No, Nest Cams is not hacked to issue fake nuclear bomb threats

The fear could have been real. The hack? Not really. But the fact that a family spent five minutes fearing that North Korea will launch intercontinental ballistic missiles in the United States is undoubtedly a good time for the rest of us to teach.

The Mercury News tells the story of Laura Lyons, a mother in Orinda, California, whose Nest security camera pbaded on to her family what she called "five minutes of sheer terror" – when she Suddenly heard an urgent warning that seemed legitimate: Los Angeles, Chicago and Ohio hours to evacuate before they could be struck by nuclear weapons.

It turned out that the warning came from their Nest Cam – and a Nest customer service supervisor would have suggested that they might have been victims of hacking. As the Mercury News and others point out that it's not even the first time.

But unlike the headlines you may read on the web, the camera itself was not hacked. Nest's security has not been violated. This is not the story of a sneaky thief who broke into a poorly protected device.

A spokesman for Google confirmed The edge than what the Mercury News suggested is correct: in these cases, the user's identity information was already compromised:

These recent reports are based on customers using compromised pbadwords (exposed through infringements on other websites). In almost all cases, two-factor verification eliminates this type of security risk.

It's the story of someone who used the same pbadword more than once, for both Nest and another unrelated website that has been violated. From now on, there is no need to hack the camera – until Lyons changes his pbadword, anyone can use the compromised identity information to connect to the plain ol 'application Nest. No hacking tools needed.

It's not even as if the supposed "hackers" had to do anything special to send an audio alert: like most of these cameras, there is an integrated feature (in this case, "Talk and Listen") which allows you to talk to someone who is sitting in front of the camera.

And there's a fairly simple way to start protecting yourself from pbadword violations, something Nest has been offering since March 2017: two-factor authentication.

Two-factor authentication (2FA) is not perfect. In particular the genre that relies on text messages. I would recommend an authentication application and maybe even a security key, depending on what you do. But 2FA is remarkably easy to set up and use, offered by virtually every major Internet service, and is generally quite simple, given the number of pbadword violations observed today and the number of people who tend to reuse weak pbadwords.

You can also try a pbadword manager.

Google says it's also considering additional protections for Nest. "We are actively introducing features that will reject compound pbadwords, allow customers to control access to their accounts, and track external entities that misuse identity information," reads a statement.

One of the places where Google could be held responsible might be to not tell Nest users that this type of fuel is a nightmare: they could also find a stranger shouting threats on the Internet, now that's arrived several times.

However, the company took action last month, proactively redefining pbadwords that appeared to have been violated, preventing the re-use of compromised pbadwords, and encouraging customers to adopt 2FA as well, according to a December 19 statement.

Should Nest have done its best to announce that its cameras could be used to trigger a nuclear alert, when nothing makes them particularly vulnerable to competing brands? This seems to me exaggerated.