The dangers of low security on the Internet of Things (IoT) devices once again surfaced last week. A family have suffered sleepless nights after a hacker gained access to their Nest account and remotely controlled their home cameras and thermostats. The only tools the hacker needed was an opportunity to use already leaked passwords.
Arjun Sud, from Lake Barrington, Illinois, put his 7month old baby to sleep. Shortly after, he heard some noises coming from the camera in the nursery, followed by a male voice. He further reported to CBS Chicago that the hacker turned up the thermostat, also a Nest smart device, to 90 degrees Fahrenheit. The hacker continued to torment the family as they moved around their house through the 16 installed cameras. The couple disconnected their Nest devices and called the police.
The hacker managed to gain access to leaked passwords from another website.
Upon further investigation, Sud did not get any answers from Nest as to how long the account was compromised for. Nest also told him he had a responsibility to put stronger passwords in place to stop unauthorised access. What worried Sud was not knowing how long the hacker watched the family for. The only indication someone was there was when someone spoke through it and the blue light turned on.
Nest have not commented on these events, other than the conversation relayed by Sud.
Responsibility of Security
The same incident happened with Nest cameras the week before. In Carolina, a family received threats from their camera of an impending nuclear strike from North Korea. The family’s account was using a password used for other website accounts. The hacker used the leaked password from another website where the family used the same password. Nest alerted some users in 2017 about the two-factor authentication adapted in the products but this measure alone may not have been enough. It brings forward the question of who is responsible for the security of technical devices. As cybersecurity awareness becomes paramount, there is a shift and expectation that consumers will play a part in security. This is additional to the developers and company selling the product. Although this is realistic, companies must communicate this fact and make consumers aware of this responsibility.