Hijacked Nest camera blares warning about North Korean missiles headed to U.S.

A hacker hijacked a Nest security camera and blasted a warning about three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago, and Ohio.

Hijacked Nest camera blares warning about North Korean missiles headed to U.S.
Google
Current Job Listings

Imagine watching a football game on TV when your Sunday afternoon is ruined by a detailed warning being blasted out about “three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago and Ohio.” Except the emergency warning did not affect the TV – the football game kept going, CNN and other news station didn’t mention it all. That’s when a Bay Area family realized the warning came from the Nest security camera sitting on their TV. They hadn't even realized their Wi-Fi connected Nest camera had a speaker or a microphone.

Regarding the nuclear attack warning, Laura Lyons told The Mercury News:

“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate,” Lyons said Monday. “It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”

Eventually, Nest told the Lyons a hacker had likely gained access to their camera thanks to credentials harvested from a third-party data breach. Google, which owns Nest, claimed the cameras being hijacked are due to customers using compromised passwords and using two-factor verification would eliminate the security risk is “nearly all cases.”

The Lyons family was the first known victim of an imminent nuclear attack warning coming from a hacked Nest camera, but there have been plenty of other scary hoaxed threats coming from hijacked IoT devices. The Lyons, who had no idea this was an actual thing, believe Nest has “a responsibility to let customers know if that is happening. I want to let other people know this can happen to them.”

Other cybersecurity news

Bomb threat and sextortion spammers abuse GoDaddy authentication weakness

Speaking of fake but frightening warnings, Brian Krebs reported that the attackers behind the bomb threat emails sent in December — as well as those behind sextortion spam — abused an authentication weakness at GoDaddy to hijack more than 5,000 domains. The majority of the “domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies.”

GoDaddy may be the world’s biggest domain name registrar, but researchers Matthew Bryant and Ron Guilmette told Krebs that GoDaddy and other managed DNS providers don’t do much checking when someone with an existing account claims ownership over a domain that actually controls a domain name.

There are some big, recognizable company names on the list of over 4,000 domains abused in the 2018 spam bomb threat hoax campaign. GoDaddy, for example, has over 100 DNS servers. The spammy attackers were able to hijack domains after creating a free account at GoDaddy that was assigned the same DNS servers used by Virtualfirefox.com, owned by Mozilla, and then claim ownership of that domain. Afterwards, they told GoDaddy to allow email to be sent with that domain from an internet addresses under their control. In the Spammy Bear campaign, it was a server in the Russian Federation.

GoDaddy admitted to Krebs on Security, “After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process.”  

Bryant added, “A lot of providers are of the opinion that it’s down to a user mistake and not a vulnerability they should have fix. But it’s clearly still a big problem.”

SUBSCRIBE! Get the best of CSO delivered to your email inbox.