Family says hacked Nest camera warned them of North Korean missile attack
Laura Lyons and her family were enjoying a lazy Sunday afternoon in Orinda, California, when a warning claiming to be from Civil Defense rang out from their living room, alerting the family of three ballistic missiles aimed at Los Angeles, Chicago and Ohio.
The Lyonses scrambled to make sense of things and comfort their young son as the warning explained President Donald Trump had been taken to a "secure facility," she later told the Mercury News.
"It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate," Lyons told the Mercury News Monday. "It sounded completely legit, and it was loud and got our attention right off the bat ... It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on."
The child, hiding under a living room rug, asked: "Mommy, is there a missile coming?"
The Lyons' would quickly learn that missiles were not coming, however. As the family stood petrified in their living room they realized that no news stations were reporting the supposed threat. Closer examination revealed the blaring the sound was coming from their Nest home security camera - located on top of their television.
Calls to 911 and Nest confirmed there was no danger. Instead, a Nest supervisor explained to the family they were likely victims of a "third-party hack," granting someone access to their cameras and its speakers through a compromised password.
Google, which owns Nest, told Mercury News that Nest was not breached.
"These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of the security risk," Nest said in an email statement to Mercury News. "We take security in the home extremely seriously, and we're actively introducing features that will reject comprised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials."
Lyons told the newspaper she didn't know the camera had speakers and a microphone - features they immediately disabled after the false warning. They'd installed the device for security purposes a few years ago, she said.
"They have a responsibility to let customers know if that is happening," she said. "I want to let other people know this can happen to them."
In December, a Houston family reported hearing a stranger's voice spewing "sexual expletives" through a baby monitor located in their infant's room. When the family turned on the lights, however, their Nest security camera activated, and the voice told them to turn the lights back off before threatening to kidnap the baby.
At the time, a Nest representative told The Washington Post that they urged all customers to use strong passwords and two-factor verification to prevent such incidents - a step the Lyonses also took after their apparent hack.
Nest told The Post then that they were preventing customers from using passwords that appeared on "known compromised lists." As the Mercury News notes, a massive data breach took place last week compromising 773 million emails and 21 million passwords. Websites such as haveibeenpwned.com allow users to see if their emails and passwords have been exposed.
"I am so sad and ANGRY, but also insanely grateful that it was a hoax!!" Lyons wrote in a post describing the false warning on Sunday.