Nest's "ease of use" imperative plus poor integration with Google security has turned it into a hacker's playground


40 years ago, antitrust law put strict limits on mergers and acquisitions, but since the Reagan era, these firewalls have been dismantled, and now the biggest companies grow primarily by snapping up nascent competitors and merging with rivals; Google is a poster-child for this, having only ever created two successful products in-house (search and Gmail), with all other growth coming from acquisitions and mergers.


When companies grow this way, they experience "diseconomies of scale" — dysfunctions brought on by their inability to integrate the acquired companies into their culture and technology. Yahoo (more than Google) is the obvious poster-child for these diseconomies, a company that will go down in history as a voracious acquirer and murderer of the best technology startups of a generation (Flickr, Delicious, etc etc etc).


One Google's most prominent acquisitions is the Internet of Things company Nest, whose "smart thermostats" were a beachhead for the company's "ecosystem" — a group of surveillance devices and controllers that were bound to the Nest by DRM, meaning that independent security researchers who audited these actuators and sensors faced potential criminal and civil liability.


This limited scrutiny, plus Nest's inability to integrate with Google's security systems, has proven to be a uniquely toxic mix. Today, for as little as $20, you can buy "credential stuffing" software that will take the massive dumps of billions of passwords that have accumulated over the years and try them on Nest devices that are discoverable on the internet. Once a working username/password combo is hit, the system is yours: you can listen in and watch the owner, and play audio through the devices' speakers (terrorizing toddlers with pornography on their baby monitors is an intruder's favorite), etc. Recall that Nest installed secret, undocumented mics in some of its products.


There are at least two ways Nest could limit these attacks: first, they could implement two-factor authentication, which is becoming a gold standard for securing systems, and, conveniently, a field where Google is a clear leader, with its own 2FA app for mobile platforms. But Nest's pitch is that it's a plug-and-play system with no technical expertise necessary, and the company has decided that its target audience will be daunted by a 2FA requirement to set up its products.


Additionally, Nest could make use of Google's extensive infrastructure for detecting credential-stuffing: the company has so much surveillance and telemetry deployed around the internet that it can detect many fraud attempts, by looking at everything from anomalies in users' customary locations to IP addresses that have been implicated in earlier attacks.


But Google and Nest — despite being organized as sister companies under Alphabet (the confusingly named holding company whose pretense is that it owns Google and all of Google's acquisitions) — do not share a security back-end. Rather, Google's security team (one of the best in the world) offers "advice" to Nest's security team. Clearly the advice was not sufficient, as can be seen in the mass-scale credential-stuffing attacks on Nest owners.


Tara Thomas thought her daughter was just having nightmares. "There's a monster in my room," the almost-3-year-old would say, sometimes pointing to the green light on the Nest Cam installed on the wall above her bed.

Then Thomas realized her daughter's nightmares were real. In August, she walked into the room and heard pornography playing through the Nest Cam, which she had used for years as a baby monitor in their Novato, Calif., home. Hackers, whose voices could be heard faintly in the background, were playing the recording, using the intercom feature in the software. "I'm really sad I doubted my daughter," she said.

Though it would be nearly impossible to find out who was behind it, a hack like this one doesn't require much effort, for two reasons: Software designed to help people break into websites and devices has gotten so easy to use that it's practically child's play, and many companies, including Nest, have effectively chosen to let some hackers slip through the cracks rather than impose an array of inconvenient countermeasures that could detract from their users' experience and ultimately alienate their customers.

How Nest, designed to keep intruders out of people's homes, effectively allowed hackers to get in [Reed Albergotti/Washington Post]


(via Naked Capitalism)