The man’s voice came through the Nest camera of Houston mother Ellen Rigney just before midnight.
“I’m going to kidnap your baby. I’m in your baby’s room,” the voice said, Rigney told NBC affiliate KPRC in Houston earlier this week.
Rigney and her husband dashed in to check in on their 4-month-old, Topper, who they keep an eye on overnight with a Nest cam that doubles as a baby monitor. They found Topper sleeping peacefully in his crib, alone in his nursery.
That’s when the couple realized a hacker had gotten through the camera’s security.
Rigney’s story is not unique. Over the summer, Gabby Nader, a mother of three, “literally ripped” a Nest camera out of her nearly 2-year-old’s room in Upper Makefield, Pennsylvania, after the little girl pointed at the device and said a man had been talking to her through it, Nader told NBC News.
Meanwhile, in October, Alexandra, a mother of two from Tenafly, New Jersey, who asked to be identified by first-name only due to privacy concerns after her family’s experience, said what sounded like a group of teenagers started speaking through the camera, which she keeps in the living room to check in on her two young kids and their nanny.
“It was around 1 a.m. and my husband heard voices talking through the camera. They could see him and they started cursing at him,” she said.
“We felt unsafe, unsecure,” she said. “You never know who the heck is watching your kids and your house.”
The hacks exemplify the growing risks faced by consumers who are putting more internet-connected devices in their homes. A survey from March found that a third of U.S. consumers own two or more so-called smart home devices.
The Nest hacks also point to an emerging strategy from malicious hackers called “credential stuffing,” in which usernames and passwords from previous data breaches are used to access otherwise secure systems.
More devices, more risks
Headlines dating back at least five years have documented other instances of hackers accessing Wi-Fi baby monitors, but a recent rash of hacks has brought renewed attention to the issue.
Earlier this month, Arizona real estate agent Andy Gregg experienced a similar but far less nefarious Nest hack. A person who identified himself as a “white hat” — a friendly hacker who exposes security vulnerabilities so that they can be patched — began speaking to Gregg through his Nest cam, informing him he should take security precautions such as setting up two-factor authentication because “there’s so many malicious things someone could do with this.”
Gregg was able to record video of the interaction with the hacker, Hank Fordham — whom Gregg put in touch with NBC News.
“The method that we use here isn't particularly sophisticated, and that's the big problem,” said Fordham, an independent security researcher.
Fordham said he was able to hack Gregg’s camera using credential stuffing. In that method, easily accessible databases of usernames and passwords from previous data breaches are put into an automated system to look for accounts that reuse their credentials.
Fordham said credential stuffing has grown in popularity in hacking circles, leading him to look for ways to bring it to the public’s attention. (You can find out if you have been compromised by going to HaveIBeenPwned.com and entering your email address.)
Nest, a Google-owned home technology company, declined to comment on how often such breaches happen, but said in a statement earlier this week that the hacks are not due to any vulnerabilities in the device — rather, it’s a stolen password from another account or service.
Nest later told NBC News that the company is now preventing users from setting up accounts using old passwords that could be found in previous data breaches.
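A sketch of how an account service can refuse passwords that already appear in breach data, the kind of check described above. This is an added example, not Nest's code: the corpus, its counts and the `range_lookup` function are constructed stand-ins for a breach-password range service, and the hash-prefix lookup is an assumed design in which only the first five characters of the password's hash are ever sent out.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: (password, times seen in breach dumps). Not real breach data.
CONSTRUCTED_CORPUS = [("password1", 2413945), ("qwerty123", 871234), ("sunshine2018", 17)]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Index breached-password hashes by their first 5 hex characters."""
    index = defaultdict(dict)
    for password, count in corpus:
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] = count
    return index

RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)

def range_lookup(prefix: str) -> str:
    """Hypothetical stand-in for the range service: returns 'SUFFIX:COUNT' lines."""
    return "\n".join(f"{s}:{c}" for s, c in RANGE_INDEX.get(prefix, {}).items())

def breach_count(password: str, lookup=range_lookup) -> int:
    """Send only the 5-character hash prefix; match the remaining suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0

def validate_new_password(password: str):
    """Return (accepted, reason) for an account-setup or password-change request."""
    seen = breach_count(password)
    if seen:
        return False, f"appears in breach data {seen} times; choose another"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("qwerty123", "harbor-violin-87-mosaic"):
        print(candidate, validate_new_password(candidate))
```
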
The company did not respond to a specific question about whether it had been hit by a credential stuffing attack.
Cybersecurity experts confirmed that Nest had not been breached.
“They didn’t actually hack Nest. They used somebody’s password from something else that they were able to get into,” said David Kennedy, CEO of TrustedSec and Binary Defense, security consulting firms that work with large companies worldwide to protect them against hackers.
How to keep your devices safe
Even if a Nest Cam has been compromised, it’s not necessary to trash it, experts say.
Nests are “absolutely” among the highest-security home automation platforms, and the company was not at fault here, according to Adwait Nadkarni, an assistant professor of computer science at the College of William & Mary who earlier this month co-authored a study on the security of the Nest and Philips SmartHue, a competing smart home system. These incidents, he said, illustrate that even secure systems can be at risk due to previous data breaches and the propensity of people to reuse passwords.
That combination makes the broader “Internet of Things” in homes — a web-connected toaster, a smart light bulb that you can dim on schedule remotely — a growing source of concern, particularly since a breach in one connected device can potentially give hackers a ladder of items to gain access to other devices.
“We’re involving these devices in really complex values in our home,” he said. “We’re integrating these devices in sort of a chain that helps us essentially completely automate our home, and it’s really hard to say how secure our home may be. There’s no real data.”
Nadkarni, Kennedy and Fordham each recommended that consumers take basic steps to ensure their security — don’t reuse passwords and start using a password manager.
It’s also imperative to change a device’s default password — a weakness that can so easily be exploited that California has banned electronic firms from using them starting in 2020, instead requiring a unique password before the first use.
With video cameras, Nadkarni added, stick to brands known to be trustworthy and read the owner’s manual carefully to see if there are any default configurations that need to be changed.
For Rigney, the mother whose Nest was hacked earlier this week, the slight risk of it happening again simply isn’t worth it. She has unplugged all the cameras.
“It’s a voice I will never forget, unnerving and unsettling,” she told KPRC. “You have something that’s supposed to make you feel better, and instead it makes you the opposite. It makes you feel invaded and uncomfortable.”