It took a growing mountain of home hacking horror stories going viral, but Google on Wednesday finally took action by telling their customers to stop messing everything up.
In the last few weeks, multiple stories have emerged about owners of Nest security cameras – at least some of which have speakers through which users can talk – seeing their devices hijacked so that hackers can not only look into their homes but also terrorise unsuspecting families by issuing fake bomb threats and threatening to kidnap children.
Nest sent an email to all its customers on Wednesday morning with a warning to better secure your accounts: Enable two-factor authentication, pick strong passwords, and be alert. The message from Nest is that customers have repeatedly messed up by reusing weak passwords and not setting up multi-factor authentication.
The question is, does responsibility to secure something as important as a home camera fall on customers or Google itself? Should one of the richest and most technically advanced companies on Earth ship a product that produces a live stream of video inside your home with security at the level of your Spotify account?
“We’re reaching out to assure you that Nest security has not been breached or compromised,” the company told worried customers.
That might be a distinction without much of a difference for someone who suddenly hears a threatening voice inside their own home.
The Nest breaches are the latest in a long line of worries about insecure smart home devices creating a patchwork of vulnerabilities that can result in the potential for real physical harm inside the home.
Why is something as important as a live video stream from inside your home secured as weakly as a video game by default?
Smart home devices like Nest should require two-factor authentication by default at the bare minimum. This should be the industry standard for devices that could directly affect your physical safety.
It would be as easy as adding into the Nest app, which is already required to use the camera, a push-alert authentication tool in the same way that Gmail can currently enable two-factor with the mobile app.
For the small price of an extra step, Nest’s devices would be immensely more secure. Reusing a weak password – a common mistake – would no longer leave your house open to hackers.
An app authentication option would also be more secure than Nest’s only current multi-factor authentication option, which is only a text message, a famously weak method that is impossible to verify and easy to intercept. App authentication and physical security keys are now the standard for security.
Google, which didn’t have much to say when we asked them about minimum security standards, recently launched Password Checkup to help encourage password security.
Does that really address the problem? No.
If the user is going to take an extra step, why not make the extra step toward far more effective tool of multi-factor authentication. Don’t treat customers like lazy, ineffectual idiots at the expense of their safety.
They’ve already got the Nest app doing everything else, now the job is to make the whole thing safe.