This is exactly why certain things should not be accessible from the internet and exactly why certain things have no reason being cloud based.
If something is accessible from the internet, it’s only a matter of time before someone or something automated (bot, worm, etc) gets access to it.
I find it disturbing that the person in the Mercury article stated this is partially due to password reuse and the support representative stated it was possibly from a data breach.
NO! It’s because it’s openly accessible from the damn internet and it has exploitable vulnerabilities. You can have a username and password for something all day, but if you can’t talk with it from outside someone’s LAN, you’re not going to be able to use them.
These devices require unhindered bidirectional communication with the cloud. God forbid they require UPnP. I highly doubt that these bad guys are using complex attacks to get access inside someone’s home network just to harass them with their Nest cameras.
I’m not saying password reuse and leaked data breaches aren’t a problem, but that’s not the problem here. I follow Troy Hunt, he’s awesome, and if you haven’t used https://haveibeenpwned.com/ then you should check it out.
But Troy can’t help you if some 14-year-old in Singapore uses Shodan to find that your vulnerable Nest camera is hooked to the internet.