Griefer terrorizes baby by taking over their Nest babycam...again

Originally published at: https://boingboing.net/2019/10/21/ok-google.html

1 Like

I always have to ask the same question on these…why hack a babycam and terrorize a baby and their parents? Why not use your powers for good?! Hack the RNC? Hack the Trump Foundation? Get the real dirt on what vile secrets Mitch McConnell is hiding?

22 Likes

Having a robust password would be, yeah, a good thing… But dual authentication, folks… Come on, just do it!

10 Likes

worldburn

15 Likes

I saw an article about this the other day titled something like “Time to trash your Nest Cams,” implying this was an issue with Nest’s security, which just isn’t the case. Nest offers all the tools necessary to secure their stuff, people just don’t do it.

Now that they’re moving everything over to a Google account, I think this will get better, but honestly, I think the onus is on the user, not on Google. These “hackers” aren’t breaking Nest’s security, they’re just logging in to the account. If users don’t use the tools given to them to be secure, you can’t really blame Nest when their accounts get hacked.

5 Likes

I’m sure that this has been discussed ad nauseam on a previous thread. Launching a product that is touted as plug-and-play into the market, to be purchased by a population who suddenly are expected to be sysadmins, is pretty irresponsible. I had no clue that my darn television needed antivirus updates, for example.

Networked devices should be configured out of the box such that they force the user to be aware of the security needs, should walk the user through the security setup, and should be simple to routinely reset.

People have had their secure passwords breached. The equipment is not resistant to brute force attacks. That’s hardly the fault of the users.

ETA: this is a general response, not specific to NEST.

23 Likes

Let the griefer into the babycam, and then deliver them a horror fake video feed. Let them be scarred for life.

14 Likes

This is a huge problem and it’s Nest’s problem. They can’t just blame their users for not doing it right. If they wanted to stress the importance of proper security to their users they could put a big insert you see when you open the box that says:

If you don’t want strangers watching you or screaming obscenities at you, make sure you follow these steps

The reason they didn’t do that is because they know it would make people wary of using their products. Cars have warning stickers saying, “there is a serious risk of injury and death” about using your seatbelt correctly, but risk of serious injury and death is something everyone has already priced into car rides. The risk of strangers screaming obscenities at your baby in the middle of the night is not one people think they are taking when they buy a baby camera.

Nest didn’t want to have that conversation with the public because it would sink their product. They didn’t have that conversation and now the public is finding out because the bad outcomes are happening to people.

“Hey, it’s not our fault if people are getting electrocuted by the high voltage circuit on the outside of our product, they ought to wear insulated gloves when they use it,” is a pretty flimsy excuse.

18 Likes

The RNC (allegedly) got hacked too. The (alleged) hackers are using it for kompromat, for all the bad reasons.

6 Likes

Just FYI @doctorow, possible link confusion?
The “hacker screaming obscenities…” (third link in your article) points to the same BB post as “strangers staring at them…” link (second).

That may have been your intent - please disregard if so :) - but I suspect not.

Internet of shit and shitty people.

Just dump it all.

2 Likes

I really don’t think you need to be a “sysadmin” to understand how to make a password secure and set up two-factor authentication.

Look, I’m not saying Nest is completely blameless here – they definitely should’ve provided more guidance for their users to begin with, but Nest has definitely been doing this more recently, and in fact it seems that if you don’t set up 2FA, they nag you about it every time you open the app.

And now, all new users must use Google accounts, and existing users are being migrated. That effectively solves all the issues of Nest’s security, as Google does a ton of things to keep users secure. Nest has been prompting people to migrate their accounts in-app for a while now; if users ignore that, it’s not exactly Nest’s fault.

The point I’m trying to make is that Nest has done a lot of stuff to try to stop these problems, but users just ignore it because they don’t like the added complexity. The tools are there, the messaging is there, people just don’t care about it. Short of forcing their users to do these things (which people would also complain about), there’s not a ton more that Nest can do.

2 Likes

Which was sort of my point above. If they actually forced people to do these things people would complain about that too. If they explained to people why it was so important for them to do these things people would be scared and avoid their products. They’ve got multiple choices and all of them look bad but they’ve still chosen their path and the outcome is predictable.

8 Likes
1 Like

I understand that you think this tech is easy, Jacob the Dev, but this is a product marketed to everyone.

3 Likes

Yet another reason never to install HAL or Skynet into anything in my home.

My phone is the only ‘smart device’ I own, and even that’s a little too much for my tastes.

7 Likes

I can’t do much about the microphone, but my phone has one of those wallet-style cases with the removable magnetic insert and my wife has started using the same kind of case. By facing the cutout in the back for the camera down and keeping the front of the case over the front camera, I minimize the opportunities for the phone to record or relay what it sees to when I’m actually using the screen.

4 Likes

Fair enough, communicating why this stuff should be set up may indeed help push people to actually do so. I’m not sure what the exact wording of the in-app pop-up is, but they did issue an email earlier this year that did try to explain some of this stuff.

It’s a fine line to walk – they don’t want to give the impression that their stuff is insecure, but they do need to be clear as to why these features are necessary to use.

The frustrating thing is that it really shouldn’t sink their product. As much as Mark and others really love to espouse how terrible these things are, there’s certainly a use for convenience and there’s a use for simplicity.

They should be up front with their customers about the risks and customers should take those risks seriously and handle it appropriately.

Open up the phone, remove the microphone capsule. Then, when you need to make calls plug in or pair a headset with a working mic.

(Edit to add, or see if you can get a friend with phone repair chops to help)

2 Likes