In separate incidents, hackers terrorize camera owners by taking advantage of poor password hygiene.
Dozens of Nest camera owners were contacted this week by a disembodied voice urging them to subscribe to PewDiePie’s YouTube channel. A voice from a Nest security camera informed a family of three on Sunday that North Korean missiles were on their way to Ohio, Chicago, and Los Angeles. A couple was startled out of bed in December when they heard sexual expletives coming from their baby’s room through a monitor. Then, on their Nest cameras, they heard a hacker say, “I’m going to kidnap your baby, I’m in your baby’s room.”
Hackers accessing live feeds from video baby monitors have been the epitome of internet of things security woes for years. However, this new wave of startling webcam takeovers serves as a stark reminder that the IoT crisis is much broader—and far from over.
Laura Lyons of Orinda, California, and her family called 911 before realizing they’d been pranked in the case of the hoax North Korean missile strike, first reported by the Mercury News. A hacker used a username and password combination found in a previous data breach to gain access to the Lyons’ Nest account and control of their internet-connected camera. “I want other people to understand that this can happen to them,” Lyons told the Mercury News.
While it appears to be a one-time occurrence, the weak—or often nonexistent—credentials that protect routers, networked printers, and webcams represent a widespread crisis. It is frequently simple for attackers to obtain the keys to the kingdom. They can then infect devices with malware to monitor web traffic, or they can conscript devices into larger collective computing armies known as botnets. They could also play North Korean missile pranks.
“As the benefits and hype surrounding IoT grow, challenges in securing these systems may be overlooked. I could go on and on about the issues,” says Jatin Kataria, a research scientist at Red Balloon, an embedded device security firm. “This is not the last report of this type we will see.”
The fact that Nest devices were targeted is particularly telling. In comparison to low-budget IoT companies that don’t prioritize security, Nest has strong defenses, such as consistent HTTPS web encryption and additional cryptographic protections for video streams. In addition, the company does not hardcode administrative credentials, which is a relatively common practice that allows attackers to look up a single password and use it to access every unit of a device they can find.
However, regardless of how difficult it is to hack a Nest camera via a vulnerability, attackers can still find ways to steal passwords and essentially waltz through the front door. According to Nest, attackers in this recent wave of incidents discovered compromised credentials in breaches and then reused them on other accounts.
Motherboard reports that in the case of the PewDiePie fan, the hacker known as SydeFX compromised thousands of Nest cameras using this login-matching technique, also known as “credential stuffing.”
Similar elements were present in the December baby monitor incident in Houston. Following their justified shock, parents Ellen and Nathan Rigney turned off all devices and Wi-Fi in their home while they called the police and attempted to figure out what was going on.
“Nest was not breached,” Google-owned Nest said in a statement in response to questions about the North Korean missile hoax. “These recent reports are based on customers who used weak passwords (exposed through breaches on other websites). Two-factor authentication eliminates this type of security risk in almost all cases.”
Enabling two-factor authentication means that even if an attacker discovers your account password, accessing the account will be difficult. Unless you are personally targeted or are drawn into a two-factor phishing scheme, the additional security will be adequate. While Nest provides two-factor authentication, it is not enabled by default. Nest also confirmed on Tuesday that it is implementing a permanent feature that will prevent owners from using passwords that were previously exposed in a known breach to protect their Nest accounts.
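The breached-password check Nest describes can be built so that the service never learns the user's full password hash. The following is an added illustration, not Nest's code: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, and matches the remaining suffix at home (the k-anonymity "range query" pattern). The breach corpus here is a constructed five-entry sample; a real deployment would hold a full breached-password list or query a breach-list service.

```python
import hashlib

# Constructed sample breach corpus (hypothetical, for illustration only).
_SAMPLE_BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "nest1234"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; computed on the client only."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-char hash prefix -> {35-char hash suffix: times seen}
BREACH_INDEX: dict[str, dict[str, int]] = {}
for _pw in _SAMPLE_BREACHED_PASSWORDS:
    _h = sha1_hex(_pw)
    _bucket = BREACH_INDEX.setdefault(_h[:5], {})
    _bucket[_h[5:]] = _bucket.get(_h[5:], 0) + 1


def range_query(prefix: str) -> dict[str, int]:
    """Server side of the lookup: all it learns is a 5-character prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(BREACH_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = sha1_hex(password)
    return range_query(digest[:5]).get(digest[5:], 0)


def accept_new_password(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Password-change policy: refuse anything seen in a known breach, then length."""
    if breach_count(password) > 0:
        return False, "password appears in a known breach; choose a different one"
    if len(password) < min_length:
        return False, f"password shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "nest1234", "a-long-unique-passphrase-42"]:
        print(candidate, accept_new_password(candidate))
```

Pairing this check with two-factor authentication covers both halves of the credential-stuffing problem: a reused password is rejected before it can be set, and a password that leaks later is not enough on its own to log in.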
“We can achieve security through depth right now until IoT defense becomes more mature,” Red Balloon’s Kataria says. This includes taking as many precautions as possible, such as using strong, unique passwords and enabling two-factor authentication when available to protect IoT devices. Kataria adds that he takes extra precautions at home, such as quarantining his IoT devices on a separate Wi-Fi network. Even if you don’t want to go that far, he recommends adding as many protective layers as possible.
“A house has windows, but we also use curtains for privacy,” says Kataria. “The same is true for IoT devices. Make it more difficult for the attackers to carry out their evil plans.”