With over eleven million Nest cameras sold, I’m clearly not alone in my quest to ensure my home is readily accessible and safe. But on the night of May 7, 2019 my family felt anything but safe when our four Nest cameras were infiltrated by hackers.
Why A Home Video Security System?
Truth be told, my security system purchase was really provoked a few years ago by my children’s requests to come home after school instead of going to after school programs. Ever the paranoid and cell-phone-restrictive parent, I needed a way to ensure they were home safely and to be able to communicate with them. What about a house phone you ask? Does anyone still have those? I mean, yes, we do, but that put the ownership on my children to call me when they got home and quite frankly, I just couldn’t rely on that without panicking daily at 2:20pm when I hadn’t heard from them five minutes after they should have been home. So here we were with a shiny new camera and a plan with the kids to come home after school.
Set up out of the box was extremely easy and with a few taps on my phone, my husband and I were set up to receive a text message as soon as the kids came home and triggered the camera. It worked extremely well. 2:15pm each day I would get said text message with a little picture of my kitchen and children alerting me they were home. I’d use my phone to microphone in to say “hello” and they would talk to me and sometimes do an interpretive dance for me.
Pretty soon we had invested in three more cameras for around the house and considered the entire system a security measure with an added entertainment bonus; specifically, when I used them to spy on and talk to my cats and dogs while away.
Life with Nest Cameras
Things were fine for years. Other than the annoyance of paying for the footage in order for the clips to last more than a few hours, the only real issue we had with the system was when one of the microphones stopped working. We called Nest support and pretty quickly into their troubleshooting they determined we needed a new camera and sent us one within a week.
It took some playing with the notifications, so I wasn’t inundated with them, but the mobile app is extremely easy to use, and the notifications were set to our liking with ease.
The Night Our Nest Cameras Were Hacked
I came home from work around 7pm that night. My husband was cooking dinner (a perk of him being 100% remote!) and I settled into the couch to go through my personal emails from the day. We have an open floor plan so he was visible and audible when he sat at the dining room table to watch the news as dinner cooked (the TV in the dining room above my beautiful fireplace instead of a lovely painting or mirror is a topic for another blog).
Within a few minutes I heard the “beep” of the Nest camera speaking function and a loud manly sounding noise coming from our second living room. Nothing out of the ordinary registered in my head at that moment. Truth be told, I wasn’t really paying attention, but then my youngest daughter, who was in her room located by the second living room, yelled something asking my husband what he said on the camera. My husband, knowing he hadn’t said anything on the camera, asked me if it was me and I slightly froze. My full-on panicked freeze came the next second when I looked at the camera in the room I was in and the light was beaconing – a signal someone is in the account watching on the cameras.
A few weeks prior to this night I had read an article about a family who had their Nest cameras hacked and the hackers spoke to their infant. I pretty quickly registered we had been hacked as well and tried to stay calm. But let me tell you, it is pretty freaking hard to stay calm when you are creepily being watched.
I still hadn’t answered my husband about whether it was me speaking on the camera, even though again, we have an open floor plan and he hadn’t heard me do it, so no - it wasn’t me. But he asked again. I texted him to be quiet, that we had been hacked and they’re watching us so quietly go unplug all the cameras. Ever the bull in a china shop, he stood up and started yelling “what do you mean they’re watching us? Cristina? That isn’t you?! Who is it?!” and set off a lightning-fast panic with my youngest who instantly started crying and screaming she was scared.
Still being watched, I calmly said “John, please do what I asked you to do in the text message” and he obliged. As he neared the cameras the hackers, obviously knowing we were on to them, started getting rowdy. “Sit the @$!& down.” “Don’t touch that $%@#$ camera!” “Back the $%@# up!” Their intimidation didn’t work. We unplugged all of the cameras and tried to calm the house down.
We took a minute to reflect on what happened while calming my daughter. I just kept thinking about being watched. How long had they been watching before they spoke to us? As it turns out, they had been watching for a while. My husband asked if I had tried to contact him through the camera earlier in the day and I said no. He said, “well the camera beeped earlier today and said something, but I couldn’t understand it so I figured you would call me if you needed to talk.” But it wasn’t me. And when I didn’t call, he forgot about it until the creepy stuff happened.
I really started to freak out when I realized that in order to watch and speak to us, they needed to be in my Nest account. To be in there meant they had a decent amount of my personal information, including my address. Both my husband and I immediately changed our passwords, hoping that would kick the hackers out of the account.
Calling Nest Customer Support
After taking a minute to ourselves, I called Nest customer support to ask for help. I informed them I had just been hacked and people were watching and speaking to me through my cameras. It took a few times of me repeating that statement for the customer support representative to understand. She seemed to be in as much disbelief as I was! “Ma’am this issue needs to be escalated to our next level of support. I will transfer you now.”
I waited on hold…for over 35 minutes and no one came to help. I hung up and went through the first-tier support process again, only to do the same wait (actually it was closer to 45 minutes the second time) before I hung up. Now I was livid. So, I did what any pissed off American does. I complained on social media.
A lightbulb went off when I remembered I worked for an IT Consulting company, full of people with way more technical knowledge than myself. I sent an IM on our Slack channel begging for help and within seconds (even after hours) I had some great advice on what to do. I had already changed passwords but was told to set up multi-factor authentication. The reality was, I should have already had multi-factor authentication set up, but when I signed up for my Nest account all those years ago, it wasn’t an option and I never went back to check if it had become available. Shame on me. My co-workers walked me through it (thanks Marc and Jeff!) and my husband and I were fully set up within minutes.
Two days, yes, TWO DAYS (that SLA would never fly at iuvo Technologies, by the way) later Nest’s higher level of support emailed me and told me to do the same things my co-workers had already told me to do. The representative also called me personally to inform me that my Nest Cameras had not been “hacked” in the sense I was assuming. In fact, she said there had not been a data breach at Nest at all.
Her version of what happened was as follows:
- Either my husband’s or my email and password combination on ANOTHER site had been compromised
- That information was sold on the dark web
- The bad guys who purchased our information had likely been targeting other sites, one of which was Nest, to see if they could log into other accounts using the username and password they just bought (this is because many people use the same username and password combinations across many sites and hackers know it)
- They were able to log into Nest because one of us used the same login information for our Nest account as on another site that was hacked at some point
My husband quickly spoke up and said his Gmail account had been compromised in December of 2018. He did, in fact, use the same login information for Nest as his previous Gmail login. When he got the Gmail notification, he promptly changed his information for Gmail but did not do the same for other sites.
I am not going to lie. This situation was extremely creepy and a bit scary. These people had access to so much of my personal information from gaining access to my Nest account – my address, email, house layout, schedule, names of family members – the list goes on. Utilizing cybersecurity best practices could have prevented this.
Cybersecurity Best Practices
- Use different usernames and passwords for each site you have an account with
  - If one site gets hacked, you will not open yourself up to having other accounts hacked
  - A password manager like LastPass can help you keep track of all of your login details
- Use password phrases or sentences
  - The longer and more random your password is, the harder it is to crack
- Set up multi-factor authentication
  - If your username and password are stolen, added checks upon sign in (which is the point of multi-factor authentication) will make that information meaningless if the hacker cannot also access your phone or email to get the multi-factor authentication codes
  - GO BACK AND CHECK! Apps and accounts that might not have had multi-factor authentication as an option in the past may have it as an option now
- Frequently check the site haveibeenpwned.com
  - This site, created by a “good guy”, houses data from security breaches so you can see if your data has been stolen. If you find your information on this site, go to those accounts and update them using the best practices above
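To make the first practice concrete, here is an added example (not part of the original post and not a Nest, Google or LastPass tool): a short Python script that audits a password-manager export for reused passwords and, given one breached site, lists every other account that must be changed too. The CSV column names and all sample rows are constructed assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; the column layout is an assumption, not a real format.
SAMPLE_EXPORT = """site,username,password
gmail.com,john@example.com,Summer2018!
nest.com,john@example.com,Summer2018!
bank.example,john@example.com,correct horse battery staple 41
forum.example,johnny,Summer2018!
shop.example,cristina@example.com,tr0ub4dor&3
"""

def _fingerprint(password):
    # Compare digests in memory so plaintext passwords are not used as dict keys.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def load_accounts(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def reuse_groups(accounts):
    """Return groups (2 or more accounts) that share one password."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[_fingerprint(acct["password"])].append(acct)
    return [g for g in groups.values() if len(g) > 1]

def exposed_by_breach(accounts, breached_site):
    """Accounts on OTHER sites reusing a password leaked from breached_site.

    Returns sorted (site, username, same_login) tuples. same_login is True when
    the username matches too, i.e. the leaked pair works there unchanged.
    """
    leaked = {(a["username"], _fingerprint(a["password"]))
              for a in accounts if a["site"] == breached_site}
    leaked_pw = {fp for _, fp in leaked}
    hits = []
    for a in accounts:
        fp = _fingerprint(a["password"])
        if a["site"] != breached_site and fp in leaked_pw:
            hits.append((a["site"], a["username"], (a["username"], fp) in leaked))
    return sorted(hits)

if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    for site, user, same_login in exposed_by_breach(accounts, "gmail.com"):
        urgency = "same login, change first" if same_login else "same password"
        print(f"{site} ({user}): {urgency}")
```

Run it against the export right after any breach notification, then delete the export file, since it holds every password in plaintext.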
If you have questions about how to stay safe online, please contact us and we will help you.