Hacker talks to baby through Nest security cam, jacks up thermostat

If the internet’s army of creeps isn’t busy blasting bogus warnings about fake nuclear warhead missiles through people’s Nest security cameras, they’re trying to parboil kids by jacking up the Nest thermostat.

A smart-home aficionado in the US state of Illinois told NBC News that he and his wife haven’t slept well in days, after a stranger accessed his Nest home security cameras and thermostats.

Arjun Sud – whom NBC described as an “avid” user of smart-home technology – told the station that shortly after he and his wife put their 7-month-old baby boy to bed on 20 January 2019, they heard a strange noise coming out of the room. When Sud went to investigate, he said, he heard a deep, male voice coming from a Nest security camera that was installed in the nursery – one of 16 he owns, in addition to a security system and two Nest thermostats.

In addition, Sud found that somebody with a) too much time on their hands and b) the password to his Nest gadgets had remotely tinkered with the thermostat, jacking up the temperature to a balmy 90 degrees Fahrenheit (32°C).

Google, which owns Nest, told NBC that it’s aware of similar reports about customers using compromised passwords that were exposed on breaches on other websites.

The advice from Google, and from cyber security experts – including, of course, from us here at Naked Security – is to use unique passwords and two-factor authentication (2FA) to keep cyber intruders from breaking into smart-home devices, be they smart thermostats, baby monitors or other internet-enabled webcams.

Sud isn’t happy with that answer. He told NBC that he didn’t know that 2FA was an option. He wants to return $4,000 worth of Nest products, he wants his money back, and he wants Google and Nest to accept responsibility for not alerting him that 2FA is an option and giving him a heads-up when somebody else accesses his account.


It was simply a blame game where they blamed me, and they walked away from it.

Sud’s wrath is understandable. It’s frightening to realize that an intruder could have been eavesdropping on what should be his family’s intimate, private conversations or spying on their child.

Still, we have to ask…

Who’s to blame, here?

Nest didn’t acquire a 2FA option until March 2017. Better late than never, it said at the time – after all, plenty of internet of things (IoT) gadgets still didn’t have it.

2FA involves authenticating yourself via not just a password, but also by a secondary code. Sometimes that code is sent via SMS – though, given phishing attacks that can nab one-time passcodes sent via text, that’s not the most secure option.

Secondary codes can also be accessed through a code-generating app such as Google Authenticator, Authy, or Sophos Authenticator (also included in our free Sophos Mobile Security for Android and iOS). Another option is a hardware 2FA key, such as Yubico or Google’s Titan.

No question, 2FA adds a security layer to authentication. But is it Google’s responsibility to make sure that Sud and other Nest users know about 2FA? And how do they know what users don’t know?

People need to take responsibility for their online safety. We should all know better by now than to reuse passwords and leave ourselves liable to dirtworms taking our credentials from one breach and stuffing them in to other online services until they gain entry, be it to our online bank accounts, our social media accounts, our smart-home gadgets, or the plethora of other places and things we want to keep locked up.

This is a well-known attack called credential stuffing. Unfortunately, it’s successful far too often, given how many people have the bad habit of reusing the same passwords in several places. It’s like somebody found a key on the sidewalk. Lo and behold, it’s the only key used to secure every house on the block. Jackpot!


(Watch directly on YouTube if the video won’t play here.)

Credit where credit’s due

To give credit where credit’s due, in May 2018, Google’s Nest division sent alerts to some users, telling them to change their passwords after it learned that their credentials had been involved in a data breach.

Google’s not alone. Facebook and Netflix, among many other big sites, also prowl the internet looking for your username/password combos to show up in troves of leaked credentials.

Sometimes they use gentle recommendations to change your password. Sometimes they lock users in a closet, as Facebook did when it found its users’ credentials had also been used on Adobe.

Don’t get locked in the closet, and don’t trust that such companies are always going to watch your back when you reuse passwords. Sometimes they will. Sometimes they won’t. Sometimes they don’t have enough time: the creeps go about credential stuffing too fast.

Instead, we should all make sure to have a unique set of credentials – one unique, strong set for every site, every service. That goes for all of us, whether or not we’re Nest users. Even if you’re sin-free, make sure your family, your friends, your colleagues and anybody else you can think of are choosing strong passwords, at least 12 characters long, that mix letters, numbers and special characters.

Better yet, think about using a password manager. Granted, they’re not perfect, but they’re pretty good: they’ll not only create tough, unique passwords, but they’ll also store them for you so you don’t have to remember a set of tangled-spaghetti passwords.