Dozens of Nest camera owners this week heard a disembodied voice insist that they subscribe to PewDiePie's YouTube channel. On Sunday, a voice emanating from a Nest security camera told a family of three that North Korean missiles were en route to Ohio, Chicago, and Los Angeles. In December, a couple was startled out of bed when they heard sexual expletives coming from their baby's room over a monitor. Then they heard a hacker's voice on their Nest cameras, saying "I’m going to kidnap your baby, I’m in your baby’s room."
For years, internet of things security woes have been epitomized by hackers accessing live feeds from video baby monitors. But this new wave of jarring webcam takeovers has served as a stark reminder that the IoT crisis ranges much wider—and is far from over.
In the case of the hoax North Korean missile strike, first reported by the Mercury News, Laura Lyons of Orinda, California, and her family had already called 911 before realizing they'd been pranked. A hacker found a username and password combination that had been exposed in a previous data breach to break into the Lyons' Nest account, and take control of their internet-connected camera. "I want to let other people know this can happen to them," Lyons told the Mercury News.
While it seems like it should be a singular incident, the weak—or often nonexistent—credentials that protect routers, networked printers, and webcams represent a ubiquitous crisis. It's often trivial for attackers to nab the keys to the kingdom. From there, they can infect gadgets with malware to monitor web traffic, or conscript devices into larger collective computing armies known as botnets. Or they can play North Korean missile pranks.
"As the benefits and hype of IoT grows, challenges in securing these systems may have been sidestepped. I can keep on going forever about the problems" says Jatin Kataria, a research scientist at the embedded device security firm Red Balloon. "This won't be the last report of this type we will be seeing."
"We have windows in a house, but we also use curtains for privacy. It's the same with IoT devices"
Jatin Kataria, Red Balloon
That Nest devices were hit proves particularly illustrative. Compared with low-budget IoT companies that put little thought into security, Nest has strong defenses, including consistent HTTPS web encryption and extra cryptographic protections for video streams. The company also doesn't hardcode administrative credentials, a relatively common practice that lets attackers simply look up one password use it to access every unit of a device they can find.
But however difficult it may be to actually hack a Nest camera through a vulnerability, attackers can still find ways to steal passwords and essentially waltz through the front door. Nest says that attackers in this recent wave of incidents have found credentials compromised in breaches, and then reused them on other accounts.
In the case of the PewDiePie enthusiast, Motherboard reports that the hacker, who goes by SydeFX, has compromised thousands of Nest cameras using this login matching technique, often called "credential stuffing."
The December baby-monitor incident in Houston had similar elements. After their initial, justified horror, parents Ellen and Nathan Rigney turned off devices and Wi-Fi throughout their house while they called the police and tried to understand what was going on.
"Nest was not breached," the company, which is owned by Google, told WIRED in a statement responding to questions about the North Korean missile fraud. "These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of the security risk."
Enabling two-factor means that even if an attacker discovers your account password, it will still be difficult for them to actually succeed in accessing the account. Unless you're being personally targeted or are pulled into a two-factor phishing scheme, the added protection will be solid. While Nest offers two-factor authentication, it's not turned on by default. Nest also confirmed Tuesday that it's adding a permanent feature to prevent owners from using passwords that had previously been exposed in a known breach to protect their Nest accounts.
"What we can do right now until IoT defense gets more mature is to achieve security through depth," Red Balloon's Kataria says. This means taking as many precautions as possible like using strong, unique passwords and turning on two-factor when available to protect IoT devices. Kataria adds that he personally takes additional steps in his home like quarantining his IoT devices on a separate Wi-Fi Network. But even if you don't want to go that far, he emphasizes simply adding as many protective layers as you can.
"We have windows in a house, but we also use curtains for privacy," notes Kataria. "It's the same with IoT devices. Make it harder for the attackers to perform these wicked endeavors."