Smart devices are at risk of security exploitation
Others could also exploit security vulnerabilities
A Phoenix resident said a hacker spoke to him through his Nest Cam IQ security camera. Experts have long warned that wireless internet-connected devices like Nest cameras, Amazon Alexa and smart appliances have glaring security vulnerabilities.
Andy Gregg was in his back yard a few weeks ago when he heard a voice he didn’t recognize inside his house.
It was dark, and Gregg, who lives in the north Phoenix, said his first thought was somebody had broken into his home.
The source of the voice surprised him: It was coming from a Nest Cam IQ security camera in his front window.
The man speaking to him through the camera said he was a “white hat” hacker in Canada with the group Anonymous. He told Gregg his private information had been compromised.
The hacker couldn’t see images through the camera and didn’t know where Gregg lived, he said. But he told Gregg such information wouldn’t be hard to find.
The man then recited a password Gregg had used for multiple websites.
“I’m really sorry if I startled you or anything. I realize this is super unprofessional, and I’m sorry that it’s a little late in the day to do this,” the hacker can be heard telling Gregg on a recording of the interaction provided to The Arizona Republic/azcentral. “We don’t have any malicious intent.” The hacker said he had accessed Gregg’s camera to warn him about its security vulnerabilities. Other hackers, he said, might exploit the same gaps for nefarious ends.
Gregg said he changed his passwords and unplugged the camera.
“You basically feel very vulnerable,” Gregg said. “It feels like you’ve been robbed essentially and somebody’s in your house. They know when you’re there. They know when you’re leaving.”
Experts have long warned that wireless internet-connected devices similar to Gregg’s Nest — the Amazon Alexa, Google Home, smartphones and smart appliances — have glaring security vulnerabilities.
These devices, popular holiday gifts and part of what’s known as the “internet of things,” have become more com-
mon even as the industry has struggled to address security concerns.
Georgia Weidman, founder of IT security company Shevirah, said consumers are often unaware of these vulnerabilities or lack the technological knowhow to keep their devices safe from attacks.
“We buy things — they’re cool or make our lives easier — and we don’t think about the security implications,” she said. “In order for an end-user consumer to secure their devices, they basically have to be a security expert.”
Gregg, who is a real-estate agent, said people don’t fully appreciate the risk associated with bringing such devices into their homes. Before the incident, he had given Nest cameras as gifts to his clients to celebrate the closing of a deal.
“I have a ton of clients in real estate that use these things to watch their kids. They’ll watch their living rooms, they’ll keep them all over the house for their protection,” he said. “But these hackers can go in there, and if they can watch your kids while they’re sleeping or changing, just think of what they can do with that.”
Gregg isn’t the first Nest customer to claim an outsider accessed his or her camera. Earlier this year, a New York family said someone used their indoor camera to talk to their 5-year-old son, according to TV station WPIX.
Last year, a security researcher exposed a flaw in the company’s security cameras that allowed them to be disabled by a hacker. The company said that vulnerability has been addressed.
Nest, which is owned by Google parent company Alphabet, said in a statement it is aware that passwords stolen in hacks of other companies have been used to access its cameras. The cameras can’t be wirelessly controlled without a customer-created username and password and don’t come with default logins.
The company, which also sells smart thermostats and door locks, recommends setting two-factor authentication for such devices to add an additional layer of security.
Nest’s website says the devices automatically update, although users may not receive them immediately because the company sends them to only a portion of its cameras at a time.
Weidman said people who buy internet-connected devices should make sure they read the documentation that comes with it to ensure they know how to keep the software up to date.
She also said people must change default passwords that come with the device and use a different password for each account and device.
“I recognize that this is a hard problem that we haven’t solved,” she said.
Even after taking those steps, Weidman warns no device is completely secure.
“You’ll be ahead of most people at that point,” she said. “Will it be 100 percent secure? No, the devices just aren’t built to be 100 percent secure. But you’ll be out of the low-hanging-fruit range.”