Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Privacy

Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says (cbsnews.com) 106

pgmrdlm shares a report from CBS News: An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son's room Sunday outside Chicago and he heard someone talking. "I was shocked to hear a deep, manly voice talking," Sud said. "My blood ran cold." Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs. The voice was coming from another of the many Nest cameras throughout the couple's Lake Barrington house. "Asking me, you know, why I'm looking at him -- because he saw obviously that I was looking back -- and continuing to taunt me," Sud said. Later that night, Arjun Sud noticed the Nest thermostat they have upstairs had been raised to 90 degrees. He suspected the hacker was behind that too. Nest's parent company, Google, said in a statement that Nest's system was not breached. Google said the recent incidents stem from customers "using compromised passwords exposed through breaches on other websites."
This discussion has been archived. No new comments can be posted.

Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says

Comments Filter:
  • I may be a luddite (Score:5, Interesting)

    by Major_Disorder ( 5019363 ) on Thursday January 31, 2019 @06:53PM (#58052826)
    But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.
    • by 110010001000 ( 697113 ) on Thursday January 31, 2019 @06:55PM (#58052842) Homepage Journal
      Luddite!
    • But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.
      --
      First law of people: People are generally stupid.

      (emphasis on your sig added by me.)

      You may not, and I do not, and I suspect many others here won't either.. ..but as your sig so fortuitously put it... well, people are stupid.

      I can't wait until this ends up like Maximum Overdrive... only it won't be Comet Magical Bullshit, it'll be script kiddies and worse.

      • by lazarus ( 2879 )

        Hacking stories are about to get MUCH more interesting!

      • by stephanruby ( 542433 ) on Thursday January 31, 2019 @07:21PM (#58052932)

        ..but as your sig so fortuitously put it... well, people are stupid.

        Yes, it could be that.

        But let's remember, Uber gave the exact same excuse.

        We haven't been hacked. It's our users who have been re-using the same passwords.

        And two years later, it turns out that Uber did have a massive breach that they knew about, but that they didn't want to admit to anybody.

        • by TigerPlish ( 174064 ) on Thursday January 31, 2019 @07:28PM (#58052956)

          But let's remember, Uber gave the exact same excuse.

          We haven't been hacked. It's our users who have been re-using the same passwords.

          Oh, the stupid I was thinking of wasn't the reuse of passwords, it was the mere act of inviting these insecure iot contraptions into the home.

          • That's more along the lines of how I feel. But there's still plenty of blame to go around. Google/Nest owes at the very least an apology to the public for misrepresenting their ability to enforce any security for these devices they sell.

        • If you reuse passwords - and even if you don't - https://haveibeenpwned.com/ [haveibeenpwned.com] can be pretty useful. It alerts you if your passwords are found in that never ending stream of hacker data dumps. A new feature was added recently where you can enter the it directly to determine if it's been compromised. Whether or not you trust that is another matter. But for the attentive, it's a good service overall for knowing when to retire a password.
          • by Askmum ( 1038780 ) on Friday February 01, 2019 @03:22AM (#58054146)

            If you reuse passwords - and even if you don't - https://haveibeenpwned.com/ [haveibeenpwned.com] can be pretty useful.

            It's only marginaly usefull. Yes, I have been pwned, my email address is listed in the "Anti Public Combo List".
            So? With what password? I have to use my email address at many sites to log on and of course I do not reuse my passwords, so one of them is compromised. It doesn't tell me which. So I don't know which password to change.

            • Mine too was listed, but it didn't even say which list. How do you find out? Can these lists be downloaded from anywhere?
            • by Ihlosi ( 895663 )
              So I don't know which password to change

              All of them. At least twice. And then nuke the entire site from orbit. It's the only way to be sure.

    • I might one day get a smart thermostat, but I'm definitely drawing the line at cameras. It sounds like the people in the article have *multiple* cameras inside their house. WHY? The baby monitor one, OK. The rest? WTF? Cameras go OUTSIDE if you're wanting security.

      • by Xenx ( 2211586 )
        As someone that does dispatch for security, rich(or even decently well off) people like to keep an eye on their stuff and can afford to do so. Also, the police will also often charge for repeated false dispatches. A lot of the ones I deal with will check the cameras when we call on an alarm. The newer ones get the notification when we do and are checking them before we even get them on the phone.
    • by jythie ( 914043 )
      Earlier this month I was paying my power bill and discovered I could control my heat/AC right the power company's website. I... think I'm gonna have another thermostat installed.
    • by GrumpySteen ( 1250194 ) on Thursday January 31, 2019 @07:51PM (#58053054)

      You'll never make a living as a cam whore with that attitude.

