This article originally appeared in Infosecurity Magazine on January 25, 2019.
Multiple consumers have reported being terrified after hackers infiltrated the Nest cameras in their homes, with one malicious actor making claims of a North Korean missile threat, according to CBS News.
California resident Laura Lyons reported that malicious actors gained control of her Nest security camera, which belted out a terrifying emergency alert warning them to find shelter because three missiles from North Korea were headed to the US.
Another family in South King County, Washington, reported a hacker gained access to their Nest security camera and verbally assaulted the mother and children, according to K5 News.
What consumers might not understand, though, is that it’s not vulnerabilities that are causing this. “It is the reuse of existing passwords that have already been exposed in previous attacks,” said Laurence Pitt, security strategy director, Juniper Networks.
“If people want to keep these important devices safe, they need to use strong and unique passwords at a minimum, and make the investment in a password management tool (1Password, my favorite, or LastPass, for example). This can help to create strong passwords and then stores them in a safe place so that there’s no need to try and remember them all,” Pitt said.
In a prepared statement shared with Infosecurity, Nest confirmed that there indeed was no vulnerability or breach. “These recent reports are based on customers using compromised passwords [exposed through breaches on other websites]. In nearly all cases, two-factor verification eliminates this type of the security risk.
“We take security in the home extremely seriously, and we’re actively introducing features that will reject comprised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.”
News of the hacks has raised questions about who is responsible for the security of in-home connected devices. “Consumers will need to rethink how much of a security risk they’re willing to take in exchange for the convenience of a connected device, appliance, or car,” said Pat Ciavolella, digital security and operations director for The Media Trust.
“The problem with consumers, as I see it, is understanding the security vs. convenience trade-off. It’s a tough choice for companies to make: potentially frustrate a customer by forcing them to do a password reset or allowing the customer to have convenience at the expense of their privacy and/or security,” said Lisa Plaggemier, chief evangelist, InfoSec Institute.
“Consumers are very quick, it seems, to choose convenience. Even when consumers exhibit bad security habits that make them vulnerable (in this case, using the same password on multiple accounts), when something goes wrong, the consumer blames the device provider.
“Bottom line: If more companies would adopt the measures Google is putting in place (forcing password resets, and preventing breached credentials from being reused), I think consumers would start to accept it as ‘normal’ instead of an inconvenience.”