Clearly they should've been using Hubitat.
This is exactly why certain things should not be accessible from the internet and exactly why certain things have no reason being cloud based.
If something is accessible from the internet, it’s only a matter of time before someone or something automated (bot, worm, etc) gets access to it.
I find it disturbing that the person in the Mercury article stated this is partially due to password reuse and the support representative stated it was possibly from a data breach.
NO! It’s because it’s openly accessible from the damn internet and it has exploitable vulnerabilities. You can have a username and password for something all day, but if you can’t talk with it from outside someone’s LAN, you’re not going to be able to use them.
These devices require unhindered bidirectional communication with the cloud. God forbid they require UPnP. I highly doubt that these bad guys are using complex attacks to get access inside someone’s home network just to harass them with their Nest cameras.
I’m not saying password reuse and leaked data breaches aren’t a problem, but that’s not the problem here. I follow Troy Hunt, he’s awesome, and if you haven’t used https://haveibeenpwned.com/ then you should check it out.
But, Troy can’t help you if some 14yr old in Singapore uses Shodan to find your vulnerable Nest camera is hooked to the internet.
And again, the author of the Techive article on Hubitat should experience this as well!
Another thought that worries me about connecting to the internet:
- Every company needs to make money to survive.
- None are so altruistic as to offer services that affect their bottom line.
- (Here's the scary part) If you don't know how they are making money by offering you "free" service through some internet connection, they are likely making it from your data in a way you don't realize and likely would not want.
Just my opinion.
According to Nest, password reuse was the issue and their systems were not breached. I'm an IT support tech. I deal with end consumers. Password reuse is still a huge issue. If consumers are going to purchase these two-way connected devices and put them online with a password they use everywhere, this is the result that can be expected.
I'm surprised that two factor is not possible. Sounds wrong to me. Isn't the Nest app the same for Nest Protect, Thermostats and Cameras? Two factor is available for the Nest app with my Protects, is this not the case with the Cameras? Honestly two factor needs to be mandatory. There's just too many people out there that don't know how to protect themselves online or with smart products.
Yup. But, sometimes the user isn't given a choice. Take online banking, for example ... no 2FA for non-business accounts ... my gmail accounts are more secure for online logins than logging into my bank accounts.
I really don’t care what Nest or Google has to say, it’s not like they have a good track record lol. Password reuse or not, if it is publicly connected to the internet (directly or through some cloud service) it is only a matter of time before someone or something gets into it if they really want to.
2FA is far from perfect, especially when it requires some provider’s cloud service. Ask Twitter or Instagram how well their 2FA kept bad guys from getting access to other people’s accounts. Then ask those people how 2FA screwed them when the bad guys changed the 2FA to themselves. There is a reason why physical 2FA tokens are becoming a bigger deal.
A LAN only system can still only be attacked from inside the LAN or physically. That is a fact.
You can reuse or have weak passwords, but if they can’t publicly access the device from outside the LAN, it really doesn’t matter.
Once you open something to be talked to publicly by something outside of the LAN without it requesting it first... all bets are off.
Too many devices nowadays offer publicly internet connected convenience capabilities. You can’t have this and foolproof security.
These bad guys didn’t hack into these people’s home network by getting them to download some Word doc with a malicious macro and then decide “Hey, let’s screw with their Nest”. They went directly after the Nest. Maybe they did have the username and password, but that doesn’t matter. Again, they publicly accessed the Nest remotely. Honestly they are lucky the bad guys probably did have the ability to start laterally pivoting into everything else and do worse things.
I can give you my hub IP, username, and password right now and I can guarantee that you won’t get into it because it is configured not to talk to anything on the internet right now. Hell, I can even throw in my public IP just for fun.
IoT Security isn’t more complicated than anything else. Just like ICS/SCADA security now, people are trying to fix problems they created themselves because they wanted all kinds of crap connected willy-nilly to the internet.
2FA is an extra step, but it's increasingly being exploited.