    • But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.

      That's quite some slog from the couch all the way to the control unit on the wall, though. Who wants to walk 10-15 feet just to adjust the temperature? What is this, the Middle Ages? You might miss out on a funny cat video that's gone viral!

      • That's quite some slog from the couch all the way to the control unit on the wall, though.

        Smart thermostats have other uses:

        • Timers. Set it up so that it turns off when you're off to work, and back on just before you come home
        • Controlling it from somewhat further away than from the couch. For instance, if you unexpectedly finish work early, you can remotely turn on your thermostat at home just before leaving the office, so that it's warm and cosy by the time you arrive
        • by Anonymous Coward

          you can remotely turn on your thermostat at home just before leaving the office, so that it's warm and cosy by the time you arrive

          God forbid you might be "uncomfortable" at home for 20-30 minutes. What's going to happen are your testicles going to fall off?

          Is that trade off really worth your house getting pwned and controlled by strangers? I think not.

        • by Altus ( 1034 )

          Alerts that the temp has fallen more than X degrees below the current settings allowing you to know if your heater has crapped out on you. I came home from a vacation last winter and it was 30 degrees F in my house. My cat had nearly frozen to death. If I had known when it dropped 5 degrees below what was expected I could have called my neighbor to have him check on it, maybe even let a technician into the house to fix it if necessary well before it got to the point where my pipes had frozen (making it v

      • by jm007 ( 746228 )
        "What is this, the Middle Ages?"
        -- Bender
    • But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.

      Agree completely. OTOH, if you DO access my home cams, then my revenge is that there are some things you can never unsee.

      My Eyes! The Goggles Do Nothing! [youtube.com]

    • for this baby :P
    • "But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either."

      Then don't use 1234 as password.

  • by GavrielPlotke ( 743137 ) on Thursday January 31, 2019 @07:02PM (#58052876)
    • It is the number one hack. And largely address by browsers 20 years ago.

      We only need to send a proof of possession of the password. The website only needs enough info to verify that we have it. A little crypto magic makes that very possible.

      Secure Remote Password.

      • We only need to send a proof of possession of the password. The website only needs enough info to verify that we have it. A little crypto magic makes that very possible.

        This is false. I wish it were true, and I'd love it if you could explain what crypto can achieve this magic, but it can't be done.

        There are lots of ways to verify a password without sending a copy, but only when the server has a copy of the password, or something deterministically derived from, it to verify against. I can think of several ways to diversify passwords so as to automatically create a unique password per site, derived from the "real" password and information about the site (e.g. host or doma

        • Comment removed based on user account deletion
  • by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Thursday January 31, 2019 @07:34PM (#58052984) Homepage

    Yea, this is a bit of the owner's fault, but it seems like Nest could be a doing better job helping their customers secure their systems. Something like this happening wasn't an if, but a when.

    Considering how sensitive this kind of system is, I would expect Nest to have some really simple security features like basic access logs, notifying you of (and maybe blocking) unknown IPs, required 2FA, etc.

    This is why I'd never opt for some 3rd party managed system in my own home.

    • Honestly they should get a copy of every info breach and just not allow them to be used. Its google, its not like they cant get that shit already.

      • Honestly they should get a copy of every info breach

        Why? They offer and encourage the use of 2FA. If users won't go to basic lengths to protect themselves why should Nest go out of their way to do it?

        My login and password were reused and are in the Collection #1 leak. I'm not worried about my Nest.

        • Because 2FA has been thwarted in the past, so might as well take all of the chance out. As I said its not like they cant afford it. I would almost bet Project Zero has most of them already...

          • Because 2FA has been thwarted in the past

            Every security system in the world has been thwarted in the past. Just because locks can be picked doesn't mean I don't have a lock on my front door.

            My point still stands, the users affected here did not put even put in basic precautions into their own protection. Why should Nest be responsible for improving their security when the users don't even use the tools at hand?

            • I'm not disagreeing with you. I'm just saying eliminate the possibility of passwords from breachs should be eliminated. And possibly force 2FA for something like that. But those passwords should never be used because they are going to be in every current password list that is used by hackers. I don't think you realize how quick shit like that makes it around the underworld of the internet. So I personally think they should take multiple avenues for protection, but at the same time I couldn't care less becau

              • I'm just saying eliminate the possibility of passwords from breachs should be eliminated

                I guess for redundancy, oops. Too early, not enough rockstar yet.

    • Nest doesn’t offer 2FA. Not mandatory. I don’t know of any access logs.

