Hackers Use Stolen Credentials from Data Breaches to "Hack" a Nest Thermostat

[cageymaru]

Jonathan Schisler thought his Amazon Alexa or kids had changed the temperature to 90 degrees on his Nest thermostat. But while scrolling through the device to clear a message about changing the air filter, he noticed that the email address on the device wasn't his wife's. Even his phone app was logged in under another person's name as the owner of the account. Nest says the Schisler family was affected by a data breach from another website where the credentials were initially exposed. Because the Schisler family used the same username and password for multiple websites, the hackers were able to commandeer the Nest thermostat. Taking stolen usernames and passwords from data breaches and inputting them into the login page of random websites is known as "credential stuffing."

Nest said it hasn't been breached. Instead, the company, which is owned by Google, said Schisler's password was breached on another website. For example, he was using the same password for his Nest thermostat that he used for another site. "In nearly all cases, two-factor verification eliminates this type of security risk," a Google spokesperson said. "We take security in the home extremely seriously, and we're actively introducing features that will reject compromised passwords, and allow customers to monitor access to their accounts and track external entities that abuse credentials."

 

[SvenBent]

used the same username and password for multiple websites

Well in todays age that is beeing an idiot. anyone reusing password despite it being advised not to for a decaded are just IT idiots in my humble opinion

 

[fightingfi]

another reason NOT use electronic thermstats if its electronic it can and will be hacked.

 

[Dead Parrot]

Wonder if Google mandates the use of email address as the account name? If so, poor security by design. And given the several postings about 2FA hacks, can't really trust that either.

Also interesting that the app on his phone appears to have been remotely compromised as well. Wonder it that could have been used to further invade the phone?

 

[Darunion]

Im at the point now where I just write them all in a notepad next to the computer. Cant remember them all when so many need to rotate regularly and have to be unique at least 10 passwords back as well as contain special characters.

Also wish accounts could stop being tied to an email account. I have an old ass yahoo i have to keep open for a couple things. Having accounts tied to something you dont actually own never was a good idea in my opinion. Using email is fine, but the address should never be the login or account username.

 

[Vader1975]

Nest has two-layer authentication available now. I suggest we all use it that have Nest.

 

[HeadRusch]

This shit just works. I own 4 of them.

 

[Twisted Kidney]

View attachment 143192
This shit just works. I own 4 of them.

Do those have wifi? Reaching all the way up to turn a dial is such a burden.

 

[Darunion]

Do those have wifi? Reaching all the way up to turn a dial is such a burden.

I myself have moved up to programmable!

I am probably going to migrate away from smart lights, when there is a glitch and it turns on and takes more work to find my phone to open the app (which now needs my password that I cant remember so I have to go get my list of passwords to type it in) and then turn off the light, it starts to lose the convenience it used to have lol

 

[Zarathustra[H]]

Yeah, that's not a hack.

That's just a fool dumb enough to use the same password in more than one place.

 

[Darunion]

Yeah, that's not a hack.

That's just a fool dumb enough to use the same password in more than one place.

It bothers me too when this word is thrown around like it is. Like hacking facebook when someone leaves their pc or phone with it logged in. Or lifehacks like putting a spoon through the hole in the handle of a cooking pot....

 

[sMiLeYz]

It bothers me too when this word is thrown around like it is. Like hacking facebook when someone leaves their pc or phone with it logged in. Or lifehacks like putting a spoon through the hole in the handle of a cooking pot....

The term hack lost all meaning a decade ago. What was hacking was really "cracking", but media and culture just completely misappropriated the word. Most of serious InfoSec professionals shun being called hackers, and we can tell poseurs who called themselves hackers from a mile away.

"Hacking" a facebook while someone carelessly leaves their phone around is a low level form of social engineering.

At this point we just all go along with it, whenever someone claims to be hacked or a big company got "hacked" I have to roll my eyes, and find out the real details.

 

[Zarathustra[H]]

The term hack lost all meaning a decade ago. What was hacking was really "cracking", but media and culture just completely misappropriated the word. Most of serious InfoSec professionals shun being called hackers, and we can tell poseurs who called themselves hackers from a mile away.

