
Explaining The “Nest System Hacked” Click-bait Headlines

UPDATE: Since writing this, I have moved from using KeePass to manage my passwords to 1Password and I cannot recommend it enough. While KeePass is still a great free option, 1Password offers app integration across platforms and allows super easy access for logging in to both apps and sites, especially on mobile. On my Pixel 2, with just a couple of taps and a fingerprint scan, I can log in quickly and securely to most apps and websites. It also offers the ability to store secure notes and will let you know where you have reused passwords and where you can enable two-factor authentication.

As you’ve probably seen, a couple of days ago many articles around the web reported that Nest cameras had been “hacked” and portrayed this as a massive issue. The truth is that there was no breach of the Nest system and no major or significant hack. The “hack” was simply an exploitation of what would be considered poor security practices on the part of the user. No, I’m not trying to blame the user; the hacker is still the guilty party. I just want to give an accurate explanation of the exploit.

The “hack” that occurred is referred to as a recycled password or recycled credentials exploit. This method in no way breached the Nest environment; it only impacted users whose credentials were already compromised. How were their credentials compromised? A recycled password exploit works like this: a user’s credentials (username/email and password) are exposed from one site or service and are then used to access another, separate site or service, because the user reused (or “recycled”) those same credentials on the other site. For example, say a bank has a data breach and the hackers access the credentials of some of the bank’s users. Afterwards, there’s a good chance the hackers behind that breach will sell or post those exposed credentials online. Another person can then take those posted credentials and attempt to use them on other sites and services. A script can be set up to automatically run through the credentials, try every one of them on a site, and see if any work. This process subverts most security because it isn’t an attempt to access a single account with multiple password tries (like a brute force password attack), where security restrictions would most likely lock the account. This method is a one-shot attempt on every account in the list. If the username/password combo doesn’t work, the script moves on to the next one, so each account only sees one attempt and the activity doesn’t always look suspicious. This is the extent of what happened to some Nest users: they recycled credentials from another service that had apparently been compromised at some point.
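Because each account sees only one attempt, per-account lockouts never fire; what does stand out is one source trying many different accounts once each. The detection logic below is an added example (not code from the original post) that separates that pattern, usually called credential stuffing, from a classic brute force against a single account. The log format, IP addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log (not real data): "<ISO time> <src_ip> <user> <result>".
# 203.0.113.7 tries six different accounts once each (credential stuffing,
# with one hit on carol); 198.51.100.9 hammers alice (classic brute force).
SAMPLE_LOG = "\n".join(
    [f"2019-01-25T10:00:0{i} 203.0.113.7 {u} {'LOGIN_OK' if u == 'carol' else 'LOGIN_FAIL'}"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2019-01-25T10:01:0{i} 198.51.100.9 alice LOGIN_FAIL" for i in range(6)]
    + ["2019-01-25T10:05:00 192.0.2.44 alice LOGIN_OK"])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_log(text):
    """Parse log lines into (time, src_ip, user, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return sorted(events)

def classify_sources(events, window=timedelta(minutes=5), threshold=6):
    """Label a source IP once it makes `threshold` attempts inside `window`."""
    recent = defaultdict(deque)  # ip -> attempts still inside the sliding window
    verdicts = {}
    for ev in events:
        t, ip = ev[0], ev[1]
        q = recent[ip]
        q.append(ev)
        while q and t - q[0][0] > window:
            q.popleft()
        if len(q) < threshold or ip in verdicts:
            continue
        distinct = len({e[2] for e in q})
        if distinct >= 0.8 * len(q):
            # Many accounts, about one try each: per-account lockout never fires.
            verdicts[ip] = "credential_stuffing"
        elif distinct == 1:
            verdicts[ip] = "brute_force"  # one account, many tries: lockout territory
    return verdicts

def stuffed_successes(events, verdicts):
    """Accounts that logged in successfully from a source flagged as stuffing."""
    return sorted({e[2] for e in events if e[3] and verdicts.get(e[1]) == "credential_stuffing"})
```

Accounts returned by `stuffed_successes` are the ones whose reused password worked and that should be forced through a reset.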

What Can You Do?

First, enable two-factor authentication on ALL THE THINGS.

But seriously, enable two-factor on any service you use that supports it. Nest supports two-factor and it’s super simple to enable. Just do the following:

  1. From your browser, log in to https://home.nest.com/
  2. Click your profile picture in the top right and then click settings.
  3. In the settings window that pops up, scroll to 2-step verification and toggle the switch to On.
  4. You will be prompted to input your cell phone number, enter it and you will be texted a 6-digit code.
  5. Enter the 6-digit code you received and you are finished.

Two-factor is available on many services, with more and more services continuing to implement it. PC Mag has a great article that covers setting up two-factor on 34 different services; you can check it out here. The article is from almost a year ago, so some of the instructions may not be 100% accurate, but it’s a great place to start.

What About Services Without Two-Factor?

The best approach for services without two-factor is to use a variety of long passwords and ensure you are using a different username/password combo for each service. Most of us won’t be able to remember all of those credentials, which is why it is highly recommended to use a password manager. Personally, I use KeePass, but managers such as LastPass and 1Password are well-reviewed and widely recommended. They also offer password syncing to all your devices, while KeePass is stored locally and not synced.

As for what standards you should use for your passwords, there is a general rule: Length > Complexity. You’ve probably seen the requirements on most sites that read something similar to “8 characters in length including at least one capital letter and one number”; they might even include a list of required symbols. The problem is that a password meeting those standards can be cracked in less than a day. There is a great web comic at xkcd.com that illustrates the issue:

Granted, the comic gave an example password that would be susceptible to a dictionary attack, given that it is a combination of common words, but the point was to illustrate that just because you’d consider a password “complex” doesn’t mean it is secure. Length adds more to the difficulty of cracking a password, and adding some slight complexity will improve it even more. For example, take the password given in the comic, “correcthorsebatterystaple”, and make a few tweaks to meet the typical password policy, and you could have something like “Correct1horsebatterystaple?” Now you’ve got the length to complicate a brute force hack and enough complexity to complicate a dictionary-based hack.
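To put numbers on the Length > Complexity rule, the added example below (not from the original post) estimates the search space an attacker faces under two models: plain brute force over the character classes the password uses, and the dictionary model from the comic, where the attacker knows the password is a few words from a list of 2048 common words. The sample passwords, the 2048-word dictionary size and the guess rate are assumptions made for the example.

```python
import math
import string

# Character classes an attacker would assume from looking at the password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def brute_force_bits(pw):
    """Search-space bits if the attacker knows only length and charset."""
    charset = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    return len(pw) * math.log2(charset)

def wordlist_bits(n_words, dictionary=2048, extra_choices=1):
    """Search-space bits if the attacker guesses n_words words from a dictionary
    (2048 words = 11 bits each, as in the comic), times any tweak choices
    they must also enumerate (which word is capitalised, where a digit or
    symbol was inserted, and so on)."""
    return n_words * math.log2(dictionary) + math.log2(extra_choices)

def crack_seconds(bits, guesses_per_second):
    """Expected time to hit the password, i.e. after half the space."""
    return 2 ** (bits - 1) / guesses_per_second

def compare(rate=1e10):
    """Constructed comparison at an assumed offline cracking rate (guesses/s).
    Returns name -> (bits under the attacker's best model, seconds)."""
    cases = {
        # policy-minimum password: 8 chars, one capital, one digit (constructed)
        "Passw0rd": brute_force_bits("Passw0rd"),
        # the comic's passphrase: brute force looks huge, the word model does not
        "correcthorsebatterystaple (brute)": brute_force_bits("correcthorsebatterystaple"),
        "correcthorsebatterystaple (4 words)": wordlist_bits(4),
        # the tweaked version: 4 words, plus assumed tweak choices the attacker
        # must enumerate: 4 capitalisation spots x 50 digit placements x 165 symbol
        # placements (10 digits / 33 symbols in one of 5 gaps), ~33,000 variants
        "Correct1horsebatterystaple? (brute)": brute_force_bits("Correct1horsebatterystaple?"),
        "Correct1horsebatterystaple? (4 words + tweaks)": wordlist_bits(4, extra_choices=4 * 50 * 165),
    }
    return {name: (round(bits, 1), round(crack_seconds(bits, rate), 1))
            for name, bits in cases.items()}
```

Under the word model the bare passphrase falls in minutes at the assumed rate, which is the dictionary weakness the paragraph concedes; the tweaked version multiplies the attacker's work by the number of variants they must try, while its brute-force space is far beyond the 8-character policy password.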

How Do I Know If I’m Compromised?

First, if you read or hear about a company you have an account with being breached, go ahead and change your password with that site. If you are using different passwords for each site, then you’ll only need to change that one; otherwise you’ll need to change your password wherever that password is used. As for seeing if your information is already out there, haveibeenpwned.com is a great resource. Simply enter the email or username you want to check and it will search its database of breach information. If your information has been exposed, you’ll see something like this:

The listed breach or breaches give you basic information about the breach and when it occurred, and also tell you what data was compromised (i.e. usernames, email addresses, passwords, home addresses, etc.). The service also allows you to sign up to be notified if your information appears in any future breaches. If you find out your information was exposed, obviously the first thing you want to do is change your password on the site that was breached. Next, you want to make sure you are not using that username and password combination on any other sites, and I would recommend making sure the compromised password was not being used anywhere at all. Remember, these breaches usually reveal more information than just the username and password, and there could be an additional email address or personal information exposed that could lead to a match on another site.

Takeaways

  • Enable two-factor wherever possible.
  • Never reuse username/passwords on different services.
  • Use long, slightly complex passwords. (Length > Complexity)
  • Use a password manager to keep track of all your different credentials.

Also, don’t fall prey to the over-reaction from sensational headlines regarding hacks. Many of the headlines are there to generate clicks and when you slow down and read the articles most of the time you’ll find the issue is highly overblown. That being said, don’t be lax in your own security.
