A couple of high-profile incidents — including one where a Nest security camera was used to issue a fake missile warning — have forced Google-owned Nest to remind users about simple online security.
Time and again, we are told that our passwords are not good enough, and that they should always be unique, and that our devices are just waiting to be attacked, by organized hackers and mischievous pranksters alike.
And now Rishi Chandra, vice president of product at Nest, which is owned by Google, has emailed all Nest owners, and those in Family Accounts, reminding them to up their security efforts — a somewhat ironic move, given Nest sells security systems and surveillance cameras designed to keep homes safe.
Chandra doesn't actually mention why Nest customers should improve their passwords — the recent stories, including that missile hoax, are not mentioned at all. Instead, Chandra says vaguely: "We've heard from people experiencing issues with their Nest devices. People with access to our credentials can cause the kind of issues we've seen recently."
Despite being somewhat unwilling to address the problem directly (that weak passwords let strangers log into Nest security cameras belonging to other people), Chandra provides some useful tips for anyone who isn't familiar with cybersecurity best practices.
Enable two-factor authentication, a system in which, even if a stranger logs into your account with your email address and password, they must also enter a code text-messaged to your phone to gain access. Unless they have your email address, password, and phone (unlocked, of course), they cannot log into the account.
Choose a strong password — and preferably one which is not just a word which appears in the dictionary, your name, or any of the most commonly-used bad passwords, like '123456'.
Set up a family account. That way, you don't actually share your email address and password with other users, and can log them out whenever you want if you fear the account could be compromised.
Be alert, and understand what a phishing email looks like — as in, an email which looks like it has come from Nest and asks you to log in, but is in fact an attempt to hack into your account.
Protect your home network. This is an increasingly important aspect of the smart home: as we invite more and more connected devices into our homes, the likelihood increases that one of them is insecure and exposes the entire network and every device connected to it. Nest advises users to keep their router software up to date, to share the Wi-Fi password only with trusted people, and to set up a guest account for visitors to log into, which is separate to the network your own devices are connected to.
Emmanuel Schalit, CEO of password management company Dashlane, told GearBrain: "We've seen that the app behind Nest can be compromised due to the re-use of passwords across multiple accounts, and whilst Google are right to advise against password re-use, this advice should have been given a long time ago."
Schalit adds that, once employing better security, and understanding why doing so is crucial, consumers "will realize that 'set and forget' is not the best way to use their devices – and that continuous security best practice is crucial to having a safer home."
Recognizing how customers are putting sensitive devices like connected cameras in their homes, Chandra adds: "It's a great responsibility to be welcomed into your home, and we're committed to keeping you and your Nest devices safe."
Chandra was also keen to point out that, despite reports describing the incidents as "hacks", Nest's system was not compromised by a hacking attempt; there was no breach via a vulnerability in the system. Instead, the vulnerability was users relying on passwords which were not secure enough, or were simply known by the attacker.
While these are all good steps to take, we would like to see Google, Nest and other smart home companies be more proactive. They should demand stronger passwords from users, and make it compulsory that they use two-factor authentication. That way, someone who knows their password cannot log in unless they also have access to the target's phone. Such a simple change massively increases a device's security, yet doesn't negatively affect how it works.
Readers might also want to consider using a password manager, which suggests very strong passwords every time you need to create a new one, then stores all passwords in one place, which can only be accessed by a master password, or via biometric security like a fingerprint or facial scan.