SIM swapping consists of tricking a provider like AT&T or T-Mobile into transferring the target’s phone number to a SIM card controlled by the criminal. Once they get the phone number, fraudsters can leverage it to reset the victims’ passwords and break into their online accounts (cryptocurrency accounts are common targets.) In some cases, this works even if the accounts are protected by two-factor authentication. This kind of attack, also known as “port out scam,” is relatively easy to pull off and has become widespread, as a recent Motherboard investigation showed (The Hackers Who Can Hijack Your SIM Card Using Only Your Phone Number).
Password breach teaches Reddit that, yes, phone-based 2FA is that bad
2FA codes can be phished by new pentest tool – Naked Security
Google switched to keys:
"U2F is an emerging open source authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, GitHub (and of course Google’s various services). Most major password managers also now support U2F, including Dashlane, and KeePass. Duo Security also can be set up to work with U2F."
Google: Security Keys Neutralized Employee Phishing
Google is pushing Titan keys
Protect your online accounts with Titan Security Keys
Some of my high-security enterprise IT friends use Duo.
"Phone based" 2FA is not bad.... SMS based 2FA is.
Huge difference.
The issue with security keys is that they can't be used on mobile devices.
Well Google is working to implement it on android. Will be interesting to see how
All forms of 2FA have issues. As posted above, SIMjacking is specifically to get the phone because it’s end game after that.
Identity and access management are going to be a problem for a very long time.
I think the latest Yubi key can work with a mobile device via NFC.
I think the problem is that not all application and service providers support it.
It's the YubiKey Neo ... I use it with my Android w/ NFC ... works fine.
Don't bank online unless you're judgment-proof.
Time for a new bank! There are plenty to choose from these days!
Only used for paying bills ... I suppose I could go back to snail-mailing my bill payments --- yet another way to steal identity
In a previous internet life (not related to banking) I was good friends with the guys who write the code for bank-to-bank international transfers. It was my friends who gave the advice to not bank online.
I am also a retired regional director of a very conservative, multi-state bank chain. Unless it's changed in the last 2 years, banks are not required to disclose much about a breach, even to the Fed. Their general M-O has been to pay the ransom or fix the loss, rather than face the public relations sh*tstorm and loss of customers.
Don't bank online. Use a PERSONAL credit card and paper checks. Yes, the MICR code is hackable, but I think that's far less of a risk.
I'm not wildly paranoid, but you can see one reason I went with HE.
I work in FinTech and have been with several F500s that build software for the banking industry. I have worked with small regional banks, and found their security practices astoundingly naive. The software on the other hand, is WELL vetted and conforming to PCI in the extreme. PII is encrypted at rest or there is no way we'd ever sell to any reasonably sized bank. Audits are performed regularly.
I do grow weary of alarmists.
Unless, for example, UK's Ross Anderson has started banking online in the last 2 years, he says much the same as I have here.
https://www.cl.cam.ac.uk/~rja14/banksec.html
To each his own.
I don’t know if I’d go as far as to say this sort of thing (i.e. certain home automation devices) shouldn’t be cloud based as a blanket statement. It’s a balance of risk and convenience. Personally, I do like the ability to see if motion was detected in my house when I’m away from home. Is it a risk because it uses a cloud-based system for that particular action? I guess. However, you try to mitigate the risks as best you can and you do so with things that wouldn’t be devastating in the off chance that there is a breach.
You balance risk and convenience in every aspect of your life. It’s the reason we don’t all bar the doors and windows of our houses, wear a helmet when we go for a jog, or chew each bite of food precisely 40 times so we don’t choke. To make a blanket statement that home automation should not be cloud based, to me, is a rather alarmist viewpoint.
You compare the need for eating to the convenience of home automation?
There is a huge difference between balancing inherent risk and risk you create out of convenience.
You need to eat, you don’t need to have everything connected to the internet.
An alarmist viewpoint would be saying get rid of all your home automation technology and go live in a cave.
A smart risk-averse viewpoint says certain things should not need to be accessible via the internet. Which is exactly what was said, not what your last statement is.
Too many people don’t fully understand that there are real threats, vulnerabilities, and risks involved with current technology. That combined with today’s rampant Optimism Bias leads to all the news headlines like this.