Checklist 122: Unrest In The Nest

Jan 24, 2019

It’s the end of the world as we know it — or at least, for one Californian family, that’s what it seemed like for about thirty minutes or so. Meanwhile, the police are leaking data all over the place online, but hey, at least Apple has a new raft of updates for all your favorite products to download and install. Those stories, and our thoughts on them, make up this week’s list. We’re going down the following items:

• Unrest in the Nest
• Teaching Police Departments About Safety
• All Your Apple Gear Has an Update

We’ll get started by looking at one unfortunate event that recently happened to a family in California — and whether it means others are at any risk.

Unrest in the Nest

According to a story from the Mercury News based in San Jose, California, one Bay Area family experienced what has been described as “five minutes of sheer terror” this week. One afternoon, the family heard loud noises very similar in tone to the one used by the official Emergency Alert System, coming from their living room. These terrifying tones were followed up by a warning: North Korea had launched three ICBMs at the United States, and one was headed to Los Angeles. Quoted in Mercury News, the woman from the family featured in the story had this to say:

“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate… It sounded completely legit, and it was loud and got our attention right off the bat. It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”

Of course, you probably know by now that we weren’t attacked by North Korea last weekend. In fact, you probably didn’t hear the warning, or even anything about it — because only this family did. The alert came from the family’s Nest security camera, which someone had hacked to deliver the bogus warning. It was only after placing terrified phone calls to both 911 and Nest customer service that it became clear the warning was a fake sent through by some bad actor. 

During their investigations, the family learned to their dismay that Nest is actually aware of several incidents similar to these, although none were quite so alarming as one involving nuclear missiles. Google, which owns and operates Nest, said through a spokesperson that Nest did not suffer any breaches and that a direct attack on the family’s device was likely responsible for the problem. The other incidents along with this one, Google said, probably occurred because of customers re-using passwords previously compromised in other online data breaches. Enabling 2FA, the spokesperson went on, would eliminate the risk of these incidents occurring at all.

So, is Nest really to blame for this, as the woman in the story alleges? Well — no. First, it probably would have been simple enough to walk outside and see that no one else was panicking and fleeing for their lives; second, though, it really does sound like someone simply “hacked” in using a username and password combo they found in a breach. There’s a certain level of responsibility that comes with owning IoT devices such as a Nest, and that includes securing your device and using common sense if something weird begins happening. Assuming Nest didn’t suffer a data breach (and it seems they didn’t), the fault probably lies with whoever set up the family’s Nest int he first place.

So, who was the “hacker”? We don’t know, but we can speculate a little that it was probably someone who had a bone to pick with this particular family. It could be a random attack, but more likely it was crafted specifically to scare them — for whatever reason. To Nest’s credit, an assistant professor of computer science from the College of William & Mary quoted in the Mercury News says that the platform is “reasonably secure,” and that problems with users’ passwords created during setup are often the source of problems with these devices.

In other words, here’s a solution if you use smart home devices: make and use strong passwords, and don’t re-use them anywhere. Consider using a password manager to diversify your credentials across all your services and enable two-factor authentication wherever it is available to you. Most reputable services have or are adding 2FA, but if there’s a service you use that doesn’t yet have it, email their support team and ask them for it. In fact, be persistent — the more you ask for protection for your online data, the more likely someone will be to sit up and take notice. It starts with you!

Teaching Police Departments About Safety

Now we move on from solving the “Internet of Things” issue to a story that’s just plain disappointing. According to TechCrunch, police departments aren’t just collecting tons of data — they’re leaving it online for all the world to see. What kind of data are we talking about in this story? It’s all about a technology known as ALPR — or automatic license plate recognition. 

According to TechCrunch, there are thousands of these cameras operated by police departments across the country. Aimed at traffic to enable the reading of license plates, these computerized systems make it easy to follow particular license plates (and the people associated with them) wherever they may go. The data is often used for serving criminal warrants, making arrests, and conducting investigations — but in the wrong hands, that data could reveal a lot about you, including where you live.

