Nest, a Google-owned company that manufactures internet-connected home devices, cautioned users Wednesday against joining the growing list of customers to have their “smart” products hacked due to exercising poor security practices.
Owners of Nest products including the company’s popular home security cameras received the warning in an email sent by the company, following a rash of recent incidents in which customers complained of being harassed and tormented as a result of compromised devices.
“We’re reaching out to assure you that Nest security has not been breached or compromised,” wrote Rishi Chandra, Nest’s general manager. “For context, even though Nest was not breached, customers may be vulnerable because their email addresses and passwords are freely available on the internet.
“If a website is compromised, it’s possible for someone to gain access to user email addresses and passwords, and from there, gain access to any accounts that use the same login credentials,” Mr. Chandra said. “For example, if you use your Nest password for a shopping site account and the site is breached, your login information could end up in the wrong hands. From there, people with access to your credentials can cause the kind of issues we’ve seen recently.”
Nest users can prevent being hacked by practicing security measures such as using strong, unique passwords to secure their accounts, enabling two-step verification and ensuring their routers are running updated software, Mr. Chandra wrote.
“We take protecting our users’ security very seriously. For added password security, the team looks across the internet to identify breaches and when compromised accounts are found, we alert you and temporarily disable access. We also prevent the use of passwords that appear on known compromised lists,” he added.
“While we can’t stop password breaches across the internet, we’re committed to limiting the impact of compromised credentials on Nest Accounts.”
Nest’s warning came on the heels of several reports involving customers who recalled having their homes digitally invaded by hackers who managed to commandeer their internet-connected cameras by leveraging previously compromised log-in credentials — a tactic colloquially known as “credential stuffing.”
In Chicago, local news outlets reported last month about a family that said their Nest cameras and thermostat were hacked by someone who used them to broadcast racial slurs and remotely adjust the home’s temperature, respectively.
“I couldn’t believe that these devices that I had put up in my home to watch over it, my family, were now being used against me,” Arjun Sud told the local NBC affiliate.
San Jose’s Mercury News similarly reported days earlier about a California woman who said she was subjected to “five minutes of sheer terror” as a result of a similar prank in which a hacker used her home Nest camera to remotely broadcast a bogus message about a purposed intercontinental ballistic missile attack coming from North Korea.
“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate,” said Laura Lyons. “It sounded completely legit, and it was loud and got our attention right off the bat.”
Launched in 2010 by a former Apple engineer, Nest was acquired by Google in 2014 for $3.2 billion. It was subsequently operated as a subsidiary of Alphabet Inc., Google’s parent company, prior to merging with Google’s home devices team in 2018.
Nest products, including cameras, thermostats, doorbells and smoke and carbon monoxide alarms, among other devices, were sold in 21 products as of 2018, according to the company.