacuate, she said. Lyons checked news stations for coverage of the apparent attack, but found nothing. When she realized the message was coming from the Nest Cam sitting above her TV, she called the company, which is part of Google, to find out what was going on.
Lyons said a representative told her that she was a victim of a “third party hack.” Lyons didn’t respond to a request for comment.
Nest says Lyons’ device was most likely compromised by a stolen password.
“Nest was not breached,” a spokeswoman said on Tuesday. “These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of the security risk.
“We take security in the home extremely seriously, and we’re actively introducing features that will reject comprised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.”
Still, as companies like Google, Amazon and Samsung try to convince consumers to turn their homes into hubs full of internet-connected gadgets and appliances, a scare like the one Lyons experienced could sour people from bringing those devices into their houses.
This isn’t the first time Nest’s cameras have been infiltrated by outsiders. In December, a hacker took over the camera of a man in Arizona to warn him of security vulnerabilities. In another case last month, a hacker told a couple through the device he’d kidnap their child.
Security experts have been warning for years that smart home devices are vulnerable to hackers. Some vulnerable devices come with bugs that hackers can exploit. To prevent hackers from using stolen passwords to log into security cameras and other connected devices, experts say companies need to educate users on how to use better security. Betsy Cooper, founding director of the Aspen Policy Hub, said that would help keep hackers out of security cameras and other internet connected “things.”
Consumers can choose to use a stronger password and enable extra security features like two-factor authentication — but they aren’t required to do so. Device makers should flip that around, Cooper said. For example, they could turn on two-factor authentication by default and leave it up to consumers to turn it off if they don’t want it.
“Companies should shift the way that they think about those things,” Cooper said, “so they’re not making stronger security so easy to avoid.”
People can check if any of their passwords have been caught up in known data breaches using sites like Have I Been Pwned or Mozilla’s Firefox Monitor. Some websites will also flag your password for you if it’s been caught up in a breach, using a tool from the login company Okta.
The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.
Special Reports: Techhnews’s in-depth features in one place.