If a Google Nest account is compromised by a malicious hacker, that’s not just bad news for the legitimate owner of the account, it’s also bad news for Google.
Google doesn’t want its family of home products – ranging from smart speakers, thermostats and smoke detectors to security cameras and doorbells – to gain a reputation for poor security.
News stories about families being ‘scared to death’ by a hacked Nest security camera warning of an imminent missile attack or hackers telling owners via the speaker how to fix their IoT security might seem funny at first, but they’re no laughing matter.
And upset customers damage the reputation of Google Nest and Google’s brand.
So I wasn’t that surprised to hear that Google has announced that it is encouraging users to strengthen their security.
Google thinks one of the best ways to do that is to migrate your Nest account to a Google account.
But if you aren’t willing to switch to a Google account for your Nest then in the next few months Google will start enforcing an extra layer of account protection on its users:
“Two-factor authentication has long been available to all users as a way to prevent the wrong person from gaining access to your account, even if they have your username and password. Starting this spring, we’re requiring all Nest users who have not enrolled in this option or migrated to a Google account to take an extra step by verifying their identity via email.”
So, how does that extra step work?
Google says you will receive an email from [email protected] with a six-digit verification code (rather like the ones that can be generated by authentication apps or a key fob your company may have given you to log into your corporate network when working remotely).
If you don’t enter the verification code then you won’t be able to access your Nest account.
An unauthorised party will certainly find it much harder to break into your Nest account with this system in place – unless, of course, they also have access to your email account!
In addition, Google says that it has already put in place additional security measures in an attempt to reduce the likelihood of automated attacks, such as credential stuffing, succeeding.
Other measures the company has taken include introducing login notifications: every time someone logs in to a Nest account, the account owner will automatically receive an email message telling them, so action can be taken immediately if required.
Furthermore, Google says it is now checking passwords to see if they might have been exposed in past breaches of login credentials at third-party sites, or if they are easy to guess. If your password has previously been seen in a breach, it’s not a good idea to reuse it for your Nest (or indeed any other) account.
Password reuse is one of the most common mistakes made and also one of the riskiest things you can do on the internet. You should have unique passwords for each account – and if you find it hard to remember them all (I can’t imagine how you could remember them all) you should use a decent password manager to do the job for you.
Don’t make it any easier for your IoT devices to be compromised. Strengthen the security on your Nest devices by following Google’s advice.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.