Nest has responded to recent reports of a security breach, contacting owners of devices like the Nest Cam IQ and Nest Secure to insist that there has been no grand hack of the company. The outreach comes after claims that a US family found their Nest security system had been remotely accessed, and the speaker used to taunt the home’s occupants with racist obscenities.
The incident took place in Illinois, where a family of Nest users heard a stranger’s voice talking in their baby’s room. While they initially concluded that was just baby monitor interference, the voice then spoke through other Nest cameras in the home, including making racist remarks. It’s also alleged that the virtual intruder remotely turned up their Nest thermostat.
When the family contacted Nest, they say they were blamed for not having used sufficient security. “And then they said, ‘Well, you should have used a unique password and two-factor authentication, and if you did, you know, that would be that,’” father Arjun Sud told CBS.
Now, Nest is trying to set the record straight. Rishi Chandra, VP and General Manager of Home and Nest products, has sent out a mass email to people with registered Nest accounts, putting forward the company’s side of things. That includes dismissing reports that Nest’s system was hacked into.
“In recent weeks, we’ve heard from people experiencing issues with their Nest devices,” Chandra writes. “We’re reaching out to assure you that Nest security has not been breached or compromised.”
In fact, Chandra says, it’s a case of reused passwords that is to blame here. “For context, even though Nest was not breached, customers may be vulnerable because their email addresses and passwords are freely available on the internet,” he writes. “If a website is compromised, it’s possible for someone to gain access to user email addresses and passwords, and from there, gain access to any accounts that use the same login credentials.”
Although he doesn’t refer to the Sud case specifically, the implication from Chandra is that the family reused a password from another service for their Nest account. That password was then compromised by another hack, unrelated to Nest. However, the hacker was able to access the Nest system because the credentials were the same.
Nest, Chandra points out, does monitor credential leaks, and proactively disables access to accounts where it’s possible the security has been compromised. When users set up passwords, it also checks them against a list of those known to be exposed. Nest’s 2-step verification also gets flagged in the email: that way, even if a hacker has your Nest account details, they’d also need access to your authenticator app or SMS to perform the second step of the login process. Nest added 2-factor security in a 2017 update.
While the explanation is unlikely to leave the Sud family any more relieved, it does underscore the potential ramifications of password leaks when services are compromised. That’s all the more concerning when it comes to things like Nest or other security systems, where unauthorized access to cameras could give hackers a secret glimpse into the home without the occupants ever knowing it was happening. As ever, the advice is to use a separate, unique, and strong password every time, and take advantage of all the security features like 2-step authentication when offered.