"Hacking" a facebook while someone carelessly leaves their phone around is a low level form of social engineering.

At this point we just all go along with it, whenever someone claims to be hacked or a big company got "hacked" I have to roll my eyes, and find out the real details.

At the same time it is not surprising.

Calling it "Hacking" is a way to take the responsibility for being careless away from yourself and putting it on someone else.

Shunning responsibility is something of a national passtime at this point.

You don't leave your wallet visible on the passenger seat of your car when you park it in a city. Don't use the same password on more than one site.

This should be fundamental basics at this point.

 

[Hooksalot]

At the same time it is not surprising.

Calling it "Hacking" is a way to take the responsibility for being careless away from yourself and putting it on someone else.

Shunning responsibility is something of a national passtime at this point.

You don't leave your wallet visible on the passenger seat of your car when you park it in a city. Don't use the same password on more than one site.

This should be fundamental basics at this point.

Fundamental to who? You and I on this tech site. Absolutely. Average Joe who can't even seem to figure out they have no audio because the mute was checked in windows. I don't think so. Someone above said they write theirs down in a notebook and leave by PC. That's nice, but most of these folks don't have PCs any more. They have tablets and phones and are not going to want to look up a password every time they need to do something. I myself find it ridiculous the amount of passwords I need to remember and how many times I need to change them. On top of that the stupid practice of tying an account into an email instead of a username has to stop. Guess what password average Joe will use. Yep the one attached to email. It's easier. So fundamental to us is true, but I know waaaaay too many people who should not have a tablet, phone, or PC and do. My wife is one of them. I love her to death, but she should never be allowed around a PC. LOL

 

[Zarathustra[H]]

Fundamental to who? You and I on this tech site. Absolutely. Average Joe who can't even seem to figure out they have no audio because the mute was checked in windows. I don't think so. Someone above said they write theirs down in a notebook and leave by PC. That's nice, but most of these folks don't have PCs any more. They have tablets and phones and are not going to want to look up a password every time they need to do something. I myself find it ridiculous the amount of passwords I need to remember and how many times I need to change them. On top of that the stupid practice of tying an account into an email instead of a username has to stop. Guess what password average Joe will use. Yep the one attached to email. It's easier. So fundamental to us is true, but I know waaaaay too many people who should not have a tablet, phone, or PC and do. My wife is one of them. I love her to death, but she should never be allowed around a PC. LOL

Keepass. Or Lastpass if you are into the cloud thing.

I - too - struggled with the amount of passwords I had to remember until I started using a password manager. It was life changing.

Because I don't trust cloud services, I use Keepass and keep a local password database on my NAS server. The whole server gets snappshotted and backed up to a remote server every night at 3am.

I access my password database via my shared folders at home on my desktop with the desktop keepass client, or via SSH (accessed via RSA keys) anywhere on the internet, using the keepass desktop client on my laptop, or the Android app on my phone.

 

[Biznatch]

Keepass. Or Lastpass if you are into the cloud thing.

I - too - struggled with the amount of passwords I had to remember until I started using a password manager. It was life changing.

Because I don't trust cloud services, I use Keepass and keep a local password database on my NAS server. The whole server gets snappshotted and backed up to a remote server every night at 3am.

I access my password database via my shared folders at home on my desktop with the desktop keepass client, or via SSH (accessed via RSA keys) anywhere on the internet, using the keepass desktop client on my laptop, or the Android app on my phone.

Add a nextcloud install and use that to sync your keepass DB accross all devices. Then you don't have to worry about not having access at a site that disables SSH. Plus any device sync'd will have a local copy of the DB, so if your main server goes down you still have your passwords available.

Also, try KeepassXC. It's much much better and in active development still, with much better browser plugins. I moved months ago and never looked back.

 

[Biznatch]

another reason NOT use electronic thermstats if its electronic it can and will be hacked.

No, it's a reason not to use devices like this that call home and you access through an app that conects to their servers. As long as you can lock the device to your internal network only, and block all traffic to the internet, you don't have to be concerned about 'hacking'. I do the same with my foscam cameras, and they are constantly trying to call home and getting blocked.

