Over the past few weeks, a pair of horrifying headlines have turned unwarranted fears about smart homes into reality:
- “‘5 minutes of sheer terror’: Hackers infiltrate East Bay family’s Nest surveillance camera, send warning of incoming North Korea missile attack,” reported the Mercury News.
- “Homeowner’s Blood ‘Ran Cold’ as Smart Cameras, Thermostat Hacked, He Says,” wrote Chicago’s NBC5.
But today, Nest released its counter—an email to customers saying definitively, “Nest security has not been breached or compromised.”
So what’s going on with these terrifying intrusions of privacy? Plainly stated, Nest is placing the blame on owners of its products who have been reckless with their passwords. But that shouldn’t be the end of the issue. The smart home company also deserves a slice of the blame pie.
According to the email from Rishi Chandra, the company’s vice president and general manager, Nest users may have been targeted because the Internet is overflowing with email addresses and passwords that have been sucked up in countless data breaches of other, less tech-savvy companies.
“For example, if you use your Nest password for a shopping site account and the site is breached, your login information could end up in the wrong hands,” writes Chandra. “From there, people with access to your credentials can cause the kind of issues we’ve seen recently.”
Faceless Dark Web hackers selling login info online makes for a convenient scapegoat—even if there is an abundance of truth to Nest’s claims. But a vulnerability that large and obvious shouldn’t stop the one of world’s tech-savviest companies from buttoning up that hole as tightly as possible.
In the email, Chandra says Nest, a part of Google and one of the world’s largest tech conglomerates, Alphabet, proactively scours the web for accounts compromised by breaches and prevents passwords that appear on known lists, a proactive step that sounds similar to Google’s new Password Checkup tool. It also recommends that users enable two-step verification (also known as two-factor authentication, or 2FA) and use strong passwords to block unauthorized users from accessing their camera, thermostats, smoke detectors, and other smart home devices.
These are smart tactics, to be sure, but they aren’t best practices. As a long-time Nest user, I cannot recall ever being prompted by the app or website to sign up for 2FA. And until I started writing this piece, I have never changed my password, dating back to at least 2016. In fact, though Nest currently requires a string of “at least 8 characters, including upper and lowercase letters, numbers, and symbols,” my now-defunct password didn’t meet those requirements. A better suggestion would be for Nest to require its customers to employ 2FA. In addition, it could issue a mass-password reset, prompting old users like me to get up-to-date on the company’s requirements.
Taking the security a step further, the company also could integrate support for password management apps like 1Password or LastPass into the Nest app. These kinds of password vaults make and store passwords so complex that they’re nearly impossible to crack (or remember). I used one myself to make my Nest hacker-proof, just now.
But in my defense, the reason I originally recycled the password for my Nest account wasn’t just because I’m lazy. It’s because oftentimes Nest camera feeds fail, and the only thing you can do to reboot them is to log out of the app. When it’s 3 a.m. And I want to check in on my sleeping children, plugging in a string of random characters to reset the app is untenable. But, that’s the state of Nest’s security today, I guess.
Nest did not reply to a request for comment about its email customers, so it’s unclear if the company has ever prompted users to sign up for 2FA, beyond announcing the security feature in 2017. What is clear is that the increasingly popular security measure is not required by an app that can allow hackers to peer into a house, crank up (or lower) its heat, and test its smoke alarms. In plain terms, that’s dangerous.
In recent years, Nest has had its share of growing pains, but it has grown nonetheless. Adding products, services, and features has been necessary to keep it at the top of the smart home category. So in the face of such horror stories, why doesn’t Nest require something as simple as a password reset for all its users, have its app push 2FA security at login, or—even bolder—just require that users implement it?
Perhaps because it’s easier and cheaper simply to blame users.
