Spooked by a speaking security camera? Polite hacker tells owner how to fix his IoT security

If it was late at night and you were out in your back yard, and you heard an unknown voice coming from inside your house – how would you feel?

My guess is that you would feel pretty spooked, especially if you knew there was no-one in your house.

Well, just a few weeks ago that’s what happened to Phoenix real estate agent Andy Gregg. And his initial petrified thought was that he had an intruder in his home.

The truth was that he did have a type of intruder – but not one who had physically entered his home. You see, the person who had broken into Gregg’s home was a Canadian hacker, whose voice was being broadcast through a Nest security camera.

Gregg had the quick wits to record what happened next on his smartphone, and described his experience to the Arizona Republic.

The “white hat” hacker, who claimed to be part of a group calling itself the “Anonymous Calgary Mindhive”, said it hadn’t been hard for him to hijack control of Gregg’s Nest security camera.

But, claimed the unnamed hacker’s disembodied voice, his intention wasn’t to spy, steal, or instil fear:

“We don’t have any malicious intent, but I’m just here to kind of let you know so that no one else, like any black-hat hackers, follow. There are so many malicious things somebody could do with this.”

Gregg had made the mistake of using the same password to “secure” his IoT camera as he had used for online accounts. Like so many others, Gregg hadn’t recognised the danger of reusing login credentials, and when a breach occurred at an online site, his login and password were leaked into the public domain.

And whereas many maliciously-minded hackers might have used the details to break into Gregg’s email account, seize control of his Facebook profile, or order goods on Amazon, this particular intruder used the details to log into Gregg’s camera instead.

Gregg’s camera would most likely not have been compromised if he had taken the sensible step of using a unique, hard-to-crack password or had enabled two-step verification (2SV) on his Nest app.

For years security experts have advocated that users should enable 2SV or two-factor authentication on their online accounts, and that advice is just as wise for IoT devices.

With an additional level of authentication in place, it should be much harder for hackers to gain access to your internet-enabled devices – even if they have managed to gain access to your password.

Gregg told the Arizona Republic that he has taken the polite Canadian hacker’s advice to heart, changed his passwords, and unplugged the camera.

But, as a real estate agent, Gregg has given IoT cameras to his clients as gifts in the past. He wonders how many of them may have set them up as insecurely as he did:

“I have a ton of clients in real estate that use these things to watch their kids. They’ll watch their living rooms, they’ll keep them all over the house for their protection. But these hackers can go in there, and if they can watch your kids while they’re sleeping or changing, just think of what they can do with that.”

Smart devices and IoT gadgets appeal to the geek in all of us, and can make our lives run more smoothly – but we all need to be careful to follow best practices to ensure that they don’t bring unwelcome visitors into our homes.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Filip Truta.