The common misnomer about recent Nest hack reports
Recently, Nest has made attention-grabbing headlines for security incidents. One Nest owner heard strangers talking to her children via her Nest cameras. Another reported her Nest’s broadcasting of a false alert that there was an imminent nuclear attack. Often times, news coverage calls out IoT security and notes that we’ll have 20 billion connected devices by 2020 — a reason for growing concern. Here, however, the connections are misleading and distract us from the remedy.
Let’s take, for example, a real IoT vulnerability exploit: Mirai, the webcam takeover en masse that led to the giant distributed denial-of-service attack in October 2016. (Some media have even made this connection to the Nest incidents; I won’t call them out.) Even though the Nest attacks manifest on cameras and other devices controlled by a Nest account, the attack is quite different and perpetrated for very different reasons from botnet attacks. The Nest attacks are simply attacks on accounts. They could have been on email accounts, bank accounts, social media accounts or any of the hundreds of online accounts people create. It just so happened in this case, they were on Nest accounts. In contrast, the Mirai attack was an attack against IoT devices themselves.
The irony is that in the case of Mirai, camera owners never knew their cameras were attacked and controlled by Mirai — a stark contrast to the Nest attacks. While it is possible for someone just to lurk in a Nest account and watch people silently, in the case of Mirai, the purpose of attacking hundreds of thousands of web cameras was to build an army of devices that could be used against another entity, domain name system service provider Dyn. So, the attackers stealthily built their army to prevent anyone from detecting and shutting down one of their soldier bots.
In the case of the Nest attacks, it is not possible to use the hacked accounts to attack another entity because the Nest account does not even make that possible for a legitimate account owner. The attackers are not gaining access to IoT devices themselves, but to the account that controls them. So, while hackers can talk to you via the camera, see what you’re doing, change your thermostat, disable your home security system and set off your smoke detector, they can’t use your account to attack someone else.
Perhaps the only large-scale attack that could be perpetrated by Nest account hackers is if they got control of enough accounts in a particular area that they could cause stress on the electric grid by changing everyone’s thermostats. But that would require controlling a high concentration of homes in a particular area, wherein a large percentage of the homes have a Nest with sufficiently insecure credentials. The odds are very slim, which leads us to the next point: What can we do about these kinds of attacks? These attacks were successful because end users tend to reuse credentials — usernames and passwords — as they create accounts all over the internet. As we have seen in the news, some of those accounts and services get compromised, and then those credentials leak out onto the dark web, where attackers can try those same credentials against other sites, like Nest accounts. Many of them fail, but some of them will succeed and will lead to hacked accounts.
So what can users do to prevent this from happening to their accounts? One simple answer is to never reuse usernames and passwords from one account to another. That way, if an account gets compromised, it won’t lead to the compromise of other accounts. It can be hard to track and manage all those credentials and that is why people use a password keeper, like LastPass or 1Password.
Another great tool to prevent this kind of vulnerability, and one that Nest has been asking its customers to adopt, is two-factor authentication. A two-factor authentication method typically sends you a text message with a one-time six-digit code, or sets up an app on the user’s phone, such as Google Authenticator, to generate those one-time codes. This is powerful at protecting sensitive accounts because even if someone gets access to an account’s username and password, he won’t be able to log in without that code.
Finally, there are also steps account services like Nest can do on their side. One thing we are doing for Minim accounts is making sure that our users’ credentials are not on any of those lists on the dark web. Another mitigation strategy we have is using machine learning and AI to analyze logins, comparing the current login details, including IP address, time of day and so forth, to the account’s prior login details to determine if the present login attempt is suspicious; if so, we potentially block the login and notify the account owner. Furthermore, some services are providing an audit trail of logins and other activity on the account to their customers, helping identify suspicious activity and mitigate hacks to accounts.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.