Hacked Nest Cam convinces family that US is being attacked by North Korea

Nest says its systems weren’t breached.

Richard Nieva Former senior reporter
Richard Nieva was a senior reporter for CNET News, focusing on Google and Yahoo. He previously worked for PandoDaily and Fortune Magazine, and his writing has appeared in The New York Times, on CNNMoney.com and on CJR.org.
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Richard Nieva
Laura Hautala
3 min read

A woman said a hacker used her Nest Cam for a hoax. 

Stephen Shankland/CNET

A woman living in the Bay Area says she got a hoax warning last weekend that the US was under nuclear attack. The warning came from an unlikely place: her Nest Cam.

Laura Lyons of Orinda, California told the San Jose Mercury News that her smart home security camera was infiltrated after it said on Sunday that three North Korean missiles were headed to Los Angeles, Chicago and Ohio. The warning was preceded by a blaring alarm, Lyons told the newspaper.

The message said the US was retaliating and affected areas had three hours to evacuate, she said. Lyons checked news stations for coverage of the apparent attack, but found nothing. When she realized the message was coming from the Nest Cam sitting above her TV, she called the company, which is part of Google, to find out what was going on.

Lyons said a representative told her that she was a victim of a "third party hack." Lyons didn't respond to a request for comment.

Nest says Lyons' device was most likely compromised by a stolen password.

"Nest was not breached," a spokeswoman said on Tuesday. "These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of the security risk.  

"We take security in the home extremely seriously, and we're actively introducing features that will reject comprised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials."

Still, as companies like Google, Amazon and Samsung try to convince consumers to turn their homes into hubs full of internet-connected gadgets and appliances, a scare like the one Lyons experienced could sour people from bringing those devices into their houses.

This isn't the first time Nest's cameras have been infiltrated by outsiders. In December, a hacker took over the camera of a man in Arizona to warn him of security vulnerabilities. In another case last month, a hacker told a couple through the device he'd kidnap their child.

Security experts have been warning for years that smart home devices are vulnerable to hackers. Some vulnerable devices come with bugs that hackers can exploit. To prevent hackers from using stolen passwords to log into security cameras and other connected devices, experts say companies need to educate users on how to use better security. Betsy Cooper, founding director of the Aspen Policy Hub, said that would help keep hackers out of security cameras and other internet connected "things."

Consumers can choose to use a stronger password and enable extra security features like two-factor authentication -- but they aren't required to do so. Device makers should flip that around, Cooper said. For example, they could turn on two-factor authentication by default and leave it up to consumers to turn it off if they don't want it.

"Companies should shift the way that they think about those things," Cooper said, "so they're not making stronger security so easy to avoid."

People can check if any of their passwords have been caught up in known data breaches using sites like Have I Been Pwned or Mozilla's Firefox Monitor. Some websites will also flag your password for you if it's been caught up in a breach, using a tool from the login company Okta

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.

Special Reports: CNET's in-depth features in one place.