Hijacked Nest devices highlight the insecurity of the IoT

IoT devices, such as Nest cameras and thermostats, continue to be hacked. To prevent that, follow smart password practices and turn on 2FA.


People who purchase Internet of Things (IoT) devices, such as Nest thermostats and security cameras, likely don't realize the potential problems that can arise if the services go down, like they did recently with Nest thermostats — making it impossible to keep a house warm in winter or cool in summer. Nor are they aware that hackers could take control of their devices if they don't follow smart password practices, such as not reusing passwords and setting up two-factor authentication (2FA).

But they are learning the hard way. Recently a family had their Nest camera hijacked, and the hacker had it blare fake warnings about North Korean intercontinental ballistic missiles heading for the U.S. Then there's the Texas couple who, in December, heard “sexual expletives” coming from the Nest Cam baby monitor in their 4-month-old son’s room. The mom, Ellen Rigney, said, “So we turned on the light in our room, we turned that camera on, and he told us to turn off the light and said I’m going to kidnap your baby — I'm in your baby’s room.” Thankfully there was not actually a kidnapper in their baby’s room.

Fast forward to January, and there are more frightened Nest owner parents. An Illinois family told NBC they heard a deep male voice coming from a Nest security camera in their 7-month-old baby boy’s room. Not only had the hacker taken control of the camera, but he had remotely cranked up the Nest thermostat to 90 degrees!

Arjun Sud, who owns $4,000 worth of Nest IoT products, including 16 Nest cameras, two Nest thermostats and a security system, said he hadn’t used 2FA because he didn’t know it was an option. He says Google and Nest should have alerted him about the 2FA option and “notified him when someone else accessed his account.” He called it a “blame game where they (Google/Nest) blamed me, and they walked away from it.”

As for the hijacked devices, Google has said:

Nest has reset all the accounts where customers reused passwords that were previously exposed through breaches on other websites and published publicly. Even though Nest was not breached, these customers were vulnerable because their credentials were freely available on the Internet. Each customer has received instructions on how to establish new credentials. For added password security, we're preventing customers from using passwords which appear on known compromised lists. As before, we encourage all customers to use two-factor verification for added account security, even if your password is compromised.
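Nest's statement says it now rejects passwords that appear on known compromised lists. The following is an added illustration, not Nest's or Google's code, of how such a check is commonly built: a constructed sample breach list stands in for a real corpus, and the lookup uses the SHA-1 hash-prefix range-query pattern that public breached-password services use, so the full password hash never leaves the client.

```python
import hashlib

# Constructed sample of "known compromised" passwords; a stand-in for a real
# breach corpus, which would hold hundreds of millions of entries.
SAMPLE_BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "nest1234"]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form breach corpora are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Index breached hashes by their first 5 hex chars (prefix -> set of suffixes)."""
    index = {}
    for pw in passwords:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_lookup(index, prefix: str):
    """Server side of a range query: given only a 5-char prefix, return every
    suffix sharing it. The server never learns which full hash the client holds."""
    return index.get(prefix, set())


def is_compromised(password: str, index) -> bool:
    """Client side: hash locally, send the prefix, match the suffix at home."""
    digest = sha1_upper(password)
    return digest[5:] in range_lookup(index, digest[:5])


def check_new_password(password: str, index, min_length: int = 8):
    """Policy applied when a customer sets a password. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if is_compromised(password, index):
        return False, "appears in a known breach list"
    return True, "ok"


if __name__ == "__main__":
    breach_index = build_breach_index(SAMPLE_BREACHED_PASSWORDS)
    for candidate in ("password", "short", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate, breach_index))
```

Screening only blocks passwords already known to be exposed; it does not stop an attacker who already holds a reused credential, which is why the statement pairs it with two-factor verification.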

Also recently, Nest fixed a bug that, from Jan. 25 to 30, caused the IoT camera’s green indicator light to come on as if someone were accessing the live view mode. Nevertheless, it frightened a group of moms who believed their cameras had been hacked.

But Nest is just one brand of IoT devices, a mere drop in a swelling ocean of “smart” devices — many of which have pathetic security.

More IoT security news

Hacker exploits LIFX mini smart light bulb flaws to extract Wi-Fi credentials, encryption key

It took a hacker less than an hour to hack a smart light bulb and extract the Wi-Fi username and password, which was stored in plaintext on the connected bulb’s memory. The security researcher, going by LimitedResults, demonstrated three vulnerabilities in an internet-connected LIFX mini white light bulb. Besides extracting the user’s Wi-Fi credentials from the LIFX mini, an IoT device that costs $20 to $25, LimitedResults also extracted the RSA private encryption key and root certificate, as well as discovered the device had no security settings whatsoever. Despite the failings, LIFX claimed “data security is a priority” when it announced new firmware that closed the three gaping security holes. It is worth noting that this is not the first time the company has been accused of shoddy security that exposed Wi-Fi passwords.

Spying capabilities of secret security camera in smart lamp

Besides the security pitfalls in the insecure IoT, there is a plethora of privacy pitfalls. Even if you don’t personally embrace IoT, you could potentially still come under its surveillance umbrella by doing nothing more than staying at an Airbnb rental.

Digital Trends pointed out that Panasonic’s HomeHawk floor lamp, as seen on Indiegogo, comes with a tiny hidden security camera that has a 140-degree wide-angle lens, motion detection, color night vision and HD recording, and lets owners view live footage. In theory, the lamp’s owner could get away from the “ugly and obvious” mounted security cameras, but the capabilities take on a much more sinister tone when considering it could be used in an Airbnb.

“Think about where these things could be placed,” Digital Trends added, “spying on us without us knowing it: doctor’s offices, rental houses, public bathrooms, the living rooms or bedrooms of our significant others, hotel rooms. You get the idea. If home surveillance technology is making its way into a benign floor lamp, what’s next? A spying couch?”

State of IoT security report reveals systemic security and privacy hazards

A recent State of IoT Security Report (pdf) by Pepper IoT and Dark Cubed found some flaws, such as in an IoT light bulb, were so serious that “it is beyond what could be considered a mistake.” The researchers pointed out, “When you have to open up a line of communications to China and enable real-time location sharing just to dim a lightbulb, you should be concerned.”

After Dark Cubed purchased a dozen off-the-shelf IoT devices from retailers such as Walmart, Best Buy, Amazon and MicroCenter, the cybersecurity firm found that “by installing just 12 IoT devices” our “personal information and other data began spreading across the globe.” The accompanying map with the report drills the fact home.

The researchers were “shocked” by the findings, and “coming from security experts that expected things to be insecure, that is saying something. While we certainly expected to find vulnerabilities and weaknesses, the obvious nature of the security flaws we found was surprising. These flaws were so blatant and obvious that it is more than just a mistake, it is a systemic issue that needs to be addressed.”

Scott Ford, CEO at IoT platform and service provider Pepper IoT, said, “Just as retailers wouldn’t sell unsafe toys, tainted lettuce or products with toxic chemicals, they have a responsibility to sell safe and secure IoT devices to consumers.”

Dark Cubed CEO Vince Crisler added, “If we do not address the problem of insecure consumer IoT devices and the lack of respect for consumer privacy soon, it is going to be too late. Just because the space is complex and rapidly developing is not an excuse for retailers and regulators to turn a blind eye. In fact, the opposite is true. Retailers must consider security as a part of their buying processes and government must consider regulations that focus on consumer protections.”

Copyright © 2019 IDG Communications, Inc.
