Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says (cbsnews.com)
pgmrdlm shares a report from CBS News: An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son's room Sunday outside Chicago and he heard someone talking. "I was shocked to hear a deep, manly voice talking," Sud said. "My blood ran cold." Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs. The voice was coming from another of the many Nest cameras throughout the couple's Lake Barrington house. "Asking me, you know, why I'm looking at him -- because he saw obviously that I was looking back -- and continuing to taunt me," Sud said. Later that night, Arjun Sud noticed the Nest thermostat they have upstairs had been raised to 90 degrees. He suspected the hacker was behind that too. Nest's parent company, Google, said in a statement that Nest's system was not breached. Google said the recent incidents stem from customers "using compromised passwords exposed through breaches on other websites."
I may be a luddite (Score:5, Interesting)
Re:I may be a luddite (Score:4, Funny)
Re: (Score:2)
But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.
--
First law of people: People are generally stupid.
(emphasis on your sig added by me.)
You may not, and I do not, and I suspect many others here won't either... but as your sig so fortuitously put it... well, people are stupid.
I can't wait until this ends up like Maximum Overdrive... only it won't be Comet Magical Bullshit, it'll be script kiddies and worse.
Re: (Score:2)
Hacking stories are about to get MUCH more interesting!
Re:I may be a luddite (Score:5, Interesting)
..but as your sig so fortuitously put it... well, people are stupid.
Yes, it could be that.
But let's remember, Uber gave the exact same excuse.
We haven't been hacked. It's our users who have been re-using the same passwords.
And two years later, it turns out that Uber did have a massive breach that they knew about, but that they didn't want to admit to anybody.
Re:I may be a luddite (Score:5, Insightful)
But let's remember, Uber gave the exact same excuse.
We haven't been hacked. It's our users who have been re-using the same passwords.
Oh, the stupid I was thinking of wasn't the reuse of passwords, it was the mere act of inviting these insecure iot contraptions into the home.
Re: (Score:1)
That's more along the lines of how I feel. But there's still plenty of blame to go around. Google/Nest owes at the very least an apology to the public for misrepresenting their ability to enforce any security for these devices they sell.
Re:I may be a luddite (Score:5, Informative)
If you reuse passwords - and even if you don't - https://haveibeenpwned.com/ [haveibeenpwned.com] can be pretty useful.
It's only marginally useful. Yes, I have been pwned, my email address is listed in the "Anti Public Combo List".
So? With what password? I have to use my email address at many sites to log on and of course I do not reuse my passwords, so one of them is compromised. It doesn't tell me which. So I don't know which password to change.
Re: (Score:2)
All of them. At least twice. And then nuke the entire site from orbit. It's the only way to be sure.
Re: (Score:2)
I might one day get a smart thermostat, but I'm definitely drawing the line at cameras. It sounds like the people in the article have *multiple* cameras inside their house. WHY? The baby monitor one, OK. The rest? WTF? Cameras go OUTSIDE if you're wanting security.
Re: (Score:2)
Yeah, but you have these people with cams inside their home??
I work for a CCTV manufacturer. I have access to the code. I control the access to them, it's not "cloud" based but they can be remoted.
I have cams all over the outside of my house and property. But no way in hell am I putting them inside.
Just don't put the feed on the internet. Easy peasy.
Re:I may be a luddite (Score:5, Funny)
You'll never make a living as a cam whore with that attitude.
Re: (Score:2)
But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.
That's quite some slog from the couch all the way to the control unit on the wall, though. Who wants to walk 10-15 feet just to adjust the temperature? What is this, the Middle Ages? You might miss out on a funny cat video that's gone viral!
Re: (Score:2)
That's quite some slog from the couch all the way to the control unit on the wall, though.
Smart thermostats have other uses:
Re: (Score:1)
God forbid you might be "uncomfortable" at home for 20-30 minutes. What's going to happen are your testicles going to fall off?
Is that trade off really worth your house getting pwned and controlled by strangers? I think not.
Re: (Score:2)
Alerts that the temp has fallen more than X degrees below the current settings allowing you to know if your heater has crapped out on you. I came home from a vacation last winter and it was 30 degrees F in my house. My cat had nearly frozen to death. If I had known when it dropped 5 degrees below what was expected I could have called my neighbor to have him check on it, maybe even let a technician into the house to fix it if necessary well before it got to the point where my pipes had frozen (making it v
Re: (Score:2)
-- Bender
Re: (Score:3)
But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.
Agree completely. OTOH, if you DO access my home cams, then my revenge is that there are some things you can never unsee.
My Eyes! The Goggles Do Nothing! [youtube.com]
Re: (Score:2)
"But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either."
Then don't use 1234 as password.
Re: (Score:2)
I can't wait for internet connected anal probes!
I have good news for you: Teledildonics is a thing now!
https://www.glamour.com/story/... [glamour.com]
Re: (Score:2)
Who else but Anonymous Coward!?
o/~ It's A-C, A-C. There's no knowing what he'll say next... o/~
Re:This is funny as hell (Score:4, Funny)
He blew an opportunity:
1. Make the baby "cry" when it's not really crying to mess with the parents.
2. Make the baby say phrases that borderline actual English and random baby gibberish. "I make doody shaped like Daddy's head" and the like. The parents will look at each other and go, "Did I hear what I think I heard?"
3. Have the baby fart loudly when guests are over.
Password Reuse (Score:5, Funny)
https://xkcd.com/792/ [xkcd.com]
Why do we still send passwords to web sites? (Score:2)
It is the number one hack. And largely addressed by browsers 20 years ago.
We only need to send a proof of possession of the password. The website only needs enough info to verify that we have it. A little crypto magic makes that very possible.
Secure Remote Password.
Re: (Score:3)
We only need to send a proof of possession of the password. The website only needs enough info to verify that we have it. A little crypto magic makes that very possible.
This is false. I wish it were true, and I'd love it if you could explain what crypto can achieve this magic, but it can't be done.
There are lots of ways to verify a password without sending a copy, but only when the server has a copy of the password, or something deterministically derived from, it to verify against. I can think of several ways to diversify passwords so as to automatically create a unique password per site, derived from the "real" password and information about the site (e.g. host or doma
Re: (Score:2)
Google it. Secure Remote Password. (SRP)
Sigh. You didn't read the post you responded to. That still requires the server to have a copy of the password.
Public keys can do it easily, the client just signs a proof of possession request. Server only needs public key.
Yep. From the post you replied to:
Re: (Score:2)
I understand SRP is "resistant" to attacks against the information held on the server. But I don't know more about what that means. I suspect it just forces the server to use a decent hash/salt approach rather than leave the window open to using a weak or no hash
In SRP, the server stores a value computed from the password. The computation involves a salted hash and then a modular exponentiation, but it's not particularly slow/expensive. Good SRP implementations should use a proper password-based key derivation function in place of the hash, to increase the computation required to recover the password via brute force search... but "increase the difficulty" is all that can be done, and if you put your password into Black Hat's server, none of that even matters.
Ev
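To make the exchange the commenters above are describing concrete, here is a compact SRP-6a run (an added example, not code from this thread or from any SRP library). It uses a constructed 10-bit toy group so it runs instantly; a deployment would use the 2048-bit or larger groups from RFC 5054. The server-side record shows that what is stored is the verifier v, derived from the password but never the password itself, which is the point both posts above are making.

```python
import hashlib
import os
import secrets

# Constructed toy SRP-6a group: safe prime N = 2*509 + 1 with generator 2
# (2 generates the whole group since N % 8 == 3). Illustration only; real
# deployments use the 2048-bit or larger groups published in RFC 5054.
N = 1019
g = 2

def H(*parts):
    """SHA-256 over the concatenation of ints/bytes/str, returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big")
        elif isinstance(p, str):
            p = p.encode("utf-8")
        h.update(p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g) % N   # SRP-6a multiplier parameter

def private_key(salt, identity, password):
    # x = H(salt | H(I ":" P)); a slow password KDF belongs here in production
    return H(salt, H(f"{identity}:{password}")) % N

def register(identity, password):
    """Enrolment on the client; the server only ever receives this record."""
    salt = os.urandom(16)
    v = pow(g, private_key(salt, identity, password), N)
    return {"I": identity, "salt": salt, "v": v}

def srp_exchange(record, identity, password):
    """One SRP-6a run; returns (client_session_key, server_session_key)."""
    a = secrets.randbelow(N - 2) + 1            # client ephemeral secret
    A = pow(g, a, N)                            # client -> server
    b = secrets.randbelow(N - 2) + 1            # server ephemeral secret
    B = (k * record["v"] + pow(g, b, N)) % N    # server -> client, v masked by g^b
    u = H(A, B) % N                             # scrambling parameter, binds A and B
    x = private_key(record["salt"], identity, password)   # client side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(record["v"], u, N) % N, b, N)  # uses only v, never x
    return H(S_client), H(S_server)
```

Both sides derive the same key only when the client knows the password; an attacker who steals the record still has to guess passwords offline against v, which is why the KDF choice for x matters.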
So the guy had a weak password (Score:4, Insightful)
Yea, this is a bit of the owner's fault, but it seems like Nest could be doing a better job helping their customers secure their systems. Something like this happening wasn't an if, but a when.
Considering how sensitive this kind of system is, I would expect Nest to have some really simple security features like basic access logs, notifying you of (and maybe blocking) unknown IPs, required 2FA, etc.
This is why I'd never opt for some 3rd party managed system in my own home.
Re: (Score:2)
Honestly they should get a copy of every info breach and just not allow them to be used. It's Google, it's not like they can't get that shit already.
Re: (Score:2)
Or they could just integrate their system with Pwned Passwords [haveibeenpwned.com], which is a service set up for this very purpose already.
Honestly, how would this work? Send every single one of their passwords to haveibeenpwned.com to have it verified? Then what if haveibeenpwned.com abuses this to build a nice database of passwords to attempt on each participating domain?
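The question of how a site could check against Pwned Passwords without handing over every password is what the service's k-anonymity range API exists for: the client sends only the first five hex characters of the SHA-1 hash and receives every suffix in that range, so the service never learns which password was checked. Added example, not code from the thread or from Have I Been Pwned; the range response embedded below is constructed so the example runs offline (only the first suffix is the real tail of SHA-1("password"); the neighbouring suffixes and all counts are made up).

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # Pwned Passwords range API

def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, response_text):
    """Parse a range response ('SUFFIX:COUNT' per line); 0 means not found."""
    for line in response_text.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count)
    return 0

def fetch_range_http(prefix):
    """Live lookup: only the 5-character prefix ever leaves the machine."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch_range=fetch_range_http):
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))

# Constructed stand-in for the API so this runs offline. First suffix is the
# real SHA-1 tail of "password"; the other suffix and both counts are made up.
FAKE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E4D2E11FA5A5B3E9F1B6C1B9A0F1F2A3B4:2\r\n"
)

def fake_fetch(prefix):
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""
```

A signup or password-change handler would call breach_count() and reject (or warn on) anything with a non-zero count, without the raw password or its full hash ever leaving the site's own servers.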
Re: (Score:2)
Honestly they should get a copy of every info breach
Why? They offer and encourage the use of 2FA. If users won't go to basic lengths to protect themselves why should Nest go out of their way to do it?
My login and password were reused and are in the Collection #1 leak. I'm not worried about my Nest.
Re: (Score:2)
Because 2FA has been thwarted in the past, so might as well take all of the chance out. As I said it's not like they can't afford it. I would almost bet Project Zero has most of them already...
Re: (Score:2)
Because 2FA has been thwarted in the past
Every security system in the world has been thwarted in the past. Just because locks can be picked doesn't mean I don't have a lock on my front door.
My point still stands, the users affected here did not even put basic precautions into their own protection. Why should Nest be responsible for improving their security when the users don't even use the tools at hand?
Re: (Score:2)
I'm not disagreeing with you. I'm just saying eliminate the possibility of passwords from breaches should be eliminated. And possibly force 2FA for something like that. But those passwords should never be used because they are going to be in every current password list that is used by hackers. I don't think you realize how quick shit like that makes it around the underworld of the internet. So I personally think they should take multiple avenues for protection, but at the same time I couldn't care less becau
Re: (Score:2)
I'm just saying eliminate the possibility of passwords from breaches should be eliminated
I guess for redundancy, oops. Too early, not enough rockstar yet.
Re: (Score:2)
Nest doesn’t offer 2FA. Not mandatory. I don’t know of any access logs.
Re: (Score:2)
but it seems like Nest could be a doing better job helping their customers secure their systems
I'm wondering just what you think would be "better"? I mean Nest already offers 2FA, sends emails to customers encouraging the use of 2FA, and warns you about suspicious access (found this one out while on holiday in another country when I remembered we turned the heating off despite having a housesitter).
This is why I'd never opt for some 3rd party managed system in my own home.
All your criteria are already offered by Nest, so no this is not the reason you refuse to use it. There must be something else as well.
Never (Score:1)
Re: (Score:2)
That's comparing apples to motorcycles. Also X10 fucking sucks ass.
--Electrician with experience dealing with X10
Re: (Score:2)
That's comparing apples to motorcycles. Also X10 fucking sucks ass.
If X10 had an ass-sucking peripheral, not only would it not turn on when you wanted to, but it would also turn itself on in the middle of the night and suck every ass in town.
Re: (Score:2)
Actually some of the most common service calls I had with them back in the day were "it won't turn on" or "it just turns on randomly". Hence my comment about it sucking ass. And they were even made here in wonderful Las Vegas... well, really in scummy North Las Vegas (like all of Vegas isn't ghetto lol)
Re: (Score:2)
I have it on good authority that motorcycles are much better than apples.
Re: (Score:2)
I was gonna try to say something funny back. But I was too stoned to think of anything but "If you like motorcycles". Some peoples children...
Negligence (Score:2)
Negligence or bad parenting for not securing the network... Child Services is on the way.
Simple Password Rule (Score:2)
Sites could implement a simple password rule: You may not use the same password and email address at other sites. To enforce this, you agree to allow the site to attempt to log in to other sites using the same information, and if successful, your account will be disabled.
I would prefer it if that weren't necessary, but it looks like that's where we're heading.
Re: (Score:2)
You think site B is going to say 'yes, we don't mind if site A sends its bot over here to try to log onto our users' accounts'.
Is it a race for Site A and Site B to determine which one disables the account first? One or the other would be first, obviously.
Experience with 3 Nest cameras (Score:2)
Re: (Score:2)
I do know one guy at work that has an attention deficit son who he has to constantly monitor. So, he has one on his front door in case the kid takes off without telling people.
In the house/apartment in rooms other than a baby's? Only storage.
Re: (Score:2)
what a depressing hellscape society has become when turning video cameras on your family for the purposes of monitoring is considered normal.
Hacking or Social engineering ? (Score:1)
internet passwords and people (Score:2)
Look, it's stupid, OK, giving people internet-connected things, with one of the main selling points being how easy it is to use, and then not expecting normal simple folk to use them.
People are in so many databases. Databases will all be leaked eventually. People do not give a fuck about passwords, except that they are annoying. All these stories are an opportunity for engineers to solve the password problem. It's real, it's multiplying, and you can't really blame the users that much for reusing the odd password
Cloud services (Score:4, Informative)
Devices like this should be standalone, not tied into an external cloud service...
You the owner of the device should decide exactly who has access, and be ultimately responsible if you choose weak passwords or fail to further protect the system with an additional layer such as a VPN.
I have CCTV at home, it requires that I first connect to a VPN in order to access it from outside. The cameras themselves are probably horrendously insecure, but they don't connect directly to the internet and are only accessed through a VPN which is actively maintained and gives me a reasonable level of confidence that no one other than myself has access.
Re: (Score:2)
You the owner of the device should decide exactly who has access, and be ultimately responsible if you choose weak passwords or fail to further protect the system with an additional layer such as a VPN.
You're talking about a device which offers 2FA which users don't bother using, where users have also clearly reused passwords.
What makes you think giving the user more control would in any way make the system safer? I'll wager you the result would be the exact opposite.
That's IoT for you. (Score:2)
You're welcome.
Goatse.cx (Score:1)