Griefer terrorizes baby by taking over their Nest babycam...again

Nest is a home automation company that Google bought in 2014, turned into an independent unit of Alphabet, then re-merged with Google again in 2018 (demonstrating that the "whole independent companies under Alphabet" thing was just a flag of convenience for tax purposes); the company has always focused on "ease of use" over security and internecine warfare between different dukes and lords of Google meant that it was never properly integrated with Google's security team, which is why, over and over again, people who own Nest cameras discover strangers staring at them from their unblinking camera eyes, sometimes shouting obscenities.

One of Nest's most popular uses is as a babycam, and there's something especially terrifying and ugly about discovering a hacker screaming obscenities at your baby in the middle of the night from out of their baby monitors, which is why hackers keep doing it.

The latest: the nanny in Jack Newcombe's family was in the nursery when a stranger started threatening her and shouting at her, trying to get a rise out of her, in an orgy of menace that ended with the hacker threatening to come over to Newcombe's house and kidnap their baby.

The most significant vulnerabilities in Nest's model are that it doesn't require robust passwords during setup, and it lacks a decent intrusion detection tripwire that would prevent someone from using a credential stuffing attack, wherein an attacker automatically tries millions of login/password combinations harvested from gargantuan breaches. It's quite a combination: weak passwords and weak protection against password guessing, and it means that people who just want to keep an eye on their babies need to have a subtle and sophisticated understanding of security to be safe when they do it. Read the rest