Stories like this just reinforce my desire to have completely local control over everything in my house.
With that said, someone claiming they changed their password is just stupidity as they probably changed it to some personally identifiable, weak password (like their or their kids' birthdays). I have zero faith in people actually using strong passwords, or even better, passphrases. Anyone that doesn't in this day and age, after years of warnings, is just begging for something like this to happen to them.
That's the 2nd "smarthome breach" story I've read in general newsfeeds. The other was 4 or 5 months ago in LA. IIRC, that one involved a Nest tstat as well.
Compromised password != hackers
Other story is here:
5 bucks this was an inside job via one of their kids...
There are more hacks on baby monitors than I can count. I do remember that there was this foreign site that had a pay-per-service to get access to cameras. Some were baby monitors, others were IP security cameras, and others were MacBook cameras.
Yep, the air gap is the best thing you can do, but there are way too many cloud services that are easy to set up but can't be run without a direct connection to the internet. In my home I have mostly firewalled off my Hubitat. It's allowed to check for firmware, time, and access the ecobee APIs; that is it.
One thing I like about my Pearl Thermostat is the ability to set min and max temperatures for both heating and cooling.
For heating I have the Max at 75 °F and minimum around 65 °F. These are in the thermostat menu and not exposed to the system. So if my thermostats were hacked, the effect would be minimal.
My ecobee has a similar capability but I'm not 100% convinced it can't be overridden by the cloud.
It boggles the mind that all thermostats don't have this feature. Some have only Max for heat and min for cooling.
Also, we have tape blocking the laptop cameras.....difficult to hack a piece of tape. At least through the internet.
Eventually, they got in touch with their internet provider to change their network ID. They think someone hacked into their Wi-Fi and then their Nest system.
"If someone hacks into your Wi-Fi, they shouldn't be able to have access to those Nest devices without some sort of wall they have to get over," Lamont Westmoreland said.
got in touch with their internet provider...
Let me guess, they also had a default login/password on their router =S
If you search it out, you can find all of the hacked webcams on one website. I'm not going to share the link here, but I will say that I was appalled at how many there actually were.
Username = Admin
Password = Admin
But sure, they got hacked. It was all the ISP's fault. Or Nest. Or the hacker. It sure wasn't the stupid homeowner who doesn't know how to make strong passwords, or secure accounts.
Most of the time the out-of-box experience of many of these devices is poor. They allow you to use insecure passwords and in the worst case remove the passwords altogether. To make matters worse, many devices with web services just let you blindly set up an account using a Google or other public ID service. Sounds good on paper until you realize how many services you have tied to that one ID.
I am impressed that the good router vendors are now prompting for tighter passwords and no longer allow for "admin" or "root" as the username. It's a small step but it goes a long way. But there is so much more work to be done and I agree with many network security folks that the day of the password needs to be retired since it's the most compromised method of intrusion.
THIS!
And sensationalist news outlets are not journalists.
Unfortunately there are those folks who think they know better than the router instructions. Something like "...we don't need a password, they are just a PIA and needed only for banks and such....".
The bureaucratic solution will be to automate the security somehow. Kind of like the automotive industry, where folks don't want to bother to test the air pressure in their tires so now we all have tire pressure systems in our cars.
Which are the ports and IPs you allow them out to? NTP is UDP port 123, but I don't know where they go to do the firmware update checks. I played a bit with this at my house, but the firewalling on my Asus router is pretty limited.