As a former Nest owner, I got a creepy email from the Google-owned Internet-of-Things company.
The email reads, in part:
This is a real problem. If you have a Nest camera (or any home IoT device, really) that is bound to a “home” website account in the cloud, and a nefarious hacker gets hold of that account's credentials, then they have the same access you have to the device itself.
And if you use the same username and password on any other site, or if you log in with “single sign-on” (SSO) to a bunch of websites, stores, social media, etc., and one of those sites gets hacked, your whole treasure chest gets emptied. Your password security, in a very real sense, is only as strong as the weakest link.
Problem is, the weakest link is not in your control most of the time.
Google–Nest–recommends you take some simple precautions to protect yourself.
First, they recommend you use multi-factor, or two-factor, authentication.
This is a great idea for any critical websites like your bank, major shopping destinations that have your credit cards stored, your tax preparer (you’d be surprised how many scammers are out to use your taxpayer ID to steal your refund), or your mobile app or music store.
If you use your Apple ID to store other website passwords, or if you store passwords in Google Chrome, make sure you have “2-step verification” or “multi-factor” authentication turned on. This will force you to respond to a text message, use the Google Authenticator, or use some other method in addition to a username and password to access those sites.
Second, use individual, strong passwords on other websites and avoid using single-sign-on if possible.
It’s tempting to have every website you use set up with the same credentials. After all, remembering 32 usernames and passwords is cumbersome. Many people write their credentials down on notepads, or tape them under the keyboard (a no-no if you are doing it at work).
The best way to use strong passwords is to store credentials in your browser or smartphone. Apple’s “Keychain” is very well integrated between devices using your Apple ID. If you use this, then remember to protect your Apple ID with multi-factor or “2-step verification.” Same with Chrome, which can sync across many platforms including Android phones.
Other products that allow you to store passwords include KeePass, an open source product that runs on various operating systems. It’s secure and fairly easy to set up. The best thing about KeePass is that it will store passwords for documents, websites, and just about anything else.
Third, don’t share your accounts with family; use family accounts if they are available.
Apple and Google are moving toward forcing you to create family accounts for each member of your household instead of sharing one account. They do this for security, and also to better track you and your preferences.
Fourth–this one is from me–be careful setting up devices that can bug your home.
Call me a Luddite, but I don’t have an Alexa device. I have Siri and Google Assistant configured not to listen for “Hey Siri” or “Hey Google” commands. I don’t have Internet Cloud cameras in my home. Since Apple’s FaceTime eavesdrop vulnerability was announced, I stopped using that app.
I used to have two Nests, but since we moved to a different home we don’t have them anymore. I don’t want any device in my house that records my every word, and can record video of me or my family and ship it off to who-knows-where because some hacker bought a list culled from a compromised site.
Remember, any site you log in to is a clue to the puzzle of your online life. If you share the same user ID on multiple sites (who doesn’t, because many require you to use your email address as a username), then one site being hacked exposes that username and password combination. It’s child’s play for hackers to try that combination on every major site they can over a period of time.
And every site that’s hacked increases the odds that your username/password could be compromised, especially if it’s an easy one.
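To see how far one breached site reaches, the reuse described above can be audited from a password-manager export. This is an added example, not part of the original post; the CSV column names and the sample rows are constructed assumptions, not any product's real export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (site, username, password); not real credentials.
SAMPLE_EXPORT = """site,username,password
nest.example,pat@example.com,Winter2019!
forum.example,pat@example.com,Winter2019!
shop.example,pat@example.com,Winter2019!
bank.example,pat@example.com,q7#Lm2$vRx9e
mail.example,pat.alt@example.com,Winter2019!
"""

def load_entries(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def blast_radius(entries):
    """Map each site to the other sites sharing its exact username/password
    pair, i.e. the accounts that fall if that one site is breached."""
    by_pair = defaultdict(set)
    for e in entries:
        by_pair[(e["username"].strip().lower(), e["password"])].add(e["site"])
    radius = {}
    for e in entries:
        key = (e["username"].strip().lower(), e["password"])
        radius[e["site"]] = sorted(by_pair[key] - {e["site"]})
    return radius

def reused_passwords(entries):
    """Sites whose password is used on more than one site, even when the
    username differs (still a weak link if the usernames are guessable)."""
    by_pw = defaultdict(set)
    for e in entries:
        by_pw[e["password"]].add(e["site"])
    return sorted(s for sites in by_pw.values() if len(sites) > 1 for s in sites)

if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    for site, others in blast_radius(entries).items():
        status = ", ".join(others) if others else "nothing else (unique pair)"
        print(f"breach of {site} also exposes: {status}")
    print("password reused on:", ", ".join(reused_passwords(entries)))
```

Every site with a non-empty list is one to give its own password first, starting with the accounts that control devices in the home.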
Once the hackers get into your camera, or your other IoT devices, they have entered your home, virtually. The instances Nest users experienced, while frightening and creepy, didn’t do any actual damage. But those users may have had their home networks compromised, which means every single one of their passwords, email accounts, and other data could be harvested by a skilled hacker.
These days, you can hardly survive without being online. I get that. I protect my home network and computers with the same degree of paranoia as I have on my work network and computers. But when it comes to cameras and other IoT devices in my home, I go back to what the Air Force taught me about COMPUSEC: the only safe computer is the one that’s unplugged.