Skip to main content

No, Nest Cams are not being hacked to issue fake nuclear bomb threats

No, Nest Cams are not being hacked to issue fake nuclear bomb threats

/

Hoax, not hack

Share this story

Photo by Vjeran Pavic / The Verge

The scare might have been real. The hack? Not so much. But the fact that a family spent five minutes fearing that North Korea was launching intercontinental ballistic missiles at the United States is definitely a teachable moment for the rest of us.

“five minutes of sheer terror”

The Mercury News has the story of Laura Lyons, a mother in Orinda, California whose Nest security camera gave her family what she called “five minutes of sheer terror” — when she suddenly heard a legitimate-sounding emergency warning that Los Angeles, Chicago and Ohio had only hours to evacuate before they might be hit by nuclear weapons.

It turned out the warning came from their Nest Cam — and reportedly, a Nest customer service supervisor suggested that they might have been victims of a hack. As the Mercury News and others point out, it isn’t even the first time.

But contrary to the headlines you might be reading around the web, the camera itself wasn’t hacked. Nest’s security wasn’t breached. This isn’t the story of a sly thief breaking into someone’s poorly-protected device.

A Google spokesperson confirmed to The Verge that what the Mercury News suggested is correct: in these cases, the user’s credentials were already compromised:

These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of the security risk.  

This is the story of someone who used the same password more than once, for both Nest and some other unrelated website that got breached. From that point on, there’s no need to hack the camera — until Lyons changed her password, anyone could use the compromised credentials to log into the plain ol’ Nest app. No hacking tools necessary.

It’s not even like the supposed “hackers” needed to do anything special to send a audio scare: Like most of these cams, there’s a built-in feature (in this case, “Talk and Listen”) that lets you speak to someone over the internet who’s standing in front of the camera.

And there’s a pretty simple way to start protecting against password breaches, one that Nest has offered since March 2017: Two-factor authentication.

Two-factor auth (2FA) isn’t perfect. Particularly the kind that relies on text messages. I’d recommend an authenticator app and maybe even a security key, depending on what you do. But 2FA is remarkably easy to set up and use, offered by practically every major internet service, and is generally kind of a no-brainer, considering how many password breaches we see these days and how many people tend to re-use weak passwords.

You might also try a password manager.

Google says it’s looking into additional protections for Nest too, though. “We’re actively introducing features that will reject comprised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials,” reads part of a statement.

The one place where Google arguably might be to blame is for not telling Nest users that this kind of nightmare fuel exists — that they, too, might find a stranger shouting threats over the internet, now that it’s happened several times.

Any internet-connected camera, regardless of brand, could be “hacked” this way

But the company actually did take some action last month, too, proactively resetting passwords that appeared to be breached, preventing compromised passwords from being reused, and encouraging customers to adopt 2FA, too, according to a statement the company sent out December 19th.

Should Nest have gone out of its way to advertise that its cameras could be used to start a nuclear scare, when there’s nothing uniquely vulnerable about Nest’s cameras compared to those from rival brands? That seems like a stretch to me.