Almost 2,000 owners of Google Nest smart home security cameras have been targeted by cyber criminals as part of a sextortion campaign.
Although no actual hacking of any Nest cameras has taken place, and the criminals do not have access to any sensitive footage, the incident shows how criminals are increasingly playing on users' fears of smart home security.
- Millions of Facebook user names and phone numbers exposed by server with no password
- Data Breach Weekly Security Report
- The 12 biggest data breaches and cyber attacks of 2019
The campaign was discovered by Mimecast, an email cyber security company, and first reported by Computer Weekly. It was found that almost 1,700 Nest security camera owners, mostly based in the U.S., were targeted by the campaign in early January.
These users were emailed by the criminals, who claimed they had access to intimate video recordings stolen from their Nest cameras. Victims are then told the footage will be published online unless the blackmailer is paid €500 (around $555) in bitcoin, or via gift cards for Amazon, iTunes, Best Buy or Target.
Amazon eGift Card
However, unlike most bogus sextortion campaigns, where the first email to a victim links to a bitcoin wallet awaiting payment, this case is slightly different. Instead, the first email a victim receives contains a password for logging into a web email account.
Buyers are encouraged to put the internet-connected cameras all over their homeNest
In this new inbox they will find a link to a website showing genuine Nest camera footage, but crucially this footage has not been stolen from the target. It is just Nest-branded footage which the criminals hope will bolster their claims that they have indeed hacked into cameras. Instead, such footage could have been created by the criminals themselves with a Nest cam, or lifted from YouTube.
From there, targets are linked to a second email inbox, where they are told the compromising footage from their allegedly hacked Nest camera will be published online in a week, unless the payment is made or gift card is sent.
Speaking to Computer Weekly, Mimecast's head of data science overwatch Kiri Addison said: "The campaign is exploiting the fact people know these devices can be hacked very easily and preying on fears of that...It is now widely known that many IoT devices lack basic security and are vulnerable to hacking, meaning that victims are more likely to believe the fraudsters' claims, since the possibility of their device having really been hacked is highly plausible."
Google, which owns Nest, is encouraging Nest users to actually not respond to anyone who tries to exploit them in this manner, and instead reach out directly to Nest support. The company believes that attacks like this are more likely occurring from what the company calls "bad actors," who use email addresses culled from databases of stolen details — and not a directed, personal attack on that user.
"We offer several key protections to prevent the likelihood of hacks and keep our products secure," Google told GearBrain by email. "Two-factor authentication has already been enabled by millions of people. We also offer the option to migrate to a new Google Account. Privacy and security continue to be a focus for us, and we'll continue to introduce features that prevent these incidents from happening."
Addison also agreed that it is unlikely that those 1,700 Nest owners were specifically targeted. Instead, it looks like their email address has been discovered by blackmailers crawling through a data and picking their potential targets at random. That, however, does not likely ease the concerns of Nest users who have been approached by the hackers, which Google admits is a concern.
"Any incident where someone is made to feel unsafe in their home is deeply unfortunate and something Nest works hard to prevent," Google said. "That's why privacy and security are the foundation of our mission."
8:40 pm ET — This story has been updated with a response from Google to GearBrain.Check out The GearBrain, our smart home compatibility checker to see the other compatible products that works with Nest.
Arlo - Add-on Camera | Night vision, Indoor/Outdoor, HD Video, Wall Mount | Cloud Storage Included | Works with Arlo Base Station (VMC3030-100NAR) - (Renewed)