
Family traumatized after Nest system hacked by stranger - danso
https://fox4kc.com/2018/10/31/family-traumatized-after-home-monitoring-system-hacked-by-stranger/
======
bluetidepro
Why is this low-quality fear-mongering Fox News post on the top page of HN?
There is no evidence of "hacking" here, and Nest's official response was that
the person had a poor or breached password. I get that this would be a
nightmare situation, but it has nothing to do with Nest (at least with the
current info)?

~~~
jancsika
How is two-factor authentication not a prerequisite for using Nest in the
first place?

I know we've moved as a society fairly quickly from expecting users to
generate entropy to something that is actually secure. So it's understandable
that some companies lag behind.

But Google is attempting to connect everything they can to the internet. If
the bar for them isn't to at least prevent the easiest, most obvious hack from
causing catastrophes then we're living in an idiocracy.

A user reusing passwords is bad. But in a civilized technological society the
consequences for doing that cannot be a disembodied voice appearing and
communicating with one's child to give them nightmares.

Google's security teams surely know you can't "educate the user" to stop
reusing passwords. If their official response is, "We did the right thing by
suggesting two-factor authentication," then it doesn't matter how many
engineers they throw at the problem.

Evil is afoot.

~~~
zenexer
Nobody else forces 2FA, so it’s not really fair to blame Google here. Even
Apple, while strongly encouraging it, doesn’t actually force you to enable it.

------
warent
The big takeaway here is that grown humans are mindlessly putting technology
they don't understand in front of their children, and then they're blaming the
technology for their own ignorance.

Alright, maybe I'm being a little extreme or cynical, and my goal here isn't
victim blaming; clearly this sort of thing should not have to be a concern for
people, but still... Don't they have a duty to understand what they're
exposing their children to? Then again, I've been tech savvy since I was like
11 years old (23 now), so maybe it's just easy for me to say. I just can't
comprehend simultaneously having children and not understanding technology.

~~~
smacktoward
I must have missed the part in the Nest manual where they told you to expect
complete strangers to be able to watch you and speak to you through it.

~~~
bluetidepro
Actually, that is in the manual. That's a feature of the product. You can
watch and speak through it. Just because a stranger got your password from a
security breach unrelated to Nest doesn't make it Nest's fault. They have the
tools available, and even encourage you in the setup process to set up 2-factor
(I just recently set one up). Outside of that, this is user error, in my
opinion. Nothing was "hacked" on Nest's end.

------
Cynddl
> Sorry, this content is not available in your region.

I guess Fox 4 KC didn't want to implement the GDPR… But what happens with the
GDPR if I, a European citizen in Europe, access this website (blocking EU IP
addresses) using a VPN?

The heuristic they use (IP address = country in which the user lives) is not a
perfect method to assess whether they need to apply the GDPR regulation.

~~~
adventured
> But what happens with the GDPR if I, a European citizen in Europe, access
> this website (blocking EU IP addresses) using a VPN?

WDAF Kansas City is a Fox affiliate located in the state of Missouri.

GDPR is an EU regulation, not a global regulation, nor a US regulation. The EU
and GDPR have no legal standing over most media companies in the US and very
few US Web sites, because they do no business in the EU and are not bound by
EU laws. It does not matter if you're a European citizen in Europe or not, if
GDPR does not apply to the owner of the server you're accessing.

If I - an American citizen - access a server in China, US laws are not what
govern what they can do with my information. That is governed by Chinese law.

~~~
mh8h
_If I - an American citizen - access a server in China, US laws are not what
govern what they can do with my information. That is governed by Chinese law._

The US government apparently has a different interpretation. For example, they
asked Microsoft for the information of a user from the servers in Ireland.

------
chadash
This story is pretty creepy, but at this point, people need to own up to the
idea that weak passwords and passwords that are re-used across sites are going
to be compromised at some point [1]. There's nothing Nest can really do about
this, other than to mandate two-factor auth, which most people don't seem to
like [2].

[1] I'm happy to see in my personal experience that even my non-technical
friends are starting to use password managers.

[2] According to
[https://hackernoon.com/why-do-most-people-ignore-two-factor-...](https://hackernoon.com/why-do-most-people-ignore-two-factor-authentication-1bbc49671b8e),
"less than 10 percent of active Google accounts use two-factor authentication.
Furthermore, as per findings of the Pew Research Center, password managers are
only used by approximately 12 percent of Americans." If people aren't using 2FA
for their gmail account, which is arguably the most important account to
protect, then they probably aren't using it anywhere else.

~~~
benwad
They could check the user's password against the HIBP database - many users
aren't aware of these data breaches and this would prevent them using one of
those passwords as well as making them aware of the problem.
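
The check benwad describes, as an added example that is not part of the thread and not Nest's code. It assumes the public Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<PREFIX>`, which returns one `SUFFIX:COUNT` line per leaked SHA-1 hash sharing the 5-character prefix), so only the prefix ever leaves the client. The sample range response, its counts and the policy thresholds are constructed for the demo; the live fetch function is included but not exercised, so the block runs offline.

```python
"""Added example: checking a candidate password against Pwned Passwords
(HIBP) with the k-anonymity range API.

Assumptions (not from the thread): the public endpoint
https://api.pwnedpasswords.com/range/<PREFIX> returns one "SUFFIX:COUNT" line
per leaked SHA-1 hash that starts with the 5-hex-char PREFIX. The client sends
only the prefix, so the service never learns the full hash or the password.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form HIBP indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """5-char prefix (sent to the API) and 35-char suffix (kept local)."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With the Add-Padding header the server mixes in fake suffixes whose count
    is 0; they are kept so that the caller treats count 0 as 'not found'.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count) if count.isdigit() else 0
    return counts


def fetch_range_live(prefix: str) -> str:
    """Network fetch of one hash range (not used by the offline demo below)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Number of times the password appeared in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def acceptable_password(password: str,
                        fetch_range: Callable[[str], str] = fetch_range_live,
                        min_len: int = 12) -> Tuple[bool, str]:
    """Signup/reset policy (assumed, not Nest's): reject short and breached passwords."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"seen {n} times in public breaches; choose another"
    return True, "ok"


# Constructed stand-in for the /range/5BAA6 response so the demo runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# is 5BAA6 and its suffix is the second line. Counts and the other suffixes
# are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:0\n"  # count 0: padding entry
    ),
}


def fetch_range_sample(prefix: str) -> str:
    """Offline replacement for fetch_range_live using the constructed data."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", acceptable_password(pw, fetch_range_sample))
```

The lookup is done at signup and password reset, before the password is stored; because the client only sends the prefix, the server-side log of the HIBP query reveals nothing about which of the roughly one million hashes in that range the user actually chose.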

------
honkycat
If they think this is scary, wait till they find out what these "hackers" can
do with their weak email passwords.

------
rashomon
How is poor password security "hacking"? If you choose to use the same
password on all of your devices then that is solely on you.

~~~
smt88
Legally, it is hacking.

I remember a story about someone getting an absurdly long prison sentence for
guessing a simple password to a secure system.

Hacking only specifies the knowing and intentional circumvention of an
authorization system. It doesn't place a value on how easy it was to do it.

~~~
stupidbird
Years ago a teenager was arrested for "hacking" because he just Googled the
answers to Sarah Palin's security questions to gain access to her Yahoo
account.

------
mellow-lake-day
> A Nest spokesperson responded to our request for comment and issued this
> statement:

> "We have seen instances where a small number of Nest customers have re-used
> passwords that were previously exposed through breaches on other websites,
> and made public. None of these breaches involved Nest.

It's surprising how many people reuse their password or use unsafe passwords.
Including my own family.

~~~
cgriswald
It's frustrating, isn't it? "We" spend a lot of time warning people about the
dangers of phishing and to not give away their credentials. Then they give
those same credentials away to random site operators who through malice or
incompetence may end up giving those credentials to bad actors. I think most
people don't grok the problem. They think 'this will never happen to me' and
when it happens to them, they blame someone else. Reading the article, I don't
get the sense that the family in the article learned anything. They seem to
still be blaming the devices.

------
heavymark
Doesn’t appear to have been hacked like all the hacks we hear about; rather,
the user probably reused their password on another service that was hacked and
they didn’t change their passwords as hopefully instructed when that occurred.
Enabling 2-factor would resolve this easily for the user in almost all cases,
versus the user having to use a password management app and constantly monitor
their security and update accordingly. 1Password helps a lot, but the average
person won’t use that, so it’s on companies like Apple to continue to improve
their keychain software to help automate this for users and on companies like
Nest to push 2-factor more. But until Apple and others natively support 2-factor
seamlessly it won’t gain massive traction for non-tech users. So while this was
the user’s fault technically, it’s ultimately tech companies’ fault for not
making security for users more foolproof. Though if everyone uses 2-factor,
hackers will probably find another way.

~~~
zamazingo
> Enabling 2 factor

Unfortunately, they do not provide "true" 2fa, only through text message.

------
wkdown
Is there a sensible way to log IoT traffic? I'm paranoid not just of who may
be trying to access IP cameras, but what they may be sending back to their
manufacturer.

------
JoshGlazebrook
Unfortunately the only additional authentication Nest offers is SMS-based
2-step auth. You would think, being owned by Google, they would allow for 2FA.

------
SmooL
So it seems that the Nest itself was secured with a repeated password, and
there was no 2FA on their account (which they could, and were encouraged to,
add).

On one hand, it's easy to dismiss this as the Nest owners being naive with
internet security. This incident was easily avoidable if the owners had put
in a tiny bit more effort. I think it's _fair_ to expect people who own these
devices to know the basics about how to not get exploited from it.

On the flip side, although I think that knowing the basics is a _fair_
expectation, I don't think it's _pragmatic_. These devices are only going to
get more powerful in their abilities, only going to get more ubiquitous in
their distribution, and only going to get more opaque as to their inner
workings. I don't think it's unreasonable that manufacturers _force_ a higher
level of security on such devices.