 

[DocNo]

Add a nextcloud install and use that to sync your keepass DB accross all devices. Then you don't have to worry about not having access at a site that disables SSH. Plus any device sync'd will have a local copy of the DB, so if your main server goes down you still have your passwords available.

Or just use one of the commercial password managers like 1Password that has integrated sync out of the box. For non-technical people or for technical people who have enough science projects and don't want to start/maintain another.

Either way the real point stands: use a password manager and use unique passwords on every login!

 

[SvenBent]

another reason NOT use electronic thermstats if its electronic it can and will be hacked.

The unit didn't technically get hacked
The user left the key under the matt

You can protect people against stupidty when they are the owner of the devices.

 

[Biznatch]

Or just use one of the commercial password managers like 1Password that has integrated sync out of the box. For non-technical people or for technical people who have enough science projects and don't want to start/maintain another.

Either way the real point stands: use a password manager and use unique passwords on every login!

I don't trust regular SaaS products, I definitely don't trust storing my entire password list on some companies servers. For non-tech people, yes, it's better than nothing. But my reply was to someone that is technically competent.

 

[Master_shake_]

why can't all this smart crap be Bluetooth?

wifi enabled anything is already a security risk.

 

[fightingfi]

No, it's a reason not to use devices like this that call home and you access through an app that conects to their servers. As long as you can lock the device to your internal network only, and block all traffic to the internet, you don't have to be concerned about 'hacking'. I do the same with my foscam cameras, and they are constantly trying to call home and getting blocked.

Hackers Use Stolen Credentials from Data Breaches to "Hack" a Nest Thermostat

 

[Biznatch]

Hackers Use Stolen Credentials from Data Breaches to "Hack" a Nest Thermostat

And if you don't use IOT devices that require calling home and connecting to their servers, which you also connect to to manage your device, this would not be an issue. If you can only access the device from your local network (or on VPN to your network), and it has no access to the internet, this is not longer a risk.

And just because that's how the credentials were stolen THIS time, does not mean there aren't other security vulnerabilities that have not been discovered / released. The only security I trust is my own, since companies have proven repeatedly they do not give a shit about the security of their customers. Plus there are no repercussions for companies that are breached.

 

[DocNo]

I don't trust regular SaaS products, I definitely don't trust storing my entire password list on some companies servers.

If it's encrypted (which my passwords in 1Password are) then it doesn't matter where they are stored. All you get if you get my vault is a bunch of noise unless you figure out my nice long randomly created password (diceware FTW).

 

[Methadras]

Well in todays age that is beeing an idiot. anyone reusing password despite it being advised not to for a decaded are just IT idiots in my humble opinion

You're talking about the average person using these kinds of devices. Your protestations aren't even making it to their ears.

 

[SvenBent]

I don't trust regular SaaS products, I definitely don't trust storing my entire password list on some companies servers. For non-tech people, yes, it's better than nothing. But my reply was to someone that is technically competent.

Then use keepass its opensource and not relying on anyone else service.
Password managers work great for your security.

 

[SvenBent]

And if you don't use IOT devices that require calling home and connecting to their servers, which you also connect to to manage your device, this would not be an issue. If you can only access the device from your local network (or on VPN to your network), and it has no access to the internet, this is not longer a risk.

And just because that's how the credentials were stolen THIS time, does not mean there aren't other security vulnerabilities that have not been discovered / released. The only security I trust is my own, since companies have proven repeatedly they do not give a shit about the security of their customers. Plus there are no repercussions for companies that are breached.

None of what you say has anything to due with the hack
IoT devies... it can happen for a computer to if you reuse passwords( shoudl we stop using passwords ?
it can happens if you drop your keys on the road then ppl can get int your house and car too. should we stop using cars and houses?
Calling home. agian irrelevant ( even thoug highly annoying)

This hack did not prove any kind of of vulnerable in the devices. that the end of the story.
That you might call it insecure because you think there is, without any evidence is fine. But I donk think that people with agree with your theories with not supporting evidence


The bottom line is this "hack" was 100% preventable if the user had a bit of common sense for the digital age. but to tell joe blow is an under-educated fuck up does not sell as well as to make up scare scenarioes..
Dont fall for the media hype.

 

[M76]

View attachment 143192
This shit just works. I own 4 of them.

