The voice from our Nest camera threatened to steal our baby

194 points| Balgair | 6 years ago |siliconvalley.com

163 comments

[+] jimrandomh|6 years ago|reply
A lot of comments here are blaming the user for using the same username/password on multiple sites, allowing their account to be compromised. This is missing the point.

Nest cameras are a security product aimed at non-technical users, so of course this happens frequently, and of course this was foreseeable at the very earliest design stages. The designers needed to come up with a solution to this problem, and blaming the user is not an acceptable excuse.

The solution is actually pretty easy: require a pairing procedure that can't be done remotely. For example, the Nest app on a phone could display a QR code with its public key fingerprint, which you show to a camera, and the camera will only send video to phones it's been paired with. That would pretty much completely eliminate this failure mode.
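
Added example, not part of the thread and not Nest's protocol: a sketch of the pairing idea in the comment above, where the camera learns a phone's key fingerprint only through its lens and then requires a signature over a fresh nonce. The `Camera` class, its method names and the Ed25519/SHA-256 choices are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// What the QR code would carry: SHA-256 over the phone's DER-encoded public key.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

class Camera {                       // hypothetical device model
  constructor() {
    this.paired = new Set();         // fingerprints seen through the lens
    this.pending = new Set();        // nonces issued and not yet used
  }
  scanQr(fp) { this.paired.add(fp); }          // reachable only with physical access
  newChallenge() {
    const nonce = crypto.randomBytes(32);
    this.pending.add(nonce.toString("hex"));
    return nonce;
  }
  // A correct account password is necessary but never sufficient.
  authorizeStream({ passwordOk, publicKey, nonce, signature }) {
    if (!this.pending.delete(nonce.toString("hex"))) return "deny: stale or replayed nonce";
    if (!passwordOk) return "deny: bad account credentials";
    if (!this.paired.has(fingerprint(publicKey))) return "deny: device not paired";
    if (!crypto.verify(null, nonce, publicKey, signature)) return "deny: bad signature";
    return "allow";
  }
}

// Build a stream request: fetch a nonce and sign it with the given private key.
function request(camera, keys, signingKey = keys.privateKey) {
  const nonce = camera.newChallenge();
  const signature = crypto.sign(null, nonce, signingKey);
  return { passwordOk: true, publicKey: keys.publicKey, nonce, signature };
}

function demo() {
  const camera = new Camera();
  const owner = crypto.generateKeyPairSync("ed25519");
  const stranger = crypto.generateKeyPairSync("ed25519"); // knows the reused password only
  camera.scanQr(fingerprint(owner.publicKey));

  const good = request(camera, owner);
  return {
    owner: camera.authorizeStream(good),
    replay: camera.authorizeStream(good),                  // same nonce presented again
    strangerOwnKey: camera.authorizeStream(request(camera, stranger)),
    strangerSpoofedKey: camera.authorizeStream(
      request(camera, { publicKey: owner.publicKey }, stranger.privateKey)),
  };
}

console.log(demo());
```

Every request in the demo carries a valid account password; only the one signed by the physically paired key is allowed.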

[+] gduffy|6 years ago|reply
Former co-founder & CEO of Dropcam (Nest cam) here.

There's no way to say this humbly, but imo stuff like this is the reason that companies lose their way when they lose an empowered "buck stops here" product-oriented CEO with enough engineering chops to modulate product decisions.

I had an endless to-do list of improvements, including security enhancements like the one you suggest (but done in a way that would not impair usability, like anything with QR codes :-)).

The problem is, a string of well-meaning but amazingly risk-averse managers came in and killed the soul of the company by introducing enough bureaucracy that the team and I no longer cared to bang our heads against brick walls anymore.

If the leadership doesn't a) understand product, b) understand business, c) know/respect good engineering, or d) have "fuck you, we're doing this" authority ... it will fail in spectacular ways through a series of seemingly good short-term decisions, it's just a matter of time.

Combine product, business, engineering, and authority to lead, sprinkle in some ethics and respect for your customers/employees, and baby you've got a stew going.

This whole privacy mess in home & so-called "IoT" is a result of people who don't even know what would be required to operate ethically with such powerful technology in the first place. I believe they are mostly good people, they just don't have the mindset or philosophy to know what to do. It kinda makes me misty-eyed. They know where to find me if it sounds like some of this could help... I'd be happy to try and get the band back together again.

[+] burnte|6 years ago|reply
> A lot of comments here are blaming the user for using the same username/password on multiple sites, allowing their account to be compromised. This is missing the point.

I disagree. This is the equivalent of blaming car manufacturers in the 70s for stolen cars when people left the keys in the cars. This is 2019. We've had PINs and passwords for decades. At some point people have to take responsibility for their own lives, their own property, and their own safety and take some things seriously. Nest and other companies can only do so much when the users keep doing stupid things like "password" for their password.

If you leave your front door unlocked when you go on vacation, yes, the crook should be jailed, but you should lock the darn door.

[+] flr03|6 years ago|reply
I agree. Manufacturers want people to believe that their products are as safe as possible, we tech users know what it takes. The fact that "normal" users are unaware of the risks and not guided into securing their system is on the manufacturer.
[+] pat2man|6 years ago|reply
Sort of like the HomeKit pairing requirements...
[+] jb775|6 years ago|reply
I wouldn't say their response "misses the point", I'd say it's a lazy response and they don't care (or have enough financial motivation) to dive deeper into the underlying cause of the problem.

I really like your idea of a physical pairing procedure. It's not a large price to pay for dramatically increased privacy. Some other possible partial-solutions I initially thought of:

1.) Don't allow users to create their own password. Generate a strong password for them, and only show it to them once upon password creation/change. (like how API secret keys are often only displayed once upon creation) --- this would eliminate the "same password on multiple sites" issue

2.) Require a device whitelist where some type of fingerprinting/calibrating is done upon initial login by each device added to the list.

3.) Geofence logins to a pre-specified radius surrounding the camera location. E.g. if the parents work < 10 miles from home, they can set up a radius of 10 miles and understand that if they travel further than 10 miles away from home they won't be allowed access. --- this would be hackable, but would at least add another layer of protection.

[+] mastre_|6 years ago|reply
> The solution is actually pretty easy: require a pairing procedure that can't be done remotely. For example, the Nest app on a phone could display a QR code with its public key fingerprint, which you show to a camera, and the camera will only send video to phones it's been paired with. That would pretty much completely eliminate this failure mode.

This is how Tesla pairs a new phone to work as a key -- you need to have one of the two RFID key cards that come with the car present, and be inside the car with the new phone. You pair _that particular device_ and then authorize it with the RFID card. Simply having the login to the app/account is not enough, and from the car itself you can always remove a paired phone.

A key for a car frames the problem in much clearer terms and Tesla engineered a secure solution. It is unfortunate this isn't done for other things where security is equally important.

[+] freeflight|6 years ago|reply
> A lot of comments here are blaming the user for using the same username/password on multiple sites, allowing their account to be compromised. This is missing the point.

Omitting the lack of 2FA is missing an even more important point because it's cases like this why 2FA is pretty much mandatory today.

But instead of using already available solutions, you want to reinvent the wheel with "a pairing procedure". Gee, that sounds awfully familiar to what 2FA does, which also would have completely eliminated this failure mode, if the user would have bothered to actually use it.

In that context, I really don't see what Google could do differently with Nest. If users don't use additional security, then you can add all the additional security you want.

[+] hinkley|6 years ago|reply
It never ceased to amaze me that the Blizzard game I used to play had better security than my brokerage.

We just aren't trying that hard.

[+] wrs|6 years ago|reply
So every time you add a camera, everyone in the family/workplace has to go find it and physically pair every one of their devices with it? That doesn’t sound workable.
[+] rjkennedy98|6 years ago|reply
I had the same response from Google when my mom got hacked and she paid off hackers $6000 in Google Play cards. Why does Google allow people to be scammed via their gift cards when they could easily fix this by putting in basic checks? Crickets.

It's easy to say 'my mom should know better', but like most users in the world she is not technical. She grew up on a farm, how is she supposed to understand this stuff. It should be on these companies that make enormous profits to protect all users. This includes users who are not technical.

[+] driverdan|6 years ago|reply
> She grew up on a farm, how is she supposed to understand this stuff.

I'm sure it wasn't your intention but that's quite insulting. Just because someone didn't grow up with technology doesn't mean they can't learn and understand it. Farmers especially since they're very DIY and resourceful.

[+] markstos|6 years ago|reply
I grew up on a farm. We lived in a barn at first. I know this stuff.

I hope you helped your mom set up 2FA after that.

What basic checks would you recommend to Google on top of offering a robust 2FA solution?

[+] infinitezest|6 years ago|reply
> It is not evil to bring a product to market before the privacy has been completely figured out, but it is evil to let someone threaten to kidnap an 18-month-old and have no real response.

I have to disagree with the first part here. Privacy is a pretty central (and I would say _obvious_) concern, especially given the function of this particular product. I get that some people care less about privacy than others but the fact that this tech is being misused like this doesn't seem surprising to me at all.

[+] not_a_cop75|6 years ago|reply
True. Otherwise the "Internet of Things" becomes the "Botnet of Things" as time has already shown. However, once a botnet is used for sex trafficking, it's sure to be taken much more seriously.
[+] freeflight|6 years ago|reply
Why are so many people here trying to reinvent the wheel? We already invented the wheel that fixes this particular problem, it's called 2FA.

If users decide not to use it, then there's nobody to blame but them.

Thinking up ever more complex schemes, to offload all the responsibility on the services, won't solve any of this.

At the end of the day user error overrides it all and massive database breaches even affect those that should know how to properly secure their stuff [0].

2FA is not perfect, it's not convenient but it's one of the last remaining effective defenses when massive breaches have become so normalized that known pwned accounts outnumber people alive on the planet [1].

[0] https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-...

[1] https://haveibeenpwned.com/

[+] rvnx|6 years ago|reply
Or just that current users get a confirmation prompt to allow a new device? (like on Authy)

Likely safer than SMS 2FA as well.
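
Added example, not part of the thread and not Nest's or Authy's code: a sketch of the new-device confirmation prompt suggested above, showing that a correct but leaked password from an unknown device only produces a pending request that an already-trusted device must approve. `AccountService`, the device ID strings and the account data are constructed; a real service would bind device identity to a device-held credential instead of a plain string.

```javascript
const crypto = require("crypto");

class AccountService {               // hypothetical login service
  constructor() {
    this.users = new Map();          // email -> { salt, hash, trusted: Set of device IDs }
    this.pending = new Map();        // requestId -> { email, deviceId }
    this.prompts = [];               // prompts pushed to already-trusted devices
  }
  register(email, password, firstDeviceId) {
    const salt = crypto.randomBytes(16);
    const hash = crypto.scryptSync(password, salt, 32);
    this.users.set(email, { salt, hash, trusted: new Set([firstDeviceId]) });
  }
  login(email, password, deviceId) {
    const user = this.users.get(email);
    if (!user) return { status: "denied" };
    const candidate = crypto.scryptSync(password, user.salt, 32);
    if (!crypto.timingSafeEqual(candidate, user.hash)) return { status: "denied" };
    if (user.trusted.has(deviceId)) return { status: "ok" };
    // Right password, unknown device: hold the session and ask a trusted device.
    const requestId = crypto.randomBytes(16).toString("hex");
    this.pending.set(requestId, { email, deviceId });
    this.prompts.push({ email, requestId, deviceId });
    return { status: "pending", requestId };
  }
  // Only a device that is already trusted for the account may answer a prompt.
  respond(requestId, fromDeviceId, approve) {
    const req = this.pending.get(requestId);
    if (!req) return "unknown request";
    const user = this.users.get(req.email);
    if (!user.trusted.has(fromDeviceId)) return "ignored: responder not trusted";
    this.pending.delete(requestId);
    if (approve) user.trusted.add(req.deviceId);
    return approve ? "approved" : "rejected";
  }
}

function demo() {
  const svc = new AccountService();
  // Constructed sample data: this password is assumed to appear in a breach dump.
  svc.register("parent@example.test", "hunter2-reused", "parents-phone");

  const stuffed = svc.login("parent@example.test", "hunter2-reused", "unknown-laptop");
  const selfApprove = svc.respond(stuffed.requestId, "unknown-laptop", true);
  const ownerSays = svc.respond(stuffed.requestId, "parents-phone", false);
  const retry = svc.login("parent@example.test", "hunter2-reused", "unknown-laptop");

  const tablet = svc.login("parent@example.test", "hunter2-reused", "family-tablet");
  svc.respond(tablet.requestId, "parents-phone", true);
  const tabletAgain = svc.login("parent@example.test", "hunter2-reused", "family-tablet");

  return { stuffed: stuffed.status, selfApprove, ownerSays,
           retry: retry.status, tabletAgain: tabletAgain.status, prompts: svc.prompts.length };
}

console.log(demo());
```

Each prompt recorded in `prompts` doubles as the new-device alert: the owner sees the login attempt even when it is rejected.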

[+] thorwasdfasdf|6 years ago|reply
Or how about just don't re-use passwords across accounts. If they had used a unique password they would've been fine right? I don't understand what users want Google to do: it's the house equivalent of taking your key and leaving it at the grocery store.
[+] TheRealWatson|6 years ago|reply
Let's not blame the victim. The general consumer does not buy a device assuming it's ripe for hacking and that they have to take extra steps to configure it more securely.

It's the manufacturer's fault to allow the weak configuration in the first place.

[+] Cpoll|6 years ago|reply
> Essentially, an email and a password are compromised somewhere across the internet. They join millions of other email addresses and passwords, which are then cross-referenced with other websites, including Nest.

This doesn't sound like a Nest vulnerability? Does Nest offer MFA?

[+] _Microft|6 years ago|reply
People reusing passwords and email addresses is a known problem and not rare at all. So deal with it, i.e. you need to make sure that your service can not be affected by a simple leak. Not doing so means putting the security of your users and their experience with your product into the hands of other people (everyone who knows the email and password combination of your user).

Ideally, being susceptible to a leaked password-email-combination should be considered gross negligence.

[+] _bxg1|6 years ago|reply
Yeah, I clicked this assuming (with a bit of surprise) that Google's IoT device security is as paper-thin as all the rest, but this was 100% user error. I don't know what he expects Google to do about it.
[+] ollie87|6 years ago|reply
Yeah, this has absolutely nothing to do with Nest and everything to do with people using the same passwords for different sites.
[+] AdamJacobMuller|6 years ago|reply
They offer MFA, only via SMS.

Not perfect, but, it's decent.

I still use it and will continue to do so until someone releases a better ecosystem.

Right now I get an alert on my phone if someone rings the bell, or leaves/removes a package. Plus with facial recognition I get alerts which include the person's name for common visitors (via facial recognition) and will announce visitors via a set of google home minis. Nest will alert my phone if the smoke detector sees smoke or CO. I'm obviously quite "all in" on their ecosystem.

I also will note I have an elderly relative at home as well as 3 dogs and we are not there most days so the ability to see what's going on at home and potentially take action like calling the police/fire/EMS is extremely valuable to me.

[+] sco1|6 years ago|reply
> Does Nest offer MFA?

I don't remember what Nest used before being bought by Google (I believe SMS MFA was available), but they're transitioning accounts to sign in with your Google account.

[+] linsomniac|6 years ago|reply
I've gone "all in" on turning on MFA, preferring TOTP when possible, over the last ~6 months.

A surprising number of sites that really should do not offer any MFA. Like bank accounts, credit cards, investing accounts, payroll, cars...

My money may not be safe, but at least my github commits are!

[+] _iyig|6 years ago|reply
Yes, Nest has offered MFA for years. The blame for this incident falls squarely on the user, who reused the same (weak?) password across multiple websites without enabling MFA.
[+] NinoScript|6 years ago|reply
IMO, the device should require MFA to be configured before working, using it without one should be left at most as an “advanced setting”.
[+] whoisjuan|6 years ago|reply
Well, this is a case of stolen credentials...but the behavior behind this is just a sample of how fucked is this world. Who in their right mind enjoys distressing others in that way? I try to convince myself that there's hope for the world but when I hear about this type of thing I lose that hope. There are legit evil people in this world.
[+] dwild|6 years ago|reply
> There are legit evil people in this world.

There are 8 billion people in the world. There are all kinds of them.

The common ones aren't interesting, they are common, they aren't the ones that we want to talk about. Thus what you see are only the best or the worst.

Please don't lose hope because of that.

[+] keiferski|6 years ago|reply
If you leave your front door unlocked and someone robs your house, is it the door manufacturer’s fault? Genuine question, it is interesting that one product has certain expectations while another doesn’t.
[+] defen|6 years ago|reply
People generally have an intuitive understanding of the security properties of doors. On the other hand, my mid-70s in-laws still have not internalized the idea that the threat model for bad / reused passwords is not "some guy sitting at a computer randomly trying passwords". A better example for the door analogy would be that you leave it unlocked so you can grab something out of the car in your driveway, and by the time you get back someone from Russia has taken all your stuff.
[+] 4ntonius8lock|6 years ago|reply
Exactly my thought. All this anger is so weird to me.

I think the super angry response we are seeing is a result of the authoritarian lean of our current times.

It's like the concept of freedom IMPLYING responsibility has been completely done away with. The operating concept is: adult consumers are children, and need to be protected.

[+] lawn|6 years ago|reply
A better analogy would be buying a door that might unlock at a random time during the night, if you didn't use the right motion when you locked it.
[+] nkrisc|6 years ago|reply
How could Google have prevented this except by requiring MFA? Even that isn't guaranteed to prevent 100%.

I'm no Google apologist, just a pragmatist.

[+] danielovichdk|6 years ago|reply
Who would ever in their wildest dreams have devices from a huge data collections company, watching and listening in your home?

It's beyond unintelligent, if you really think about it.

[+] dylan604|6 years ago|reply
Sure, to the average HN user, if even that. As a thought experiment, you know the inner-workings of G. Take one step back, and consider if your parents have that same understanding. Sure, you may have talked about it with them at dinner once/twice/often, but do they really understand it? Now, multiply that by the greater majority of people that have no-tech understanding nor friends/family to enlighten them. To them tech might as well be magic. Everything is "push a button, get a prize" mentality for end-user tech now.
[+] vezycash|6 years ago|reply
You read HN. So you're one of the few people on this planet who have even heard of the term "huge data collections company" much less have an opinion about it.

In the mind of the populace, I think Google might stay in the same brain spot reserved for Father Christmas. I would have suggested a massive privacy awareness campaign but I doubt it'll work - especially when it comes at the cost of convenience.

[+] giarc|6 years ago|reply
CanadaPost is resetting all user passwords now due to a similar breach [1].

"The cause appears to be that login and password credentials stolen in external privacy breaches unrelated to Canada Post were used to access individual Canada Post accounts. This is possible when users reuse their credentials on several websites to avoid having to remember different passwords."

I'm not sure how they plan to prevent users from just reusing another password, however perhaps this education will help.

1. https://www.canadapost.ca/cpc/en/our-company/news-and-media/...

[+] miguelmota|6 years ago|reply
> In every email, they remind me of two-step authentication. They act as if I am going to continue to use Nest cameras.

Well, isn't that exactly what the customer support team is supposed to do? They'd be a terrible customer support representative if they didn't encourage good security practices and didn't try to maintain customer relationships.

Not having 2FA is unacceptable in 2019. The best form of security is a combination of these 3 things:

- "Something you know" — Password, security questions, personal information, etc.

- "Something you have" — Security key (Yubikey, Smartcard, Ledger Nano, etc.), software key (HOTP/TOTP), ̶S̶M̶S̶, email, etc.

- "Something you are" — Biometrics (Touch ID, Face ID, etc.)

[+] hartator|6 years ago|reply
> it was the user’s fault for using a compromised password and not implementing two-step authentication

Very low technical skill for someone writing for a website called siliconvalley.com.

[+] Xyik|6 years ago|reply
It's in Google / Nest's best interest to put in commonplace security measures like MFA or notifications like detecting an unknown device accessing the camera. If I'm paying this much $ for a product, I don't want to have to deal with having to understand the 100 different ways it could be compromised and having to deal with that.
[+] jakobegger|6 years ago|reply
Many services send you an email when someone logs in from a new device. Does Nest not do that?
[+] sashavingardt2|6 years ago|reply
Perhaps I'm silly but wasn't it obvious that things like that would happen with Nest, Alexa and the like when devices like these first came out?
[+] _57jb|6 years ago|reply
Putting it on the company to stop you from not doing things that make you prone to the most common and low-barrier password stuffing attacks?

People reusing passwords is risky and frankly stupid behavior.

The same way you are responsible for your financial identity and can be taken to court over these disputes, you are also responsible for your cyber identity.

The longer you avoid being held responsible, the worse the pain will be.