Do you have a Nest product in your home? Nest, best known for
Nest makes several home devices along with their market-leading thermostats. They make webcams, smoke and carbon monoxide detectors, locks, video doorbells and a security system, all interconnected and manageable via an app or the web. In other words, all connected to the internet. This makes them incredibly convenient, but also incurs some risk, as do all connected devices. While I mention Nest by name, many manufacturers could be at risk.
Here’s the issue. Nest has had some embarrassment of late, where hackers have been able to gain access to user accounts and take control of the devices in someone’s home. Reports reference thermostats changing temperature when the owner of the device was not the one to make the change. More concerning are reports of Nest’s webcams being taken over by hackers.
In the case of the webcams, hackers could watch what is happening in the home. Perhaps more disturbing are the reports of hackers using the webcam’s microphone and speaker to actually interact with someone in the home. In effect, the hackers are able to break into the home without ever physically being there. In one recent report, the hackers played pornographic sounds through the webcam, which was located in a child’s room. Frightening.
Many reports suggest this is possible because companies like Nest only require a username and password to log in to these devices. These manufacturers worry that making login more complex, such as requiring two-factor authentication or using other methods to verify the user is who they say they are, will make users look to easier-to-use products. In response to the well-publicized issues with Nest’s products, the company asked users to enable a two-step login process that relies on entering a unique code sent to the user via text message when logging in. This is a step in the right direction, albeit long overdue and in response to negative press, instead of a proactive approach to making sure their products are as safe as possible from hackers.
Another reason these types of vulnerabilities exist is that many people use weak passwords. Additionally, a majority of people use the same username and password to access multiple sites. The problem is that when one of these sites is hacked and user credentials are stolen, they are often posted online and then used to gain access to accounts at other sites. A practice known as credential stuffing is often employed. This is where hackers use software to test known usernames and passwords against online sites, to see if the hacker can get into your account. It’s not as complicated as it may sound.
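From the defending site's side, credential stuffing leaves a recognizable trace in login logs: one source tries many different accounts, usually once each, and a few logins succeed. The following is an added example, not code from Nest or from this article, showing how a service could flag that pattern; the event format, thresholds and sample data are assumptions made for illustration, and the contrast with repeated guessing against a single account goes slightly beyond what the text above describes.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
# IPs come from documentation ranges; usernames are made up.
SAMPLE_EVENTS = (
    # 12 different accounts, one try each, one success: a leaked-list replay
    [("203.0.113.7", f"user{i}@example.com", i == 4) for i in range(12)]
    # one account, 15 failed guesses: repeated guessing, not stuffing
    + [("198.51.100.9", "alice@example.com", False)] * 15
    # an ordinary user who mistyped a password once
    + [("192.0.2.10", "bob@example.com", False),
       ("192.0.2.10", "bob@example.com", True)]
)

def classify_sources(events, min_accounts=10, max_tries_per_account=2.0,
                     min_guesses=10):
    """Label each source IP by the shape of its login attempts.

    Thresholds are illustrative assumptions; tune them on real traffic.
    """
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, user, ok in events:
        per_ip[ip][user].append(ok)

    verdicts = {}
    for ip, users in per_ip.items():
        attempts = sum(len(tries) for tries in users.values())
        tries_per_account = attempts / len(users)
        if len(users) >= min_accounts and tries_per_account <= max_tries_per_account:
            # Many accounts, about one try each: known pairs are being replayed.
            verdicts[ip] = "credential_stuffing"
        elif max(len(tries) for tries in users.values()) >= min_guesses:
            verdicts[ip] = "password_guessing"
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts where a flagged source logged in: the reused password worked."""
    return sorted({user for ip, user, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})

if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v)
    print("force password reset for:", accounts_to_reset(SAMPLE_EVENTS, v))
```

The accounts returned by `accounts_to_reset` are the ones where a reused password let the source in, so they are the ones to lock and notify first.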
Obviously, the best defense is a good offense. You should use a unique username and password combination for every web site you log in to. You should enable two-factor authentication everywhere it is supported. If it’s not, you should seriously consider not using the site or product until it is. How can you find out if your user accounts have been compromised? Check the web site https://haveibeenpwned.com. Enter your email address and the site will let you know if your account has been exposed and if so, which website exposed it. Make sure you change the password on that site, or delete your account completely if you no longer need it.
Most importantly, if you have accounts that have been breached, be absolutely sure you change your password on any site where you may have used the same password. Even if you are fortunate enough not to have one of your accounts exposed, do some digital spring cleaning. Check your online accounts and be sure each one uses a unique and complex password. You’ll be glad you did.