That’s right, I was hacked…. well kinda, but it sure as hell felt like it!
I woke up at 3:20AM to someones voice..
That title of this section is the truth; I woke up a little after 3:00AM to someone elses voice in my house. I was alarmed, freaked out, but had a pretty good idea as to what it was. First off, a little backstory to help you explain.
When my kids were born, I needed to get baby cameras for their bedrooms. I didn’t want to be limited by just sound, crappy video, or limited by the range of a lot of the cameras on the market at the time. Instead of a conventional baby cam, I opted for a NEST camera. For the last three and a half years leading up to this point, everything has been fine! That was until last night when I woke up to voices, talking and the dings the NEST makes when you speak into the camera. I woke up and stopped just outside of my daughters bedroom door and just listened in disbelief as the NEST in my three year old daughters bedroom was taken over by a group of people somewhere else in the world. I distinctly remember hearing, “We’ve got a live feed”. This was just before I walked in, stood in front of the camera with my arms up followed by them freaking out and laughing over the camera. I unplugged the camera to restart it and then went on my way back into my bedroom to start mediating the situation.
We got the warnings.
Working in enterprise IT, I knew better. I’ve been going through all of my accounts, hardening them by using stronger passwords and two factor authentication. Unfortunately, I missed this one, and even though I would receive an annoying message telling me to enable two factor every time I would log in, I would just swipe it away and go on with my day.
It's my fault, honestly.
There is a reason the NIST standards specify a maximum password age and minimum password complexity. There is also a reason two factor authentication is a thing. Remembering back to the basics, something you know and something you have… ie, two factor authentication. All I had to do was pay attention to any number of the notifications I’d swipe out of the way and all of this would have been null and void, but alas, I was lazy and kept putting it aside.
So what actually happened?
Ok, back to the story. I woke up around 3:00 to voices in my daughters room and the dings the Nest cameras make when you speak into them. I waited outside of her room to try and gather “Evidence” as to who this was and what their motive was. To my dismay, I have no clue who they are, and no clue what their reasoning was, but that’s not because I didn’t try. Moving on…
After a minute or two I went into the room and stood in front of the camera with my arms up. I immediately heard them start laughing. I subsequently unplugged the camera to restart it and disconnect them, if not just for a few seconds. I did the same in my sons bedroom before grabbing my laptop to see the damage.
I immediately logged into my email and my nest account, first changing my password of the account. Once again, to my disbelief, they had changed the email address on the account during my active session. Because of this, after I changed the password they immediately changed it and locked me out completely from my own cameras. One note on this – Nest, this is great security if an active cookie can keep the session live even after all of the credentials are changed…. Sure they were my credentials that were changed,but I still had full access even after being locked out… lol. On another note, I never received an email at any point when the associated email account was changed, or the password was altered. Once again, great security.
Once I was locked out of the account I knew it was game over and disconnected my homes internet at the source(Read modem). I then hopped on my hotspot and contacted NEST support who have since started an investigation and have deleted my original account, granting me access to my cameras again.
What did I learn?
Well, I didn’t really learn anything other than NEST has terrible security. Sure, I could have configured two factor authentication and prevented all of this(I absolutely learned not to be lazy next time), but the fact that I received no notification of a password change, let alone an email change, is unheard of in today’s day in age, but I digress. Next time I won’t just swipe away the notification to enable a security feature, I’ll actually do it.
To the idiots that thought it was funny to play “Baby Shark” in the bedroom of a 3 year old while she sleeps, I hope you get what’s coming to you.
Know I have a very special set of skills that I’ve acquired over the last 15 years working in IT for various organizations. These are skills that grant me very specific ways of dealing with individuals that think they can bully and harass innocent people (Let along children) online.