According to the piece, a number of these ALPR cameras are networked to the Internet. Worse still, those with a little know-how find it easy to identify these cameras, and they’re leaking data all over the place — the data they’re gathering on license plates and the drivers of vehicles. The problem is so bad, apparently, that the Electronic Frontier Foundation sounded the alarm about ALPR cameras back as far as 2015. Unfortunately, and perhaps not surprisingly, that had no effect, and now TechCrunch reporters have discovered the extent to which any bad guys can access and abuse this data.

Over a week of research for the article, TechCrunch discovered that more than a hundred ALPR cameras were searchable on the web through Shodan, a search engine for identifying Internet-connected devices. Many of these cameras, according to their official product manuals, come set with a default password; though the reporters did not attempt to break in to any of the cameras, it’s very possible that many of them are using default settings across the board. That would explain why the cameras are so easily accessible on the web, but it also means that any bad actors with some basic research skills could tap into these systems.

According to an EFF spokesperson, this type of behavior isn’t unusual. Law enforcement makes investments in technology, but not in the cybersecurity needed to use those technologies safely. Instead, hardware and software are often seen as “set & forget” systems with no need to put in any additional work that the vendor did not do themselves. One of the systems identified in the piece was apparently set up initially in 2004. If the hardware has worked for 15 years without problems, it’s no surprise that law enforcement might not think about the need to secure the system — but it’s dangerously irresponsible not to take these steps.

The EFF points out that in California, these agencies could be on the hook for punitive damages were someone to be harmed because of the data leaked from an insecure ALPR camera. However, how would we ever be able to find out that was actually the source? In most cases, it would seem it would be challenging to hold anyone accountable for these lapses.

There is one saving grace, though, again coming to us out of California, and it’s something we’ve discussed on the Checklist before. Starting in 2020, California will ban the sale of IoT devices that come with default passwords which are not wholly unique. In other words, no more “admin/password” combinations. California is a huge market, and it seems unlikely that manufacturers would make a “California-specific” version of their hardware. In other words, we should hopefully all benefit as a result of this law, with manufacturers ideally shifting to unique device passwords. That, at least, is a significant step forward.

Oh, and one more thing this situation reminds us all about — change your default passwords. 

All Your Apple Gear Has an Update

One last quick reminder before we sign off for this week: Apple has just dropped new updates for all its operating systems this week, and we do mean all of them — from iOS to tvOS, there’s a little something for every user here. Here’s how it breaks down in addition to the usual stability patches and compatibility fixes:

• iOS 12.1.3 addresses 23 separate security issues
• macOS Mojave 10.14.3 addresses 20 issues
• watchOS 5.1.3 covers 13 issues
• tvOS 12.1.2 covers 17 issues
• Safari 12.0.3 covers 5 issues
• iCloud for Windows 7.10 solves 5 issues

There are no new features in these updates, but there are several bug fixes big enough for Apple to address. Now, here’s an important question: do you have auto-update turned on? In most cases, you can trust Apple’s quality control to push out good updates that won’t negatively impact your phone. That’s not to mention the fact that with automatic updates, you don’t have to ever worry about managing the installation yourself. The peace of mind that comes from knowing you’ve always got the latest and greatest updates on hand is pretty nice, too. 

Don’t have automatic updates turned on yet? Don’t worry: we’ve got you covered. Here’s how to take care of it easily:

On the Mac: Open the Mac App Store in the upper left of the screen. Next to the Apple logo, click App Store, then select “Preferences.” The first choice on the preferences screen is “Automatic Updates,” which you can turn off or on there.

On iOS Devices: Tap Settings -> Tap General -> Tap Software Updates -> Turn on Automatic Updates

On Apple TV: Select Settings -> System -> Software Updates -> Automatically Update

And that’s all it takes!

We do love a good how-to on this show, and we’re glad to be able to wrap up this week’s discussion with a handy one. Be sure that you grab those updates, since they do contain a whole lot of good security fixes. For Nest users, make sure you’ve got a secure password set up on your devices — and in the meantime, we’ll just have to hope that the police do the same.