Maybe one of the greatest ironies of Google’s Nest security cameras—and the Nest line of products in general—is just how dang insecure they are. In the past, we’ve seen these devices hijacked to spout North Korean propaganda, spy on sleeping toddlers, and harass families in their homes—leading the company to start beefing up Nest’s internal security substantially over the past year.
The latest example of this beef-up comes in the form of a public post made by one of Google’s employees on the company’s Nest support forum. Per the post, all Nest-owners will be mandated to authenticate their identities using a six-digit verification code that’ll be emailed to each Nestie with each new login attempt.
Aside from hopping onto the two-factor authentication bandwagon, the post also encourages users to use “a strong and unique password,” and to migrate accounts from Nest to Google proper, citing “industry-leading protections” as one of the perks of making that shift.
If something like two-factor authentication sounds like a pretty basic security measure to take for, well, a security-camera manufacturer, you’d be right. Over the years, Nest has been forced to reckon with the reality that the company’s security is only as strong as its least tech-savvy users, and that taking a few steps to accommodate them is increasingly necessary, even at the risk of providing a clunkier user experience. This means locking Nesties out of their accounts if they’re victim to an expected breach, and emailing Nest users every time they log in to use the service, and now, it also means using two-factor authentication to log in to their device.
While most of us probably think that we’re smart enough to lock down our devices without Nest holding our hand every step of the way, the truth is that plenty of us aren’t. Thanks to IoT search engines like Shodan and Insecam, anyone can freely browse internet-connected cams around the world just by knowing which search terms to use and which servers to plug into. And these sites alone boast literally hundreds of cameras that are either password-less or use the default password that came with the device to log in—no “hacking” required.
Granted, the Nest-hacks of the past weren’t always on the consumer’s hands. Though it’s since amended its ways, Nest devices were once guilty of using plaintext to store people’s passwords, freely airing people’s locations on the open web, and came packaged with more than a few backdoors that were ripe for exploitation.
A quick Giz analysis of some of these publicly available IoT search engines revealed that, by and large, Nest’s name is largely absent from the freely hackable devices, as is Dropcam, the home-monitoring cam startup acquired by Google back in 2014. It might be a sign that Google’s actually practicing what it’s preaching to consumers—and its devices are all the better for it.