A California family has described the ‘sheer terror’ it experienced after its smart security camera began broadcasting a bogus warning that three North Korean missiles were heading to Chicago, Los Angeles, and Ohio.
Laura Lyons, a resident of Orinda, California, told the Mercury News of the scare her family had on Sunday when an internet-connected Nest security camera, sitting on top of a television, broadcast a terrifying warning of intercontinental ballistic missiles launched by Pyongyang.
“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate,” Lyons said Monday. “It sounded completely legit, and it was loud and got our attention right off the bat… It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”
Lyons’ eight-year-old son was so scared he crawled beneath the family’s rug.
Chances are the cold-hearted hackers were watching the entire panic through the family’s hacked Nest camera.
Before the incident, Laura Lyons and her family had not even been aware that the security camera contained speakers, let alone that the device was at risk of being hacked.
It took some time, and phone calls to Nest and the emergency services, to confirm that the missile strike warning had been a hoax and was likely to have been perpetrated by a hacker who had been able to access the device by using passwords exposed in a separate hack.
In other words, in all likelihood the Nest company – owned by Google – had not been hacked itself but rather the security camera in the Lyons’ home was vulnerable to being hacked because the family had made the mistake of using the same passwords that they had already used elsewhere on the internet.
Such password reuse is sadly one of the most common mistakes people make online. You should always use a unique password for each of your accounts and if you cannot remember it (which is almost certainly the case if you have chosen a unique, hard-to-crack password) then investing in a decent password manager is a sensible decision.
The family’s concern turned to anger, however, when Nest admitted that a number of Nest camera owners had had a similar experience in recent weeks – although none which had warned of an imminent missile strike.
Readers may well recall one case we described last month, where a Canadian hacker commandeering control of a Nest camera told its Phoenix-based owner how to better secure it.
The Lyons family would most likely not have had such a scare if they had taken the sensible step of using a unique, hard-to-crack password and enabled two-step verification (2SV) on their Nest app.
In a statement Nest said it was introducing features to harden the security of its IoT cameras:
“We take security in the home extremely seriously, and we’re actively introducing features that will reject compromised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.”
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.