Honeywell never just works. It breaks more often than it works.

 

[TheMadHatterXxX]

I don't trust regular SaaS products, I definitely don't trust storing my entire password list on some companies servers. For non-tech people, yes, it's better than nothing. But my reply was to someone that is technically competent.

I don't either, which is why I use passwordsafe, (pwsafe.org) ...instead of things like lastpass. That shit is just begging to be hacked into.

Keepass seems to have more reviews than passwordsafe...I may look into switching over to it...

 

[Biznatch]

Then use keepass its opensource and not relying on anyone else service.
Password managers work great for your security.

I don't either, which is why I use passwordsafe, (pwsafe.org) ...instead of things like lastpass. That shit is just begging to be hacked into.

Keepass seems to have more reviews than passwordsafe...I may look into switching over to it...

I've been using KeepassXC for a while now, sync'd to all my devices with Nextcloud. Works fantastic and keeps everything under my control.

None of what you say has anything to due with the hack
IoT devies... it can happen for a computer to if you reuse passwords( shoudl we stop using passwords ?
it can happens if you drop your keys on the road then ppl can get int your house and car too. should we stop using cars and houses?
Calling home. agian irrelevant ( even thoug highly annoying)

This hack did not prove any kind of of vulnerable in the devices. that the end of the story.
That you might call it insecure because you think there is, without any evidence is fine. But I donk think that people with agree with your theories with not supporting evidence


The bottom line is this "hack" was 100% preventable if the user had a bit of common sense for the digital age. but to tell joe blow is an under-educated fuck up does not sell as well as to make up scare scenarioes..
Dont fall for the media hype.

My point ------------>
You're head....

Like I said, just because THIS instance was due to poor credential management, does not mean there are not other vulnerabilities in these devices. I'm a devops engineer, previously a sys admin that has focused heavily on security. There are PLENTY of articles out showing how little these companies focus on security and get hacked/breached. Go looks it up for the 'proof' of my 'theories'..... There are plenty of facts, I'm not going to spoon feed them to you.

Any device that requires a constant outbound connection to an external companies servers is a HUGE vulnerability. If that account is compromised in anyway, anyone on the internet can access your device..... Again, most companies don't focus on security until they are breached, then suddenly decide it's worth spending money on. The ones pushing these shitty inexpensive IoT devices are notoriously bad. It sure makes it easy for non-tech people to setup, but they are also unaware of the risk. If you want to trust some other company with your security, go right ahead. But if/when they get breached and it turns out they were storing your password in clear text, while also waiting 3 months to notify you of the breach, it will be your own fault.

I'll continue buying only devices that can be locked down to my internal network, and will never purchase devices that have to call home. If I somehow get breached, it will be my own fault. But with my setup at home, that would be quite impressive.

 

[lcpiper]

Well in todays age that is beeing an idiot. anyone reusing password despite it being advised not to for a decaded are just IT idiots in my humble opinion

What's idiotic is that we are still using passwords at all.

Google's solution, to actively track and blacklist compromised passwords is just as stupid.

A password is only half of the solution, the other half is the username, if they don't match up, then one without the other is useless. But by blacklisting passwords, with hundreds of millions of customers creating accounts, and breaches exposing those passwords over time, we'll run out of passwords. This is only compounded by the practice of frequent and unique password creation/change.

 

[Darunion]

What's idiotic is that we are still using passwords at all.

Google's solution, to actively track and blacklist compromised passwords is just as stupid.

A password is only half of the solution, the other half is the username, if they don't match up, then one without the other is useless. But by blacklisting passwords, with hundreds of millions of customers creating accounts, and breaches exposing those passwords over time, we'll run out of passwords. This is only compounded by the practice of frequent and unique password creation/change.

"Please use password that is not similar to your last 75 passwords and is not one of the 300million black listed passwords. Also must contain 3 letters from different character sets and 2 wing dings and you have to be able to type it twice without seeing the first one"

 

[SvenBent]

What's idiotic is that we are still using passwords at all.

Google's solution, to actively track and blacklist compromised passwords is just as stupid.

