The voice from our Nest camera threatened to steal our baby (siliconvalley.com)
194 points by Balgair 29 days ago | 163 comments

A lot of comments here are blaming the user for using the same username/password on multiple sites, allowing their account to be compromised. This is missing the point.

Nest cameras are a security product aimed at non-technical users, so of course this happens frequently, and of course this was foreseeable at the very earliest design stages. The designers needed to come up with a solution to this problem, and blaming the user is not an acceptable excuse.

The solution is actually pretty easy: require a pairing procedure that can't be done remotely. For example, the Nest app on a phone could display a QR code with its public key fingerprint, which you show to a camera, and the camera will only send video to phones it's been paired with. That would pretty much completely eliminate this failure mode.
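As an added example (not the commenter's code and not Nest's), here is a Go sketch of the pairing idea described above: the phone shows a QR code carrying its public key, the camera records that key's fingerprint only while its pairing button is physically held, and it later streams only to a phone that proves possession of a paired key with a signature over a fresh nonce. The `campair:v1:` payload format, the pairing button and the nonce handshake are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Fingerprint is what the phone's QR code commits to: SHA-256 over the raw
// Ed25519 public key, hex-encoded. The camera keys its allow-list on it.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// QRPayload is the string the phone encodes in the QR code (assumed format, not
// Nest's). It carries the full public key so the camera can verify locally.
func QRPayload(pub ed25519.PublicKey) string {
	return "campair:v1:" + base64.StdEncoding.EncodeToString(pub)
}

// Camera holds the local allow-list of paired phones, fingerprint -> key.
type Camera struct {
	paired map[string]ed25519.PublicKey
}

func NewCamera() *Camera { return &Camera{paired: map[string]ed25519.PublicKey{}} }

// ScanPairingQR is the physical-presence step. It only succeeds while the
// camera's pairing button is held (buttonHeld), so someone who merely holds
// the cloud account password cannot add a device from across the internet.
func (c *Camera) ScanPairingQR(payload string, buttonHeld bool) error {
	if !buttonHeld {
		return errors.New("pairing refused: pairing button not pressed")
	}
	parts := strings.SplitN(payload, ":", 3)
	if len(parts) != 3 || parts[0] != "campair" || parts[1] != "v1" {
		return errors.New("pairing refused: unrecognised QR payload")
	}
	raw, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return errors.New("pairing refused: bad public key in QR payload")
	}
	pub := ed25519.PublicKey(raw)
	c.paired[Fingerprint(pub)] = pub
	return nil
}

// AuthorizeStream decides whether video is sent. The phone presents its public
// key plus a signature over a fresh camera-issued nonce (so a captured signature
// cannot be replayed). The account password plays no part in this decision.
func (c *Camera) AuthorizeStream(pub ed25519.PublicKey, nonce, sig []byte) bool {
	stored, ok := c.paired[Fingerprint(pub)]
	if !ok {
		return false
	}
	return ed25519.Verify(stored, nonce, sig)
}

// Scenario runs the exchange end to end: the owner pairs at the camera, an
// attacker (password in hand, never in the room) tries to pair remotely and
// then to stream. Returns (ownerAllowed, attackerAllowed).
func Scenario() (bool, bool, error) {
	cam := NewCamera()
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	attPub, attPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Remote pairing attempt: nobody is pressing the button, so it is refused.
	if err := cam.ScanPairingQR(QRPayload(attPub), false); err == nil {
		return false, false, errors.New("remote pairing unexpectedly succeeded")
	}
	// Owner pairs in person: button held, QR shown to the lens.
	if err := cam.ScanPairingQR(QRPayload(ownerPub), true); err != nil {
		return false, false, err
	}
	// Camera issues a fresh nonce for each stream request.
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, false, err
	}
	ownerOK := cam.AuthorizeStream(ownerPub, nonce, ed25519.Sign(ownerPriv, nonce))
	attOK := cam.AuthorizeStream(attPub, nonce, ed25519.Sign(attPriv, nonce))
	return ownerOK, attOK, nil
}

func main() {
	o, a, err := Scenario()
	fmt.Println("owner allowed:", o, "| attacker allowed:", a, "| err:", err)
}
```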

Former co-founder & CEO of Dropcam (Nest cam) here.

There's no way to say this humbly, but imo stuff like this is the reason that companies lose their way when they lose an empowered "buck stops here" product-oriented CEO with enough engineering chops to modulate product decisions.

I had an endless to-do list of improvements, including security enhancements like the one you suggest (but done in a way that would not impair usability, like anything with QR codes :-)).

The problem is, a string of well-meaning but amazingly risk-averse managers came in and killed the soul of the company by introducing enough bureaucracy that the team and I no longer cared to bang our heads against brick walls anymore.

If the leadership doesn't a) understand product, b) understand business, c) know/respect good engineering, or d) have "fuck you, we're doing this" authority ... it will fail in spectacular ways through a series of seemingly good short-term decisions, it's just a matter of time.

Combine product, business, engineering, and authority to lead, sprinkle in some ethics and respect for your customers/employees, and baby you've got a stew going.

This whole privacy mess in home & so-called "IoT" is a result of people who don't even know what would be required to operate ethically with such powerful technology in the first place. I believe they are mostly good people, they just don't have the mindset or philosophy to know what to do. It kinda makes me misty-eyed. They know where to find me if it sounds like some of this could help... I'd be happy to try and get the band back together again.

Oh man this sounds like my experience at google. The unlimited stream of money on our project meant avoiding risk was too easy. I feel like I could have done a lot of good for way less money but nobody was interested in new ideas from folks in the trenches.

I know what you mean. Product engineering gets weird when you remove all constraints, and you actually end up hobbled instead of empowered by the "resources".

I think if they made projects require independent profitability (after a startup period), a lot of that weirdness would go away and customers would be happier too.

I don't understand. If I were running a project with unlimited money, I'd engineer it so that it would never send data to me (it would work over LAN, VPN, and a cloud service used only to establish a direct link between the camera and the viewing device) and wouldn't be subscription based. That's ethical design. It seems to me the projects were indeed constrained, and most of the weirdness in IoT can be attributed to the core constraint: since the business model of selling crappy hardware as a loss leader to hook people on an Internet service is allowed to exist, it's very hard to compete without doing it.

Every rung you climb between client-server towards fully distributed increases software difficulty non-linearly.

It seems simple at the outset, but once you actually try to build a complex business/product like this one you realize you have to start with something simple just to get the money to fund something more complex/better.

RE: internet service loss leader model, I think it can be beat with a better product and a better model. But someone is still always going to need to pay to maintain and update software, and it seems fair to profit off of that as long as you allow for competition (& that's where I believe the law should better protect consumers).

> Every rung you climb between client-server towards fully distributed increases software difficulty non-linearly.

That's true. In my mind, fully distributed doesn't have to be the goal. I believe the number one problem for getting people to talk to their smart devices is NATs. I imagine a cloud service responsible only for NAT punching, and all the actual communication between user's smartphone and smart device happening directly (or rather, between the smartphone and home hub). It's probably more complex in practice than I think it is, but I can't think of an obvious show stopper.

> But someone is still always going to need to pay to maintain and update software

I think this is mostly a self-inflicted problem (or rather, a problem created and then used as an additional justification for subscription models). E.g. for a lightbulb, there's only few bytes of data that needs to be transmitted over the control channel. On/off state, color, intensity - setting them in one direction, reporting in another. That + overhead of whatever communication protocol is used. Such a device doesn't need an update. There's nothing to update there. The hub might, but arguably, hubs are designed overcomplicated too. But vendors seem to like to put a whole software stack on the devices, which now creates an attack surface that doesn't need to exist in the first place - and suddenly, security updates are required.

I think I understand where you are coming from, and I've thought similarly before.

But billion-dollar companies have been made almost purely on "NAT punching". I've written the code, and it's more complex than it seems.

And RE: your lightbulb example, I love it, because I will now use it to illustrate how even seemingly simple devices require ongoing software maintenance. Is it using a wireless protocol compatible with other devices? Does it use encryption/authentication (e.g. to keep the neighborhood hacker kid from controlling my lights)? Does the setup process require interoperation with a changing set of personal devices (phones, etc)? All of these things could require software updates, see e.g. heartbleed. And if you have a software update system, it now needs maintenance as well...

Not to mention if consumers want their hardware investment to continue paying dividends through new software features. That part should definitely be opt-in and open to competition.

But those engineers you hire to maintain your software aren't commodities. They have shifting interests, bills to pay, and boot-up time to re-remember all of the old code. Costs will be lower to keep them employed and making continuous improvements once a product reaches sufficient scale.

Competition would prove out which model is best, though, so no need to think too hard about it, we just need to improve antitrust/competition law.

Thanks for the clarification on both points.

You've changed my mind a bit about the update capability - I suppose any wireless protocol necessitates a software update capability because it's exploitable remotely (e.g. from outside the house), and you'll never get it bug or vulnerability free the first time.

But this then calls into question the utility of consumer-level IoT as a whole. It's nice to be able to operate devices remotely from wherever you are, but this immediately creates a very large category of problems.

> Competition would prove out which model is best, though, so no need to think too hard about it.

Unfortunately, I'm not convinced of that, for several reasons. Information asymmetry - non-tech consumers can't evaluate these products, so vendors designing bad products have competitive advantage. Thanks to recurring revenue, service-backed devices can be at much lower price points than their service-independent counterparts, and most customers are very price-sensitive. Add in surveillance and data mining, and the price can be lowered even further. User-hostile business models have a distinct competitive advantage, because they offer immediate benefits but the costs are deferred. Therefore, I don't think competition alone is going to solve it.

Being capable of changing one's mind is a great thing. Thanks for the honest conversation – that's what's great about HN these days!

We competed head-on every single day with companies that lied like it was a national pastime, and we beat them handily. I think it is because good people tend to make the best products. There's an efficiency increase from passion, and all it takes is one good leader to unlock a team of hundreds or thousands of good people. I believe it is enough to take to the bank against shady practices.

That said, I do support better antitrust laws, we need to update them for the 21st century tech oligopolies + IP-stealing/currency-manipulating nation-states.

But all it takes is one good motivated person like you or me to Make The World A Better Place (™ HBO Silicon Valley). So let's get to it...!

> In my mind, fully distributed doesn't have to be the goal. I believe the number one problem for getting people to talk to their smart devices is NATs.

Ubiquiti does a good job with this - they provide the interface to get into my equipment remotely with little setup, but don't send the data to their equipment.

I went from a stream of permanently money-scarce small businesses that had to work within tight means, to one that was small but with almost unlimited cash, where bugger all got done because there was no pressure from deadlines - why worry about making money if you're never going to run out?

My takeaway: abundant money can be poison.

I remain miffed by their recent decision to force the blue lights to on with my dropcams. I actually was able to gather critical evidence when cleaners (who were swapped out for my regular people without warning by the cleaning service) decided to search my home and commit identity theft instead of their jobs. They actually picked the dropcam up off the shelf and looked at it - getting a great, clear shot of their faces for the police - then decided it was broken and put it back down instead of destroying or unplugging it. Now, that wouldn't happen. They'd just unplug them or point them elsewhere. They even blink if I decide to look and see what's going on - a clear warning to any well-informed thief.

I miss the old Dropcam. You created something great. Sorry to see the buyers screw things up so badly.

Thanks, I appreciate that!

I feel you about the lights. Ultimately, I have grown to think that users should have ultimate control over the software running on their devices. If I want a light you can't disable, it should be by designing the hardware that way ... and you're still free to use a sharpie/tape/drill to modify your own hardware.

It's a fine line balancing making things difficult for creeps vs fully empowering a homeowner/caretaker to protect their castle/family how they see fit. But freedom for users to find their balance and law to punish truly bad uses are the only stable solutions... otherwise, creeps can always just use crappy products with no protections instead and you, the regular person, get stuck with crappy restricted products.

Some poignant examples of this are the many art installations that contain Dropcams. Suddenly a bunch of them have ugly blue dots that weren't intended by the artists. Does the artist now have to visit their installations with a sharpie? It's a stupid and limiting rule change that further pushes what was once a generally useful tool into a one-trick home security pony.

I hope you'll forgive me if I suggest that one might have hoped that security wouldn't be an item on your "endless to-do list of improvements" after you've released the product. I mean, what with that whole "good engineering" thing.

That's not a very generous interpretation of what I wrote, and honestly hints at an immature understanding of good engineering and security.

Dropcam v1 was one of the most secure internet products in existence at its inception, by design, full stop.

Making things more secure is a never-ending charge, and we never stopped. Google/Nest continue to try to improve things as well, but they've been slower and more inefficient at doing so than we were in our heyday. That's why these stories never seem to stop coming. The attackers are outpacing the defenders.

>Dropcam v1 was one of the most secure internet products in existence at its inception, by design, full stop.

Well, with all due respect, that doesn't exclude that the security may not have been "good enough" (then) as much as it is not "good enough" (now):


Erasmus also said “What is life but a play in which everyone acts a part until the curtain comes down?”

“With all due respect”, which part are you playing right now?

My comments were not meant as logical proofs. But, I am content to say that Dropcam, as designed at launch, could likely be proven “net good” based on several popular moral axiomatic systems. That’s the best I’ve got, chum! The alternative is to convert oneself to a motionless blob, attempting to exert the least possible influence on reality unless intense logical calculation and polling of prevailing subjective moral bases has occurred first.

I choose instead to just try to do the right thing, and build cool/good stuff too. And always try to make things better, as long as you have breath. I highly recommend it over the blob strategy.

Have to admit though, I had forgotten how much fun it is to comment on the Internet!

My non-technical parents set up their Wyze cams by showing the QR code on their smartphone to them. I think it is just for communicating the wifi password to the camera, but it didn't really seem like a big deal for them.

My quip about QR codes was kind of tongue-in-cheek, but any step that can be eliminated should be and there are just better ways to do it. QR codes can also fail in interesting ways, e.g. bright sunlight or cracked screens.

Most QR code based setups were just transmitting wifi credentials in plain text. That's insecure, and it doesn't solve the pairing problem, only the wifi connection. There's actually a fair bit of 2-way data that needs to be exchanged to provide the best experience. And sure, you could start streaming encrypted setup information through animated QR codes, but there's better ways to do it.

Not to mention that we're talking about Wyze cam, which has been filled with hilarious(ly scary) security flaws since day one. Be careful with those things...

Probably the best UX I've seen in this area is Hue, where to add a device or confirm access to a hub you physically push a clicky button on the hub within a certain time limit.

A close second would be Apple TV, where to add a remote you hold it next to the device (presumably some kind of short-range Bluetooth thing).

Right - just to be clear, my point wasn't about the security of Wyze cam (security? lol), but about the UX for setup involving a QR code, which could be seamlessly extended to pairing specific devices. I'm sure you could use other means to transmit the relatively small number of bits to pair the device as well which could overcome most device limitations, for example by having a black and white flashing screen held in front of the camera (I had a watch in the 90s that could do this), or encoding messages through an audio channel.

I've got a table of a zillion different methods with myriad categories of benefits and drawbacks. And a weighted scoring system. And ... I may be slightly obsessive about this topic! :)

Would you mind writing them down and sharing somewhere? This would be beneficial to any ethical IoT maker.

I'll try when I get a moment. I think it might actually be better and easier to open-source SW and HW modules that do the right things.

I think it might be a good way. OS designs are a boon for the free market too, as they separate out concerns and allow independently competitive submarkets to exist.

One potential challenge I faced myself with my DIY attempts at IoT hardware was dealing with power. I'm not an electrical engineer, and I don't trust myself enough to plug anything into mains power - and I don't trust random OH stuff you can order soldered from China either.

I think the risk-averse managers messing everything up and the angry responses in this thread are coming from the same place.

It's a result of the authoritarian lean of our current times.

The concept of freedom IMPLYING responsibility has been completely done away with. The operating concept is: adult consumers are like children, and need to be protected.

The pathology of this can really be felt when it's a CEO of creators.com complaining that he can't be bothered to use different passwords. In other words, he wants to have all the rights and privileges that come with having the highest levels of social power, but none of the responsibility. It seems he doesn't feel it's fair to be given the responsibility I've seen school children master (keeping different passwords).

That seems true. I'm a fan of empowering users, with safeguards in place that they can disable if they opt-out and know what they are doing.

For a product like this, though, you need to make sure everyone who is ever in eye or ear-shot (or will purchase it used) is considered/informed as well.

In my book, once information is equalized, be adults, go nuts.

Is it authoritarian though, in the paternalistic/patronizing sense? I view it more as abusive. Customers are viewed as children in the sense that it's trivial to just steal a lollipop from a kid, or repeatedly exploit their trust to part them with their lunch money.

Can you please specifically say what you want? I mean, how did they fail, what should be done, and how that requirement isn't authoritarian?

To be clear, if they broke criminal laws they should go to jail. If they broke civil laws they should be sued. I'm not some crazy anti-gov person, just someone who believes in personal responsibility and that our blame/victim culture is perverse.

Your post is filled with innuendos and blame. I'd suggest that if you compare a company to 'stealing a lollipop from a kid' you can provide strong and concrete examples of theft. It's a pretty damning accusation.

Also, you are comparing adults making purchasing decisions to someone stealing candy from a kid. To me that sounds like the epitome of authoritarian patronizing. I'm guessing when you say that you don't see yourself as the child, only other adults right?

Well, sure: customers are treated like children in the sense that companies correctly notice that non-tech-savvy users have no clue how to evaluate anything about a tech product (nor should they), and exploit it. Regular people can't in advance tell that a device is insecure. Regular people haven't yet learned that a device tied to an Internet service will be a paperweight in a year or two. Regular people don't understand what a botnet is, why it is a bad thing, and that their service-based IoT device is likely to be one for most of its lifetime.

My point is simple observation: vendors exploit the extreme information and understanding asymmetry on the market to sell insecure, low quality and abusive offerings. If you haven't noticed it yourself yet and need more direct evidence, follow https://twitter.com/internetofshit.

You have a fact:

> vendors exploit the extreme information and understanding asymmetry on the market to sell insecure, low quality and abusive offerings

This is true.

Now, please tell me how this applies to the FA we are talking about? The FA is about a nest customer using an insecure and exposed password and then complaining about his nest being taken over by a hacker.

And this isn't some joe shmoe. This is a CEO. He is complaining. RTFA and you will see.

My point: he has no right to complain, his complaint is based on the authoritarian perspective that people need to be protected against themselves.

He has no giant information asymmetry which Nest exploited to hurt him. He messed up. Simple. If he can't understand how to keep passwords, he really shouldn't be a CEO, ESPECIALLY of a tech company. And here's a bigger idea, if you can't keep passwords, maybe don't use systems that need them. Just as if you can't drive drunk... maybe not drive or maybe not drink? Blaming beer companies for being abusive (which they can be) is in no way relevant to the RESPONSIBILITY people have to not drink and drive.

IF a company sells a defective and bad product, they should and will be sued. If they imply you can drink and drive. Sue. If they imply or say their product doesn't need safe passwords, sue. IANAL, but this probably doesn't apply here. Which is why the guy who penned the FA is writing it. He wants to shame nest. And those who are authoritarian inclined seem to me to be backing him up. Instead of seeing the article for what I see it: A captain of industry wanting all the rights and rewards of being a captain of industry, but not having to keep the responsibility of maintaining proper passwords.

It is Apple style "we know what's best for you" authoritarianism. Multi-button mice are confusing. USB ports and headphone jacks are ugly. Nobody needs an Escape key. We'll take those away and restrict what you can do with the product to enhance your experience.

Maybe if they had asked Carl Weathers for advice, this wouldn't have become an issue.

> but done in a way that would not impair usability, like anything with QR codes :-)

LOL, there was a whole lot of head scratching when someone came up with the QR-for-pairing idea. Also, wink wink, nudge nudge, when are we grabbing a beer?


The fact that this was on your list of "improvements" rather than being a minimal requirement before being willing to launch, sell, etc, is pretty damning on its own. No need to get misty-eyed.

Sorry, but that shows a fundamental misunderstanding of the problem space. We entered the "IP camera" market in 2010, when all the competitor products booted a 7-year-old Linux kernel with busybox and UPnP'd a port to the public internet. Admin/admin, no string escaping, buffer overflows, inadvertently indexable by Google, rooted and/or turned into botnets.

Dropcam v1.0 eliminated all of those security problems.

The only gotcha is that we required cloud storage. However, my plan for v2.0 Dropcam was to go with open-source verified builds + kill the cloud-storage requirement (but offer it optionally with e2e crypto).

If I had required that at v1, the company wouldn't exist today, and worse stuff would have taken its place. Good product engineering requires prioritization and stepwise problem-solving, not ivory tower ethics.

> open-source verified builds [...], kill the cloud-storage requirement [...] optionally with e2e crypto

In your opinion, in the current space, do you think there's room for this kind of product now? I bet most of the readers here know why these are good features if you don't like adversarial software running sensors on your home network and uploading stuff, but I also bet we're in a tiny, tiny minority in the market.

No, for two reasons:

1) You get no credit with customers for security features, only blame if they get hacked. You must invest in good security engineering because you believe it is a good thing and a good long term investment, it will only cost you in the short term.

2) Unfair competition from large tech and China-based companies, in terms of pricing and incumbent advantage. (And yes, I helped create this situation by selling Dropcam to Google, and profited from it)

In order to win, you'd have to make something better in every other respect (or find some yet-unknown killer feature that average customers actually care about), sell it for the same price, beat them in price wars, and spend enough on marketing to undo the PR damage they've done to the space AND rise above the noise floor.

Doesn't Apple's HomeKit do this the best? It was designed to be secure (so much that they had to backtrack on requiring hardware encryption chips) and it works locally.

With all respect, just because the state of the market was terrible doesn’t make a more secure insecure product good for the end user. And more than take market share away from less secure cameras, nest created a great ux helping expand use to unsophisticated consumers.

We'll have to let god balance that out on the scales of morality when I reach the pearly gates someday.

There's a lot of good and bad that came out of Dropcam but I think it's been mostly good. Lives saved, murderers in jail, happy moments captured that would otherwise have been lost.

Plus, we had every intention of improving this aspect, and I'm even commenting unpaid on the internet to put as much pressure as I can on Google to follow through on that!

> nest created a great ux helping expand use to unsophisticated consumers

Thanks for the compliment though. Maybe god will pardon those who create good UX. :)

> With all respect, just because the state of the market was terrible doesn’t make a more secure insecure product good for the end user.

With all respect, let us know when you (or anyone else) releases a perfect version of a product. Nobody has unlimited money and time in which to polish a product to perfection.

I'm in the throes of this right now, trying to beat a once-miserable codebase into something that improves our customers' lives, is stable, is secure, etc. on a shoestring budget. It's a hard, wretched slog but we're doing it, one point release at a time.

This is exactly right, and way better than my reply.

Your polish can improve as you scale and get more resources. That doesn't mean there isn't a min-bar of basic security practices and ethics, but if min-bar is perfection on all counts, get ready for a long and fruitless existence...!

Nobody's asking for perfection, just something that doesn't get hacked and play pornography for 3 year olds. Nest had polish. Security took a backseat to UX, and here we are.

It's silly to call that a minimal requirement. There's nothing simple about local pairing especially when you need to be concerned about your entire market, what phones they're using, what devices they're using, and how much funding your call center has. Yours seems like a very naive, hindsight is 20/20, comment.

take your holier than thou attitude out the door. it's so easy to play an armchair quarterback and not know the struggles people in the trenches have to go through to get features and improvements through management.

> A lot of comments here are blaming the user for using the same username/password on multiple sites, allowing their account to be compromised. This is missing the point.

I disagree. This is the equivalent of blaming car manufacturers in the 70s for stolen cars when people left the keys in the cars. This is 2019. We've had PINs and passwords for decades. At some point people have to take responsibility for their own lives, their own property, and their own safety and take some things seriously. Nest and other companies can only do so much when the users keep doing stupid things like "password" for their password.

If you leave your front door unlocked when you go on vacation, yes, the crook should be jailed, but you should lock the darn door.

I don't disagree fully. I'm all for personal responsibility. But it's largely a failure of the technology of passwords. You want me to remember 30 different passwords. That's a non-starter.

So put all my eggs into a password manager basket. But I've been scared off those because I read that some are crap or Chinese or other scary things. And it fundamentally feels insane to give everything to one app on my phone. You haven't convinced this old bag of coal that's a good idea to do.

So now I'm backed into what I perceive as a "smug young tech people corner" where I feel damned no matter what I do because clearly I need to be tech savvy but you insist I don't need to be, that this is just a baseline intelligence kind of problem.

That whole story is a complete failure of technology, not the user.

Great, you want one password, use one password and two-factor authentication.


Use keepass. It's an encrypted db with great mobile and desktop clients. Problem solved.

That sounds great. So I need someone smart to tell me which manager to use. And also to have confidence in them.

That's truly not awful. But it's not as easy as car keys.

Use the official desktop client for Windows. The Linux version has to be run using wine, but there's a snap that makes the install a one-clicker. Use keepass2android for mobile.

Use a keyfile and password; just in case your password is compromised, the attacker would still need access to your machine to open the DB.

I have a lot of junk sites I log into that have a REALLY shitty password - it's not tied to my credit cards or any personal info, but it was just to get something working/going. It's not the same as leaving your keys in the personal car and more equivalent to leaving the keys in the golf cart I rented at the golf resort. Sure there's still some negative consequences of that, but if the golf staff just tell everyone to leave their keys out in the open when they're done renting, then that's what people do.

All of the "2000 era china cams" (foscam or whatever) I bought had a username password that only mattered if you were on a local network. I can imagine Nest users would probably assume that's what they were doing.

1. Your examples aren't on the same level as Nest, and I do the same thing. If you happen to hack my account at some random forum so I could see someone's attachment, have at it.

2. If anyone was so dumb as to think a camera they can view on their phone while at work or on a cruise ship was "only on their local LAN" then, again, it's 2019 and there's no excuse for that. If you can't figure out that you're seeing your house from 2,000 miles away because it's connected to the internet, I don't feel bad for you.

I agree. Manufacturers want people to believe that their products are as safe as possible; we tech users know what it takes. The fact that "normal" users are unaware of the risks and not guided into securing their system is on the manufacturer.

How about us tech users, that "know what it takes" do actually communicate that it takes something like 2FA to properly secure an account?

Instead, we are here looking for ways Google could fix people's tendency to opt out of additional security.

Because contrary to your claim, most bigger online services these days absolutely do guide and nudge their users into setting up 2FA, because adding a legit phone number to an account makes that account data that much more valuable for selling ads [0].

[0] https://techcrunch.com/2019/10/08/twitter-admits-it-used-two...

Most manufacturers don't care, because they know that a) users aren't able to tell what's secure, and b) they face zero consequences. As a tech user, I know that if an IoT device routes data through vendor's cloud, it's unsafe, period. As evidenced by breach after breach after breach after breach.

Sort of like the HomeKit pairing requirements...

I wouldn't say their response "misses the point", I'd say it's a lazy response and they don't care (or have enough financial motivation) to dive deeper into the underlying cause of the problem.

I really like your idea of a physical pairing procedure. It's not a large price to pay for dramatically increased privacy. Some other possible partial-solutions I initially thought of:

1.) Don't allow users to create their own password. Generate a strong password for them, and only show it to them once upon password creation/change. (like how API secret keys are often only displayed once upon creation) --- this would eliminate the "same password on multiple sites" issue

2.) Require a device whitelist where some type of fingerprinting/calibrating is done upon initial login by each device added to the list.

3.) Geofence logins to a pre-specified radius surrounding the camera location. E.g. if the parents work < 10 miles from home, they can set up a radius of 10 miles and understand that if they travel further than 10 miles away from home they won't be allowed access. --- this would be hackable, but would at least add another layer of protection.

> The solution is actually pretty easy: require a pairing procedure that can't be done remotely. For example, the Nest app on a phone could display a QR code with its public key fingerprint, which you show to a camera, and the camera will only send video to phones it's been paired with. That would pretty much completely eliminate this failure mode.

This is how Tesla pairs a new phone to work as a key -- you need to have one of the two RFID key cards that come with the car present, and be inside the car with the new phone. You pair _that particular device_ and then authorize it with the RFID card. Simply having the login to the app/account is not enough, and from the car itself you can always remove a paired phone.

A key for a car frames the problem in much clearer terms and Tesla engineered a secure solution. It is unfortunate this isn't done for other things where security is equally important.

> A lot of comments here are blaming the user for using the same username/password on multiple sites, allowing their account to be compromised. This is missing the point.

Omitting the lack of 2FA is missing an even more important point because it's cases like this why 2FA is pretty much mandatory today.

But instead of using already available solutions, you want to reinvent the wheel with "a pairing procedure". Gee, that sounds awfully familiar to what 2FA does, which also would have completely eliminated this failure mode, if the user had bothered to actually use it.

In that context, I really don't see what Google could do differently with Nest. If users don't use additional security, then you can add all the additional security you want.

It never ceased to amaze me that the Blizzard game I used to play had better security than my brokerage.

We just aren't trying that hard.

So every time you add a camera, everyone in the family/workplace has to go find it and physically pair every one of their devices with it? That doesn’t sound workable.

Sounds perfectly sensible to me. If I'm setting up security cameras in my own home then requiring physical interaction with the device to pair sounds like a great idea

One reason to have a camera would be to provide access to a parent or family member who is far away, perhaps even in another country.

And now that far-away person will have to ask someone with actual physical access to the device send a screenshot of a QR code. This is fine.


Doesn't it? Compared to the nightmare described in the article?

I see this idea being proposed in an early design meeting. Then I see a product manager seriously consider it and then veto it. Why? Because their product's goal is to be the easiest to use camera system, and this makes using it much harder.

But let's say the PM and the rest of management was convinced. So they make it require pairing and send it out for field testing. Field tests come back: "it's really annoying that I have to pair all of my phones individually with each camera." Management tells engineering to fix that.

But let's say that the engineers once again convince management that this is a good idea. The product is launched. The review from CNET or Wirecutter or something comes back: "it's crazy in this day and age that I need to get a ladder and go around to all of my cameras to introduce them all to my new phones every time I do my yearly iPhone upgrade." CEO now has a crisis and demands this be fixed. Engineer pushes back again and is probably fired this time. Feature is removed.

A few years later, this article comes out and it causes much, much less damage to the brand than the bad usability reviews. Everyone learns the wrong lesson.

But why individually? Can't all the cameras in the local network share a single pairing code?

Or they pair with a "controller" device and any user pairs direct with that?

Could be a dongle with a button that plugs in to a router usb port.

FWIW, this is what Ikea's system does, and all that lets you do is turn the lights on and off.

Also: pair the cameras with the hub before installation, so you don't need a ladder later on.

I don't think the answer is to throw up our hands and say, "oh well, I guess security is fundamentally incompatible with usability in consumer electronics; caveat emptor is the best we can do." I concede there's a tension between security and usability (and that compromising on usability to achieve security makes your product less appealing), but we should demand that companies find better ways to design around that tension, instead of making the bare minimum concessions to security and adopting a "blame the user" mentality.

Or you do something sensible like have a hub. Every client device pairs with the hub. Every sensor device pairs with the hub. The hub brokers rendezvous and authentication. And to pair anything with the hub you have to be sitting there next to it with physical access.

I would expect it to be even simpler: once you are paired to the network of connected devices, you are connected to any future devices added to the same.

Next time your app connects it simply indicates a new device has been added and asks if you accept it.

Those are equivalent, in the sense that the hub is a router to the IoT network. This functionality could be implemented on an Internet router itself, but it isn't, and honestly I wouldn't trust any consumer-grade router with it.

You only really need 1 person to physically pair, and then they can authenticate other people wanting to share it.

I mean, how often are you adding cameras?

I have to push a physical button to control my Hue lights, and we can't require physical access to a /camera/ ?

Perhaps something like Keybase's solution is workable? Where you generally need to access one of your existing Keybase clients to authorize a new Keybase client. Presumably you'd add cameras and the like the same way.
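The pairing model proposed in this thread (one device enrolled in person, further devices approved by an already-paired one, as in the Keybase and "one person physically pairs" comments), as an added example that is not code from Nest, Keybase or Tesla. It is a hypothetical hub with a physical button, per-device keys, one-time HMAC challenges, and revocation; all names and the HMAC scheme are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set


def device_proof(device_key: bytes, challenge: bytes) -> bytes:
    """What a paired phone sends back: HMAC over the hub's one-time challenge."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


class CameraHub:
    """Hypothetical hub brokering access to the cameras behind it.

    A device may watch video only if it holds a key the hub knows, and the hub
    learns a key in exactly two ways: in-person pairing (modelled as a physical
    button press) or approval by a device that is already paired. A correct
    account password on its own never unlocks the stream.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}      # device_id -> enrolled key
        self._pending: Dict[str, bytes] = {}   # device_id -> key awaiting approval
        self._challenges: Set[bytes] = set()   # outstanding one-time challenges
        self._button_pressed = False

    def press_pairing_button(self) -> None:
        """Physical step: only someone standing at the hub can do this."""
        self._button_pressed = True

    def pair_in_person(self, device_id: str, device_key: bytes) -> bool:
        """Enrol a key shown to the hub locally (e.g. scanned from a QR code)."""
        if not self._button_pressed:
            return False
        self._button_pressed = False   # one enrolment per press
        self._keys[device_id] = device_key
        return True

    def request_enrollment(self, device_id: str, device_key: bytes,
                           account_password_ok: bool) -> str:
        """Remote step for a new phone that only knows the account password."""
        if not account_password_ok:
            return "rejected"
        if device_id in self._keys:
            return "already-paired"
        self._pending[device_id] = device_key
        return "pending"    # surfaces as an approval prompt on paired devices

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._challenges.add(challenge)
        return challenge

    def _verify(self, device_id: str, challenge: bytes, proof: bytes) -> bool:
        key = self._keys.get(device_id)
        if key is None or challenge not in self._challenges:
            return False                        # unknown device, or replayed challenge
        self._challenges.discard(challenge)     # each challenge is single-use
        return hmac.compare_digest(device_proof(key, challenge), proof)

    def can_stream(self, device_id: str, challenge: bytes, proof: bytes) -> bool:
        return self._verify(device_id, challenge, proof)

    def approve(self, approver_id: str, challenge: bytes, proof: bytes,
                device_id: str) -> bool:
        """An already-paired device vouches for a pending one."""
        if not self._verify(approver_id, challenge, proof):
            return False
        key = self._pending.pop(device_id, None)
        if key is None:
            return False
        self._keys[device_id] = key
        return True

    def revoke(self, device_id: str) -> bool:
        """Removing a paired device needs no remote credential at all."""
        return self._keys.pop(device_id, None) is not None


def demo_flow() -> Dict[str, bool]:
    """Walk the thread's scenario through the hub; returns each outcome by name."""
    hub, out = CameraHub(), {}
    parent_key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)
    out["pair_without_button"] = hub.pair_in_person("parent-phone", parent_key)
    hub.press_pairing_button()
    out["pair_with_button"] = hub.pair_in_person("parent-phone", parent_key)
    # A device holding a leaked account password but no physical access.
    out["new_phone_pending"] = hub.request_enrollment("new-phone", new_key, True) == "pending"
    ch = hub.new_challenge()
    out["streams_before_approval"] = hub.can_stream("new-phone", ch, device_proof(new_key, ch))
    # Legitimate phone streams once; replaying the consumed challenge fails.
    ch = hub.new_challenge()
    out["parent_streams"] = hub.can_stream("parent-phone", ch, device_proof(parent_key, ch))
    out["replay_rejected"] = not hub.can_stream("parent-phone", ch, device_proof(parent_key, ch))
    # The paired phone approves the new one (a far-away relative), later revokes it.
    ch = hub.new_challenge()
    out["approved"] = hub.approve("parent-phone", ch, device_proof(parent_key, ch), "new-phone")
    ch = hub.new_challenge()
    out["streams_after_approval"] = hub.can_stream("new-phone", ch, device_proof(new_key, ch))
    out["revoked"] = hub.revoke("new-phone")
    return out
```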


Pair them with a hub. Cameras should talk to the hub on LAN, not the Internet. You can pair everyone's devices with the hub once. As explained in parallel, QR codes and distance are not mutually exclusive.

I had the same response from Google when my mom got hacked and she paid off hackers $6000 in Google Play cards. Why does Google allow people to be scammed via their gift cards when they could easily fix this by putting in basic checks? Crickets.

It's easy to say 'my mom should know better', but like most users in the world she is not technical. She grew up on a farm, how is she supposed to understand this stuff? It should be on these companies that make enormous profits to protect all users. This includes users who are not technical.

> She grew up on a farm, how is she supposed to understand this stuff.

I'm sure it wasn't your intention but that's quite insulting. Just because someone didn't grow up with technology doesn't mean they can't learn and understand it. Farmers especially since they're very DIY and resourceful.

I think it's perfectly reasonable to use "she didn't grow up with complicated electronics" as an argument for why it's hard to learn to use it.

You cannot expect people who aren't used to certain things, to pick up those skills as easily as people who do have prior experience.

It's part of the authoritarian bent.

"She needs to be protected. She's not a real adult like I am. I, as a real adult, will decide for those who I consider aren't real adults."

It's dripping with patronizing authoritarianism. And they just don't see it.

I will say, people who have IQs below 80-70 are in a terrible place. Our modern world assumes the ability to understand concepts at a certain level. Some people at some IQ levels just will never be able to do so. How to classify such people and what to do about it is something we need to reckon with as a society.

But a discussion of a CEO who is lazy and can't be bothered to engage in minimum cyber security (the FA) that even clerks are required to do and thus got hacked... is probably not the place.

> "She needs to be protected. She's not a real adult like I am. I, as a real adult, will decide for those who I consider aren't real adults."

I don't see the similarity between that and what was actually said. It seems you are making assumptions and taking it way out of context.

I grew up on a farm. We lived in a barn at first. I know this stuff.

I hope you helped your mom set up 2FA after that.

What basic checks would you recommend to Google on top of offering a robust 2FA solution?

Here are a few things they could do:

* ensure that where they sell gift cards there are store limits on how many gift cards can be bought.

* track the usage of the card to make it more difficult for criminals to use them.

* put a day delay on the card or make the user register to make it more difficult for the user to immediately sell the card off to criminals

Google is very aware that their gift cards are used in massive fraud schemes of millions of dollars that target the most vulnerable (the elderly). It is similar to how there is a huge fraud scheme built on Nest products. That they allow it to happen (as it is of no cost to them) is incredibly irresponsible and in my opinion even criminal.

When I called Google, their response was that on the back of the cards there is a warning in small print that if you give away the scratch-off key, the money is unrecoverable. As if someone being told that their entire life will come crashing down around them if they don't send the money is going to read the small print on a gift card!

Google is probably the company in the world that is the best at tracking users and cyber security. There is no reason why they couldn't prevent these use cases if they put effort in.

> It is not evil to bring a product to market before the privacy has been completely figured out, but it is evil to let someone threaten to kidnap an 18-month-old and have no real response.

I have to disagree with the first part here. Privacy is a pretty central (and I would say _obvious_) concern, especially given the function of this particular product. I get that some people care less about privacy than others but the fact that this tech is being misused like this doesn't seem surprising to me at all.

True. Otherwise the "Internet of Things" becomes the "Botnet of Things" as time has already shown. However, once a botnet is used for sex trafficking, it's sure to be taken much more seriously.

Why are so many people here trying to reinvent the wheel? We already invented the wheel that fixes this particular problem, it's called 2FA.

If users decide not to use it, then there's nobody to blame but them.

Thinking up ever more complex schemes, to offload all the responsibility on the services, won't solve any of this.

At the end of the day user error overrides it all and massive database breaches even affect those that should know how to properly secure their stuff [0].

2FA is not perfect, it's not convenient but it's one of the last remaining effective defenses when massive breaches have become so normalized that known pwned accounts outnumber people alive on the planet [1].

[0] https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-...

[1] https://haveibeenpwned.com/

Or just that current users get a confirmation prompt to allow a new device ? (like on Authy)

Likely safer than SMS 2FA as well.

Or how about just don't re-use passwords across accounts. If they had used a unique password they would've been fine, right? I don't understand what users want Google to do: it's the house equivalent of taking your key and leaving it at the grocery store.

It's not so sure, in some cases, passwords can be compromised by other ways directly from the source, or accesses can be derived from misimplemented APIs.

No matter how big the company is, this is really realistic.

Facebook, Google and others all used to leave some passwords in clear text for a very long time for anyone to check in the logs.

Google even got their central password system compromised and source-code stolen (Gaia).

It can also be a password recovery process that can have glitches (Steam), or just not checking password properly due to deployment errors (Dropbox) or just compromised servers (my unique EA Origin password was compromised like this, my LinkedIn password as well, my Twitter password...) etc

many possibilities

Well, in that case, as a long term solution, we need to start teaching basic tech security in k-12, kinda like we teach kids drivers ed, home economics, shop class, etc. It doesn't have to be a whole class. Maybe just 1 or 2 hours per year, go through all the basics of security like how to 2FA, and how to pick unique passwords.

Or use some kind of hashing strategy that's based on remembering a single password. It would use your password plus the login website name to generate a unique password.

At this point, I just assume that any password I have somewhere is public in some way, if something doesn't have 2FA, it might as well be compromised.

Case in point: I just checked an e-mail account I haven't used in close to 20 years, even that thing has now a somewhat lengthy haveibeenpwned profile.

Let's not blame the victim. The general consumer does not buy a device assuming it's ripe for hacking and that they have to take extra steps to configure it more securely.

It's the manufacturer's fault to allow the weak configuration in the first place.

> The general consumer does not buy a device assuming it's ripe for hacking

No devices were hacked here, just like nothing about this had anything to do with the device's security configuration.

This was user error of first reusing passwords, and then not bothering to secure their Google account, the actual attack vector, with 2FA.

> Essentially, an email and a password are compromised somewhere across the internet. They join millions of other email addresses and passwords, which are then cross-referenced with other websites, including Nest.

This doesn't sound like a Nest vulnerability? Does Nest offer MFA?

People reusing passwords and email adresses is a known problem and not rare at all. So deal with it, i.e. you need to make sure that your service can not be affected by a simple leak. Not doing so means putting the security of your users and their experience with your product into the hands of other people (everyone who knows the email and password combination of your user).

Ideally, being susceptible to a leaked password-email-combination should be considered gross negligence.

> you need to make sure that your service can not be affected by a simple leak

How can you use any service then if in your mind any service should be able to not be affected by a leak?

My username/password combo is everything I need to use my account fully. Should there be another factor to use my account? I should be forced to set up another factor to post on HN?

This is just absurd. We just can't keep adding road blocks to let people not learn how to use something. There will always be an idiot to outsmart you.

Yeah, I clicked this assuming (with a bit of surprise) that Google's IoT device security is as paper-thin as all the rest, but this was 100% user error. I don't know what he expects Google to do about it.

Yeah, this has absolutely nothing to do with Nest and everything to do with people using the same passwords for different sites.

Yes, but that is a pedantic technicality that misses the point. Google markets Nest's ease-of-use and plug-and-play simplicity to non-tech users. That's a critical piece of the product's value proposition: that it just works and you don't have to think too much about it. For user security not to be a major design consideration from the onset seems extremely shortsighted... especially since this is an internet-connected camera that you're placing all over your home. Not thinking about security and privacy implications was Google's first failing. The second failing is its broken culture when it comes to customer support.

Does Google/Nest partner with haveibeenpwned to invalidate leaked creds and force a reset by the user? Forcing MFA would also not be unreasonable considering the sensitivity of the data collected (ie video in your home), although I get this is up for vigorous debate between product, security, and engineering.

Google defends Gmail users from malicious nation state actors [1]. Isn't Nest part of the Google identity ecosystem now?

[1] https://security.googleblog.com/2012/06/security-warnings-fo...

Google has their own system for detecting compromised passwords: https://www.blog.google/technology/safety-security/password-...

I have no idea if it's integrated with their primary login flow though. It's certainly integrated with the password manager in Chrome.

I didn't think HIBP did password hash sharing?

They sure do and in fact offer an API for sites to validate sha-1 hashes against their cracked password DB[0]. The hashes are shared.

Thank you to Troy Hunt

[0] https://haveibeenpwned.com/API/v3#PwnedPasswords

That's not really what I was getting at. I've implemented the password lookup before. That protects users from setting passwords that have already been compromised.

The scenario I was looking at was..

User signs up with Site A with Password 1.

User signs up with Nest with Password 1.

Site A gets compromised.

Nest couldn't know if you'd used the same password on each site. The only way they could know is if they used the same hashing algo with the same salt or SHA-1 with no salt. Highly unlikely.

I suppose Nest could check the Pwned Passwords API every time they logged in, but I haven't seen anyone deploy that yet. IIRC all solutions I've seen check the Pwned Passwords API when they set the password. Setting a password and checking a password are often different systems.
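The Pwned Passwords range lookup the comments above describe, as an added example that is not code from the page, from Nest or from Troy Hunt's service. The client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffix list locally; the same function can run at password-set time and at login time, since the plaintext is available at both. The range data below is constructed for this example (only the two SHA-1 test vectors are real; every count is made up), and a live fetcher against the documented api.pwnedpasswords.com endpoint is included but not used by default.

```python
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

# Constructed stand-in for a Pwned Passwords "range" response (or a local
# copy of the downloadable hash list). For a 5-hex-char SHA-1 prefix the real
# service returns every matching 35-hex-char suffix with its breach count,
# one "SUFFIX:COUNT" per line. Every count below is made up for this example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    # SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    "5BAA6": (
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "FEDCBA9876543210FEDCBA9876543210FED:1\r\n"
        "not-a-valid-line\r\n"          # malformed line, must be ignored
    ),
    # SHA-1("abc") = A9993E364706816ABA3E25717850C26C9CD0D89D: the prefix
    # exists in the store but the suffix for "abc" is deliberately absent.
    "A9993": "0" * 35 + ":5\r\n",
}


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords keys on upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts: Dict[str, int] = {}
    for raw in text.splitlines():
        suffix, sep, count = raw.strip().partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue  # never trust a line that does not match the documented shape
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_constructed(prefix: str) -> str:
    """Offline fetcher used by default so the example runs without network."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Real k-anonymity query: only the 5-char prefix ever leaves this host."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-example"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_constructed) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).

    Usable both when a password is set and at every login, since the plaintext
    is present in both flows; the server only ever learns the prefix.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password: str, min_length: int = 8,
                     fetch_range: Callable[[str], str] = fetch_range_constructed
                     ) -> Tuple[bool, str]:
    """Policy decision a sign-up or login handler could act on."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = pwned_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in known breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "abc", "correct horse battery staple"):
        print(candidate, password_allowed(candidate))
```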

you can also download the passwords


One easy fix. Send a verification email to users when a different device is detected before allowing log in.

I mean, even Steam does this.

They offer MFA, only via SMS.

Not perfect, but it's decent.

I still use it and will continue to do so until someone releases a better ecosystem.

Right now I get an alert on my phone if someone rings the bell, or leaves/removes a package. Plus with facial recognition I get alerts which include the person's name for common visitors (via facial recognition) and will announce visitors via a set of google home minis. Nest will alert my phone if the smoke detector sees smoke or CO. I'm obviously quite "all in" on their ecosystem.

I also will note I have an elderly relative at home as well as 3 dogs and we are not there most days so the ability to see what's going on at home and potentially take action like calling the police/fire/EMS is extremely valuable to me.

Yes, Nest offers MFA. You should enable it now:


> Does Nest offer MFA?

I don't remember what Nest used before being bought by Google (I believe SMS MFA was available), but they're transitioning accounts to sign in with your Google account.

But, if you transition, you lose some significant existing functionality and integration.

I've gone "all in" on turning on MFA, preferring TOTP when possible, over the last ~6 months.

A surprising number of sites that really should do not offer any MFA. Like bank accounts, credit cards, investing accounts, payroll, cars...

My money may not be safe, but at least my github commits are!

Yes, Nest has offered MFA for years. The blame for this incident falls squarely on the user, who reused the same (weak?) password across multiple websites without enabling MFA.

On the one hand I agree the specific issue is the user's fault. On the other hand, you're selling internet-controlled audio and video recorders to the general public. What did you expect?

Every single day people crash cars, cut themselves on kitchen knives, and choose weak methods of single-factor authentication. There’s only so much the seller can do. We’ve seen how much users love (and subvert) “strong password requirements.”

IMO, the device should require MFA to be configured before working, using it without one should be left at most as an “advanced setting”.

Well, this is a case of stolen credentials...but the behavior behind this is just a sample of how fucked is this world. Who in their right mind enjoys distressing others in that way? I try to convince myself that there's hope for the world but when I hear about this type of things I lose that hope. There are legit evil people in this world.

> There are legit evil people in this world.

There are 8 billion people in the world. There's every kind of them.

The common ones aren't interesting; they are common, they aren't the ones that we want to talk about. Thus what you see are only the best or the worst.

Please don't lose hope because of that.

If you leave your front door unlocked and someone robs your house, is it the door manufacturer’s fault? Genuine question, it is interesting that one product has certain expectations while another doesn’t.

People generally have an intuitive understanding of the security properties of doors. On the other hand, my mid-70s in-laws still have not internalized the idea that the threat model for bad / reused passwords is not "some guy sitting at a computer randomly trying passwords". A better example for the door analogy would be that you leave it unlocked so you can grab something out of the car in your driveway, and by the time you get back someone from Russia has taken all your stuff.

Exactly my thought. All this anger is so weird to me.

I think the super angry response we are seeing is a result of the authoritarian lean of our current times.

It's like the concept of freedom IMPLYING responsibility has been completely done away with. The operating concept is: adult consumers are children, and need to be protected.

A better analogy would be buying a door that might unlock at a random time during the night, if you didn't use the right motion when you locked it.

How could Google have prevented this except by requiring MFA? Even that isn't guaranteed to prevent 100%.

I'm no Google apologist, just a pragmatist.

A couple things just off the top of my head ...

* Detect that a login occurred from an unrecognized IP and email the account holder to tip them off.

* More stringent password requirements and a check against public leaked database registries to alert the user that the password they're using has been leaked.

But it seems like the bigger frustration is not that they did not prevent it, but that when it occurred it was difficult to raise the issue, and the response was tremendously inadequate.

The issue with your first suggestion is the whole idea of signing into your Nest account is that you are away from home, therefore your IP would be different. Not saying they can't do it, but accessing your device from a different IP is kind of the point.

Sure, but then you just log into your email and click a link and then you are in. Lots of sites do this and it would prevent this kind of attack in most cases. (assuming the leaked password was not also reused in email, but then you are in for an entirely different level of hurt anyways)

It's not about the incident happening, it's about the response. If you know there are criminals on your network you should work to remove them.

Who would ever in their wildest dreams have devices from a huge data collections company, watching and listening in your home?

It's beyond unintelligent, if you really think about it.

Sure, to the average HN user, if even that. As a thought experiment, you know the inner-workings of G. Take one step back, and consider if your parents have that same understanding. Sure, you may have talked about it with them at dinner once/twice/often, but do they really understand it? Now, multiply that by the greater majority of people that have no-tech understanding nor friends/family to enlighten them. To them tech might as well be magic. Everything is "push a button, get a prize" mentality for end-user tech now.

Arthur C Clarke's Third Law: "Any sufficiently advanced technology is indistinguishable from magic."

My in-laws are firmly in the "computers are magic" camp. Say what you like about they should learn etc, but they're in their 80s, have already lived through multiple technological revolutions, and at this point don't have the energy or interest to work through another one.

Would your in-laws let a kid play with a power tool too?

They are aware that someone not able to understand the danger of power tools and how to use them safely shouldn't use them. That's nothing new. Yet they still do...

You read HN. So you're one of the few people on this planet who have even heard of the term "huge data collections company" much less have an opinion about it.

In the mind of the populace, I think Google might stay in the same brain spot reserved for father christmas. I would have suggested a massive privacy awareness campaign but I doubt it'll work - especially when it comes at the cost of convenience.

CanadaPost is resetting all user passwords now due to a similar breach [1].

"The cause appears to be that login and password credentials stolen in external privacy breaches unrelated to Canada Post were used to access individual Canada Post accounts. This is possible when users reuse their credentials on several websites to avoid having to remember different passwords."

I'm not sure how they plan to prevent users from just reusing another password, however perhaps this education will help.

1. https://www.canadapost.ca/cpc/en/our-company/news-and-media/...

Canada Post doesn't sanitize user input very well.

Username/password is reflected unchanged in JS. Got a console error because my password has a single quote in it.

> In every email, they remind me of two-step authentication. They act as if I am going to continue to use Nest cameras.

Well, isn't that exactly what the customer support team is supposed to do? They'd be a terrible customer support representative if they didn't encourage good security practices and didn't try to maintain customer relationships.

Not having 2FA is unacceptable in 2019. The best form of security is a combination of these 3 things:

- "Something you know" — Password, security questions, personal information, etc.

- "Something you have" — Security key (Yubikey, Smartcard, Ledger Nano, etc.), software key (HOTP/TOTP), ̶S̶M̶S̶, email, etc.

- "Something you are" — Biometrics (Touch ID, Face ID, etc.)

> it was the user’s fault for using a compromised password and not implementing two-step authentication

Very low technical skill for someone writing for a website called siliconvalley.com.

It's in Google/Nest's best interest to put in commonplace security measures like MFA or notifications like detecting an unknown device accessing the camera. If I'm paying this much $ for a product, I don't want to have to deal with having to understand the 100 different ways it could be compromised and having to deal with that.

Many services send you an email when someone logs in from a new device. Does Nest not do that?

Perhaps I'm silly but wasn't it obvious that things like that would happen with Nest, Alexa and the like when devices like these first came out?

Reminds me of this:


Putting it on the company to stop you from not doing things that make you prone to the most common and low-barrier password stuffing attacks?

People reusing passwords is risky and frankly stupid behavior.

The same way you are responsible for your financial identity and can be taken to court over these disputes, you are also responsible for your cyber identity.

The longer you avoid being held responsible, the worse the pain will be.

User used same credentials for multiple sites. User did not use multi-factor authentication. Another site was hacked and the credentials exposed. Someone used those credentials to log into user's Nest account and access the speaker. User is upset at Google for some reason.

Blaming the user alone is crazy.

If I login to my gmail account using a different PC, google won't let me in without sending a text to my phone or a code to my email. Sometimes, even using a different browser on the same PC I typically use triggers this security check. Even after letting me in, Gmail will send a notice of the strange login to my backup email - the mail will contain the time and ip of the event.

Same with Telegram. Logging in to a new app/device and Telegram will send the notification to the two apps I use on my main PC, my secondary PC, and my phones. Deleting the notification on one client app won't remove it from the rest. This way, an intruder can't erase the evidence.

Also, almost every other email service I own badgers me to set up 2-factor - either another email, a phone, backup codes or 2-factor authenticator apps.

If Google/Nest isn't doing this - then, part of the blame lies with them. These basic, obvious, common sense security/password practices you know are breaking news to "NORMAL" people.

Well, maybe given that this is a security product Google should require rather than just encourage MFA.

In that sense Google could make the security stronger for their customers but chooses to make it easier to install and use for the majority.

Getting downvoted for this, but consider this: they require a password for security purposes, why don't they require MFA? Why is this not a requirement for this product or all their products? It's a barrier to entry, and an ease-of-use thing, which means it's a product decision to not require stronger authentication on this or all their products.

Google needs to do incident response on this. And get law enforcement involved.

Would it be possible to do something like this:

1. User initially creates login and password for Nest device

2. Before Nest accepts your password, it checks HaveIBeenPwned.com to see if that password has already been used before for this email address. If so, the password is rejected.

It's not only possible to do this, but should be expected for any security product. Nest is equally at fault here for allowing a user to use a known-breached password.

The whole reason (most) users buy security products is because they don't think like criminals in the first place.

I wonder if Google execs are regretting the original "don't be evil" slogan yet.

I wouldn't drop a slogan that forces attacks of convulsive laughter (like “don't be evil” does coming from Google). There is no such thing as bad publicity.

I don't think so. When I joined Google a long time ago I really believed that they are honest.

They were actually very different from other companies at that point in time.

It's just harder to be not evil when margins are shrinking.

Why? It's not like it has guided them for a long time, but still provides a useful distraction for the naive.

They dropped it a long time ago.

I realize they dropped it but it's not stopping everyone from referencing it every time there's negative publicity.

On top of having to fail password/2FA security basics for your kid to be subjected to this you have to:

- Have both parents decide the child is not a high enough priority for one of them to stay home

- Decide it's too much hassle to take the kid to a professional style day care where there are multiple adults watching each other to make sure none of the adults are badly behaved with the kids

- Also too much of a hassle to go to a home day care where less professional adults could watch the kid, but at least there are more than one of them working there in case one of them starts to mistreat the kids

- Hire a nanny, but not trust the nanny, cause sometimes nannies are badly behaved too

- Decide you trust the IoT company more than the nanny or any of the above

First world 1%er problem for sure.

I hate to break it to you, but nannies and nest cams do not automatically place anyone in the 1%, or 10%, or 50%.
