Today, Google is doing something it should have done weeks or months ago: it’s emailing owners of its Nest security cameras that they should really, really pick a better password, enable two-factor authentication (2FA), and be vigilant if they don’t want strangers to hijack those cameras and peek into their homes over the internet, which has actually been happening in some instances, including a fake nuclear bomb threat that really freaked one family out.
The thing is, Google’s email doesn’t actually say why people should be vigilant right now. It doesn’t mention the camera scares at all.
“We’ve heard from people experiencing issues with their Nest devices,” reads a painfully generic line in the email.
The word “camera” doesn’t appear in the email once
“People with access to your credentials can cause the kind of issues we’ve seen recently,” reads another.
Nowhere does the email describe the “kind of issues” that “we’ve seen.” In fact, the word “camera” doesn’t appear in the email even once.
To be fair, it’s a lose-lose situation for Google, which isn’t exactly responsible for this problem and doesn’t want to scare people off.
If the company clearly states precisely why now is a good time for you to enable 2FA, it might scare people away from buying its security cameras. People might not realize that, no matter how hardened a camera’s security might be, it only takes one data breach anywhere in the world to expose a username and password that you might have used on your Nest camera as well. At that point, hackers don’t need to hack: they just log in with your own account.
It’s not Google’s fault if you’re using the same password for everything. Seriously, stop that. Use a password manager. Turn on 2FA now.
But it is Google’s responsibility to warn its customers of the danger here, and it’s only kind of-sort of doing that today. So why don’t we help out Google a bit with this post?
Here’s the Nest email in full:
In recent weeks, we’ve heard from people experiencing issues with their Nest devices. We’re reaching out to assure you that Nest security has not been breached or compromised. We also want to remind you of a few easy things you can do to get the most out of Nest’s security features.
For context, even though Nest was not breached, customers may be vulnerable because their email addresses and passwords are freely available on the internet. If a website is compromised, it’s possible for someone to gain access to user email addresses and passwords, and from there, gain access to any accounts that use the same login credentials. For example, if you use your Nest password for a shopping site account and the site is breached, your login information could end up in the wrong hands. From there, people with access to your credentials can cause the kind of issues we’ve seen recently.
We take protecting our users’ security very seriously. For added password security, the team looks across the internet to identify breaches and when compromised accounts are found, we alert you and temporarily disable access. We also prevent the use of passwords that appear on known compromised lists. While we can’t stop password breaches across the internet, we’re committed to limiting the impact of compromised credentials on Nest Accounts.
While we continue to introduce additional security and safety features, we need your help in keeping your Nest Account secure. There are several ways for you to protect your home and family. Here’s what you can do:
•Enable 2-step verification: The most important thing you can do is enable 2-step verification. Security experts agree that 2-step verification offers an additional layer of security. You’ll receive a special code every time you sign in to your account. It’s easy to do – find the steps here.
•Choose strong passwords: Create a strong password and only use it for your Nest Account.
•Set up Family Accounts: Don’t let other people use your email and password to sign in to the Nest app. Invite them to share access to your home with Family Accounts.•Be alert: Be on the lookout for phishing emails designed to trick you into sharing your email address and password.
•Protect your home network: Keep your home network router software up to date and only share those credentials with people you trust. Set up and use a guest network if your Wi-Fi router supports it.
It’s a great responsibility to be welcomed into your home, and we’re committed to keeping you and your Nest devices safe.
If you have questions or need additional help, please reach out to Nest Support.
VP/GM of Nest
Here’s an example of a slightly transparent warning from Nest rival Arlo, which could also use work:
Being transparent with its customers might help, but Google could also take some more concrete steps to protect against this problem, like requiring users to create strong passwords and set up 2FA to begin with or make a conscious decision to opt out if they want to be less secure. Google could also have Nest adopt the same 2FA system it uses for its web apps, which is oddly missing here.
Google did roll out an unrelated tool this week to protect against password breaches, though: this Password Checkup extension for Google Chrome.