Laura Lyons was preparing food in her kitchen Sunday when the lazy afternoon took a turn for the absurd. A loud squawking — similar to the beginning of an emergency broadcast alert — blasted from the living room, the Orinda mother said, followed by a detailed warning of three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago and Ohio.
“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate,” Lyons said Monday. “It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”
Lyons and her husband stood slack-jawed in the living room, terrified but also confused because the television continued airing the NFC Championship football game. As their scared 8-year-old son crawled underneath the rug, the couple realized the apocalyptic warning came from their Nest security camera atop their living room television.
After many panicked minutes and phone calls to 911 and to Nest, the couple learned they likely were the victims of a hacker. And that panic turned to anger when they found out that Nest knew that there had been a number of such incidents — none involving nuclear strike scenarios — but failed to alert customers. Lyons said a Nest supervisor told them Sunday they likely were the victims of a “third party hack” that gained access to their camera and its speakers.
A Google spokesperson — the search engine owns Nest — said Nest was not breached in this incident.
“These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of the security risk,” the company said in an email statement. “We take security in the home extremely seriously, and we’re actively introducing features that will reject comprised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.”
The Lyons are not alone.
Reports from across the country indicate a growing problem of hackers accessing the WiFi-enabled cameras from Nest and other similar companies. In December, a Houston couple rushed to their infant’s room when a hacker began screaming over the family’s Nest camera baby monitor that he was going to kidnap their child. The same month, a benevolent Canadian hacker began speaking to a Nest camera user in Arizona, warning him that his system was ripe for hacking and how to protect it.
Adwait Nadkarni, an assistant professor of computer science at the College of William & Mary, was a lead investigator in a December study on the vulnerability of Nest and similiar technology.
“Our recent study of the Nest platform shows that it is reasonably secure, in comparison with other similar platforms,” Nadkarni said. “In such cases, the problem most often lies in how the devices are configured and used in the smart home, especially in terms of setting the account password.”
Nadkarni said there have been other hack attacks, but he had not heard of a nuclear hoax.
For the Orinda family, the incident began around 2 p.m. Sunday and froze Lyons in her tracks. She initially anticipated an Amber Alert warning, but the detailed nuclear war message claimed to be from Civil Defense and provided details down to the fact President Trump had been taken to a secure facility.
As the frightening message repeated a second time, Lyons’ young son asked, “Mommy, is there a missile coming?”
As she tried to calm her son, Lyons’ mind raced.
“My first thought was which car are we going to get into now because the Bay Area would be such an obvious target,” Lyons said. “I was thinking we can stop at our friends in Napa. I was disappointed I didn’t have much cash on me. I was going right down the rabbit hole.”
Lyons switched to CNN and other news stations but found no discussion of a nuclear threat. She called 911 and the dispatcher told her she had heard of no other calls.
Lyons didn’t even realize the pair of surveillance cameras the family installed a couple years ago for home security had speakers. The couple began to get more and more suspicious and eventually Googled “Nest and hack” but found nothing about a nuclear attack.
Finally, after a few calls to Nest customer service, they were told they most likely were a victim of a hacker who accessed their data through a “third party data breach.”
“They have a responsibility to let customers know if that is happening,” she said. “I want to let other people know this can happen to them.”
Nadkarni said the recycling of passwords for multiple online services is even more troubling now with the prevalence of in-home, WiFi-enabled devices that provide a hacker access inside someone’s property.
“If even one of the services is compromised, the attacker can use the password to gain access to everything else,” Nadkarni said. “I would definitely recommend using a password manager to use different passwords for all services and enabling 2-factor authentication.”
Just last week, a massive list of 773 million emails and more than 21 million passwords were exposed publicly. Individuals can look if they’ve been exposed to such breaches online at sites such as https://haveibeenpwned.com/.
Lyons said her husband killed the speaker and microphone capabilities on the cameras, changed the passwords and added 2-factor authentication.
Hours after the stressful incident, Lyons shared her experience on a local family Facebook group, and other Nest users shared their recent experiences, including one man who said he got hacked last week after he heard dogs barking and the sound of laughter in his garage and learned it came from his Nest camera.
“My son heard it and crawled under our living room rug,” Lyons wrote in one post describing Sunday’s incident. “I am so sad and ANGRY, but also insanely grateful that it was a hoax!!”
© 2019 the Contra Costa Times (Walnut Creek, Calif.)
Distributed by Tribune Content Agency, LLC.