    • but it seems like Nest could be a doing better job helping their customers secure their systems

      I'm wondering just what you think would be "better"? I mean Nest already offers 2FA, sends emails to customers encouraging the use of 2FA, and warns you about suspicious access (found this one out while on holiday in another country when I remembered we turned the heating off despite having a housesitter).

      This is why I'd never opt for some 3rd party managed system in my own home.

      All your criteria are already offered by Nest, so no this is not the reason you refuse to use it. There must be something else as well.

  • My X10 system never did that.
    • That's comparing apples to motorcycles. Also X10 fucking sucks ass.

      --Electrician with experience dealing with X10

      • That's comparing apples to motorcycles. Also X10 fucking sucks ass.

        If X10 had an ass-sucking peripheral, not only would it not turn on when you wanted to, but it would also turn itself on in the middle of the night and suck every ass in town.

        • Actually some of the most common service calls I had with them back in the day was "it wont turn on" or "it just turns on randomly" Hence my comment about it sucking ass. And they were even made here in wonderful Las Vegas.. Well really in scummy North Las Vegas(like all of vegas isnt ghetto lol)

      • by q4Fry ( 1322209 )

        I have it on good authority that motorcycles are much better than apples.

        • I was gonna try to say something funny back. But I was too stoned to think of anything but "If you like motorcycles". Some peoples children...

  • Negligence or bad parenting for not securing the network... Child Services is on the way.

  • Sites could implement a simple password rule: You may not use the same password and email address at other sites. To enforce this, you agree to allow the site to attempt to log in to other sites using the same information, and if successful, your account will be disabled.

    I would prefer it if that weren't necessary, but it looks like that's where we're heading.

    • You think site B is going to say 'yes, we don't mind if site A sends it's bot over here to try to log onto our user's accounts'.

      Is it a race for Site A and Site B to determine which one disables the account first? One or the other would be first, obviously.

      • by Anonymous Coward
        It's a stupid idea in general. What if one of the sites decided to keep a history of failed login attempts with the passwords in clear text. Now another site - perhaps one I don't have an account on could potentially have harvested my login & password for the site I was signing up to. Does that sound like a security improvement? This is why security should be left the the experts and not some Slashdot armchair experts.
  • We have 3 Nest cameras as well. Chosen mainly because they seem to work very well without network hassles. Plus htey have a wide angle lens, no need for a cam that needs to swivel around. Use case is remote checking on or twin toddlers and their day caretaker. Also handy is that if she calls us about an issue then we can immediately see it. Finally it is cool that it has support for many devices. Like, giving a tap warning on the apple watch when movement occurs - handy to be alerted when they come back hom
    • I just moved into a new apartment, and I will be placing cameras outside on my side. The inside camera will be watching my basement(storage).

      I do know one guy at work that has an attention deficit son who he has to constantly monitor. So, he has one on his front door in case the kid takes off without telling people.

      In the house/apartment in rooms other then a babies. Only storage.
    • what a depressing hellscape society has become when turning video cameras on your family for the purposes of monitoring is considered normal.

      • Context, dude. We are talking about babys-toddlers that we leave alone during the day with a daycare lady. We have the cameras since they were born and they are now exactly 2 years old. In a few years we won't need the cameras anymore.
  • Most of these users provide anyone with their password via stupid social tricks and then they think the software was hacked!
  • Look, its stupid ok, giving people internet connected things, with one of the main selling points being how easy it is to use, and then not expecting normal simple folk to use them.

    People are in so many databases. Databases will all be leaked eventually. People do not give a fuck about passwords, except that they are annoying. All these stories are an opportunity for engineers to solve the password problem. Its real, its multiplying, and you cant really blame the users that much for reusing the odd password

  • Cloud services (Score:4, Informative)

    by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Friday February 01, 2019 @05:01AM (#58054300) Homepage

    Devices like this should be standalone, not tied into an external cloud service...
    You the owner of the device should decide exactly who has access, and be ultimately responsible if you choose weak passwords or fail to further protect the system with an additional layer such as a VPN.

    I have CCTV at home, it requires that i first connect to a VPN in order to access it from outside. The cameras themselves are probably horrendously insecure, but they don't connect directly to the internet and are only accessed through a VPN which is actively maintained and gives me a reasonable level of confidence that noone other than myself has access.

    • You the owner of the device should decide exactly who has access, and be ultimately responsible if you choose weak passwords or fail to further protect the system with an additional layer such as a VPN.

      You're talking about a device which offers 2FA which users don't bother using, where users are also clearly reused passwords.

      What makes you think giving the user more control would in any way make the system safer? I'll wager you the result would be the exact opposite.

  • You're welcome.

  • Why is he looking back at me?

You know you've landed gear-up when it takes full power to taxi.

Working...