January 24, 2019

Picture the scene.

It’s an ordinary day.  You’re at home with your partner and children when, all of a sudden, you hear:

ALERT! This is an emergency broadcast.  Three North Korean missiles have been launched towards London, Manchester and Edinburgh.  The British Government have retaliated against Pyongyang and you should evacuate affected areas immediately.  The strike is expected to hit within three hours, please evacuate immediately.

It sounds like something straight out of a movie, right?  Unfortunately, a California family experienced a similar event, in what they could only describe as “sheer terror”, when their Nest smart security camera began broadcasting a similar message: that three missiles were inbound to Chicago, Los Angeles and Ohio.

It had been an ordinary day for the mother of the family, Laura Lyons, when she heard the “legitimate-sounding emergency warning” and thought they had only hours to evacuate:

It sounded completely legit, and it was loud and got our attention right off the bat… It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.

In fact, Lyons’s 8-year-old son was so terrified that he crawled underneath a rug.

In the following 30 minutes, Lyons called the emergency services and also Nest, and was able to confirm that the warning was in fact a hoax, with a Nest customer service supervisor suggesting that their Nest security camera may have even been hacked.

Prior to the incident, the family had not even known that the security camera was capable of audio output, never mind that the device could be hacked, so they were understandably worried when they heard the initial broadcast.

So, was Nest’s overall security breached or was it a device specific issue?

Despite reports circulating online to the contrary, it is most likely that the Lyons family’s security camera itself was hacked due to password vulnerabilities, as opposed to Nest’s overall security being breached.  It’s also possible that the hackers actually watched the family’s reaction, live, via the compromised security camera.

Yet, the possibility of a hack inducing five minutes of “sheer terror” should provide us all with a very timely lesson about our use of internet-connected devices (often referred to as the Internet of Things or “IoT devices”) and how to protect them.

In this case, the Lyons family had made the common mistake of reusing a password that had been used for another online service or account – which was likely compromised and then used to compromise the Nest security camera.

Passwords are so often reused time and time again on the internet, often without much consideration as to the impact their reuse could have.

Will it happen again?

Chances are, most definitely.  As this issue is specific to the individual device, it’s highly likely that owners of other internet-connected devices, such as the Nest security camera, will also suffer similar hacks unless they take action to prevent it.

In fact, it didn’t take long for the Lyons family to grow (understandably) angry after they learned that a number of Nest camera owners had also experienced similar hacks in recent weeks, albeit not warnings of imminent missile strikes in those cases.

How can internet-connected devices be secured?

  • Be sure to always use a unique password for every single account
  • If the above sounds a tough ask (it is!) then we recommend making use of a reputable password manager
  • Enable two-factor verification (or two-step authentication as it is also known) on the device (in this specific case, the Nest app).

I’ve got a Nest device – what can I do?

If you’re a Nest device user, we’d recommend navigating to nest.com and then clicking the icon in the top right-hand corner of the screen.  Here, you will see Account Security > 2-Step Verification; set this to ON.  You’ll then need to link this up to your mobile number.

Google, the owners of Nest, have provided a statement since the incident in which they explained:

We’re actively introducing features that will reject compromised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.
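One way a service can reject passwords that have already leaked elsewhere, which is the reuse problem described above, is to check each new password against a breach corpus at sign-up or password change. The sketch below is an added example, not Nest’s or Google’s code: the sample corpus, function names and minimum length are assumptions made up for illustration, and the lookup only ever sends a 5-character hash prefix to the breach-data side.

```python
import hashlib
from collections import defaultdict

# Constructed sample: passwords assumed to have leaked from some other service.
# A real deployment would load a corpus of breached SHA-1 hashes instead.
SAMPLE_BREACHED = ["password123", "letmein", "Summer2018!"]


def sha1_hex(password):
    """Upper-case hex SHA-1, used only as a lookup key (not for password storage)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(breached_passwords):
    """Index the corpus as 5-character hash prefix -> set of 35-character suffixes."""
    index = defaultdict(set)
    for pw in breached_passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def range_lookup(index, prefix):
    """Breach-data side: receives only a hash prefix, returns every matching suffix."""
    return index.get(prefix, set())


def is_compromised(password, index):
    """Account side: compare the full hash locally against the returned suffixes."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(index, digest[:5])


def validate_new_password(password, index, min_length=8):
    """Return (accepted, reason) for a password chosen at sign-up or reset."""
    if is_compromised(password, index):
        return False, "found in breach corpus"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


INDEX = build_index(SAMPLE_BREACHED)

if __name__ == "__main__":
    for candidate in ["password123", "short", "correct horse battery staple"]:
        print(candidate, "->", validate_new_password(candidate, INDEX))
```

A reused password is rejected here even when it is long and looks complex, because the check is about exposure, not strength.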

 