A password is only half of the solution, the other half is the username, if they don't match up, then one without the other is useless. But by blacklisting passwords, with hundreds of millions of customers creating accounts, and breaches exposing those passwords over time, we'll run out of passwords. This is only compounded by the practice of frequent and unique password creation/change.

Nothing really beats "passwords" evry other alternative is just a password in some other way

But maybe a 2way hand shake would be nice.

 

[lcpiper]

Nothing really beats "passwords" evry other alternative is just a password in some other way

But maybe a 2way hand shake would be nice.

Yes, something does beat passwords, personal recognition. Another human who knows you personally.

I'll call this person my vouchsafe avatar. And for argument's sake, my daughter is my designated vouchsafe.

Instead of logging into my computer with a password, I hit the log on button, my daughter sees my request to access my computer, and grants it.

The point isn't that the vouchsafe is specifically my daughter, but that it represents someone who "knows me". Now we will replace my daughter with an AI tailored to "know me" and you get the point.

My face, my voice, my way of talking. Until it's satisfied that it is actually me on the other end, it's going to keep conversing, querying me, until satisfied. The vouchsafe could be local or remote.

 

[kief of police]

Well in todays age that is beeing an idiot. anyone reusing password despite it being advised not to for a decaded are just IT idiots in my humble opinion

We like to call those type of people ID10T(s). Thank you Microsoft for giving us computer literate geniuses an insult that can be said among coworkers while the client is in the room, but need to know if the issue was something caused by stupidity from this client or from any other cause.

 

[SvenBent]

Yes, something does beat passwords, personal recognition. Another human who knows you personally.

I'll call this person my vouchsafe avatar. And for argument's sake, my daughter is my designated vouchsafe.

Instead of logging into my computer with a password, I hit the log on button, my daughter sees my request to access my computer, and grants it.

The point isn't that the vouchsafe is specifically my daughter, but that it represents someone who "knows me". Now we will replace my daughter with an AI tailored to "know me" and you get the point.

My face, my voice, my way of talking. Until it's satisfied that it is actually me on the other end, it's going to keep conversing, querying me, until satisfied. The vouchsafe could be local or remote.

you face your voice can all be "copy'ed" its nothign mroe than data going to someone who verifies it. which is again just a another form of "password"
and biometrics are soo hard to replace when somebody got a copy of it

its the som eraseon finger prints / eye scanner are a horrible security


im not sure how the vouch persone fit in. if she is external then you ar either just mvoing the identify/"password" isseu to another location

 

[lcpiper]

you face your voice can all be "copy'ed" its nothign mroe than data going to someone who verifies it. which is again just a another form of "password"
and biometrics are soo hard to replace when somebody got a copy of it

its the som eraseon finger prints / eye scanner are a horrible security


im not sure how the vouch persone fit in. if she is external then you ar either just mvoing the identify/"password" isseu to another location

This is not what I am talking about.

Again, imagine an AI on your machine and/or remotely that you must actively engage with and talk too, that is going to watch, listen, and measure to determine if this is you. not a photo or a video clip, a conversation just like if you were talking to someone you know. The more you talk to it, the better it gets to know you. Before you can even use your own device it has to be convinced that it's you using it. Before you can use your bank's online services again, you must convince it that it's you. This is not just a submission of data for a match check. This is a full on engagement with an AI until it has decided that you are in fact, you. If it asks for a finger print or iris scan as part of the process so be it, but that would be just a part of the process.

As for biometrics, good ones are fool-proof when employed properly. The problem is, don't have a third party system in the link and you must witness the data collection.

Yes there are shitty implementations, doesn't mean they are all shitty. But if you have someone standing in front of you putting their eye to the camera as you watch them do it, on your own equipment, you can't fake that shit unless your name is Ethan Hunt.

BTW, I did IT and field support for the BAT and HIDE biometrics system in Iraq in '06 and '07. If the people do a decent job collecting the data then it works damn good. There were very real issues that made it tough on soldiers doing field collection that greatly reduced the system's effectiveness. Any soldiers here that have used it will be quick to point to the problems they encountered, but these were largely operational and environmental.

As It turns out, collecting biometrics from people in the dead of night in a shitty country, while people are trying to kill you isn't the optimal time and place for quality collection of biometric data.