Nest Users Are Getting Hacked Again


Staff member
Mar 3, 2018
AFP reports that Nest, a smart camera manufacturer founded by former Apple engineers and owned by Alphabet, is urging customers to use two-factor authentication for their home systems. The plea comes after local media near San Francisco reported on a couple's trouble with a Nest camera mounted on top of their TV. Apparently, a hacker breached the device with a credential stuffing attack and broadcast a "realistic-sounding warning of missiles heading to the United States from North Korea." Meanwhile, that same day, Motherboard posted an independent report of white hat hacker SydeFX breaching the Nest cameras of young women to promote PewDiePie.

Motherboard uploaded a censored version of one such breach, which you can see here

In a statement following the incidents, Google said "Nest was not breached," and that "these recent reports are based on customers using compromised passwords - exposed through breaches on other websites." Technically, they're correct, as these hackers seemingly found re-used Nest passwords through unrelated breaches. The first report claims that Nest also sifts through known breaches to see if any of their users are compromised, but apparently, that wasn't enough to prevent these incidents. Thanks to Schtask for the tip.
Made by former Apple engineer? How could it not have grade A top notch security just like desktop iOS that largely relies on nobody wanting to hack it because it's so small of an install base vs the potential victims of other platforms.
Nest and RING have been hacked the most. Not sure why people would even trust either of their security at this point and yeah obviously 2FA helps but that shouldn't be the only security to thwart an attack...
Cameras will always be a target with all the peeping toms out there.

I have a couple NEST smoke alarms, and even if someone hacked them, all they would see is a report of the downstairs one occasionally being set off due to cooking or using the popcorn popper :p
I doubt anyone is that bored. (and I really need to move that one further away from the kitchen)
Until end-users are properly informed, and actually follow advice, to use widely different passwords (not just changing one character from a previous password) then these types of incidents will continue to occur. People put too much trust in IoT manufacturers/devices and are not using common sense in this day and age.
all the more reason to use an isolated 7 day programmable t-stat that is not internet connected....ditto for cams with speakers
I think we need to see the uncensored versions to properly determine our level of outrage

Google said "Nest was not breached,". Dear Google, if the money is missing from the vault, the bank has been robbed. It doesn't really matter how the money was made to disappear. The customers still want it back.

So now Google wants Nest users to request a 2FA code, receive said code and enter it in order to adjust the room temp? Gee, I can walk over to my old non-connected thermostat, mash an up or down button the desired number of times and return to my chair faster than I can request a code be sent.
The only thing I don’t understand about this article is the Pewdiepie part. I get that you’re “white hat” and not doing anything supposedly nefarious, but why harass girls about some YouTube has-been?
If the option of 2FA is offered, and the user turns it down, idk man, it's sort of on the user at that point.
Lol, people still think smart home systems are secure in 2019. Bless their hearts...
People reusing passwords ... I feel sorry for you but any intrusions after you're made aware of being hacked in the past and you don't remedy that / change all your passwords = not a hack of Nest.
Like I would trust Google's answer: "These recent reports are based on customers using compromised passwords - exposed through breaches on other websites." Yeah sure, why is 2FA required then? A simple change to a new password should be sufficient?
My PSN account has been hacked in the past (Mind you, single PW with special char and over 20 long) and they said it was my fault that I shared it blablabla... had to resort to BBB claim.

They ALWAYS blame the end user and will ALWAYS try to cover when they're hacked unless they have no choice of admitting it. Admitting such if not forced would go against shareholders so yeah I don't trust anything they say.