Hands up who reuses the same password everywhere, even with your Nest. Keep your hand up if you like being spied on by hackers
OK, you, yes, you: You need to read this the most
Nest has urged its customers to not reuse passwords between their smart home gizmos and other websites and services.
This comes after miscreants were spotted taking usernames and passwords leaked or stolen from other websites, and using them to attempt to log into Nest accounts and hijack the internet-connected home gadgets, a type of attack known as credential stuffing.
Rishi Chandra, general manager of the Google-owned smart home outfit, sent an email to all Nest customers on Wednesday noting that the manufacturer had "heard from people experiencing issues with their Nest devices" before running through some security tips to secure their accounts.
Last week, we reported how one bloke, Arjun Sud, realized with horror that trolls had got into his family's account, and used it to change the temperature of their home in Illinois, USA, as well as talk to his seven-month-old baby and shout obscenities into the family's living room. They had no idea how long the scumbags had been watching the family that reportedly had 16 security cameras dotted around their home.
It seems this was not the only occasion. And according to Nest, the likelihood is that dirtbags are trying out usernames and passwords dumped online from unrelated website security breaches, to access Nest accounts where credentials have been reused.
"Even though Nest was not breached, customers may be vulnerable because their email addresses and passwords are freely available on the internet," Chandra's email warned. "If a website is compromised, it's possible for someone to gain access to user email addresses and passwords, and from there, gain access to any accounts that use the same login credentials."
Nest claims to proactively look out for passwords being spilled online, "and when compromised accounts are found, we alert you and temporarily disable access. We also prevent the use of passwords that appear on known compromised lists."
It's a big ugly world out there, though, and so the gizmo biz provides some tips for better account security: use its two-factor authentication service; choose a strong password that you use only for your Nest account; don't share your account login but use the company's shared access service to allow others to your account; keep your router software up-to-date; and be on the lookout for phishing emails.
Internet of shit
Internet-of-things and smart home products are notorious for their terrible security, though Nest is one of the few companies that bakes protection mechanisms into its products from day one. It doesn't matter how many defenses a manufacturer crams in, however, if someone uses the same username and password elsewhere, without multi-factor authentication, or uses a weak password.
Amid polar vortex... Honeywell gets frosty reception after remote smart thermostat tech freezes up for a weekREAD MORE
Given the extremely creepy nature of a complete stranger having access to your home remotely, any security cameras, smoke alarms, thermostats and even potentially the front door if someone has the Nest-Yale door lock, netizens should be highly motivated to lock down their accounts, suggesting that it is a simple lack of awareness that causes them to be lax.
Nest could, of course, do more. It doesn't, for example, provide users with an access log so they can see if something unusual has happened. And it doesn't provide advanced security options such as limiting access to approved IP addresses.
That said, the recent account hacks can no doubt be put down to the nearly universal lack of understanding of electronic security that exists among the majority of internet users.
Even if you don't have a Nest, don't reuse the same passwords across your devices. Also, set up two-factor or multi-factor authentication where possible, and be vigilant for phishing emails that try to trick you into entering your username, password, and authentication code. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust