Nest is a home automation company that Google bought in 2014, turned into an independent unit of Alphabet, then merged back into Google in 2018 (demonstrating that the "whole independent companies under Alphabet" thing was just a flag of convenience for tax purposes). The company has always focused on "ease of use" over security, and internecine warfare between different dukes and lords of Google meant that it was never properly integrated with Google's security team, which is why, over and over again, people who own Nest cameras discover strangers staring at them from their unblinking camera eyes, sometimes shouting obscenities.
One of Nest's most popular uses is as a babycam, and there's something especially terrifying and ugly about discovering a hacker screaming obscenities at your baby in the middle of the night through the baby monitor, which is why hackers keep doing it.
The latest: the nanny in Jack Newcombe's family was in the nursery when a stranger started threatening her and shouting at her, trying to get a rise out of her, in an orgy of menace that ended with the hacker threatening to come over to Newcombe's house and kidnap their baby.
The most significant vulnerabilities in Nest's model are that it doesn't require robust passwords during setup, and it lacks a decent intrusion detection tripwire that would prevent someone from using a credential stuffing attack, wherein an attacker automatically tries millions of login/password combinations harvested from gargantuan breaches. It's quite a combination: weak passwords and weak protection against password guessing, and it means that people who just want to keep an eye on their babies need to have a subtle and sophisticated understanding of security to be safe when they do it.
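The kind of tripwire described above can be sketched as follows. This is an added example, not Nest's or Google's code: the log format, the sample events, the thresholds and the function names are all assumptions made for illustration. It flags a source address that fails logins against many different accounts in a short window, and marks any account that address then gets into as one to lock.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window
MAX_FAILED_ACCOUNTS = 3         # assumed limit: distinct accounts failed per source IP

# Constructed sample auth log (not real data): "timestamp ip account result"
SAMPLE_LOG = """\
2019-01-10T03:00:01 203.0.113.7 alice@example.com FAIL
2019-01-10T03:00:02 203.0.113.7 bob@example.com FAIL
2019-01-10T03:00:03 198.51.100.4 dana@example.com FAIL
2019-01-10T03:00:04 203.0.113.7 carol@example.com FAIL
2019-01-10T03:00:05 198.51.100.4 dana@example.com OK
2019-01-10T03:00:06 203.0.113.7 erin@example.com OK
2019-01-10T03:20:00 203.0.113.7 frank@example.com FAIL
"""

def parse(line):
    """Split one log line into (time, ip, account, succeeded)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "OK"

def tripwire(log_text):
    """Return (flagged_ips, accounts_to_lock) for a chronological auth log."""
    failures = defaultdict(deque)  # ip -> (time, account) failures inside WINDOW
    flagged, to_lock = set(), []
    for line in log_text.strip().splitlines():
        ts, ip, account, ok = parse(line)
        recent = failures[ip]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()
        if not ok:
            recent.append((ts, account))
        # One user mistyping their own password touches one account;
        # stuffing touches many accounts from the same source.
        spraying = len({acct for _, acct in recent}) >= MAX_FAILED_ACCOUNTS
        if spraying:
            flagged.add(ip)
            if ok:
                # A success from a spraying source is a likely reused password.
                to_lock.append(account)
    return flagged, to_lock

if __name__ == "__main__":
    print(tripwire(SAMPLE_LOG))
```

In the sample, the user who mistypes her own password once and then logs in is left alone, while the address that walks through a list of accounts is flagged and the one account it opens is queued for a forced password reset.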
I hear the familiar chime, which means someone is about to talk through the camera. Then, to my horror, a female voice that I don't recognize starts talking to my 18-month-old son. He looks around the room and then at the ceiling, wondering who's there.
It feels as though my heart is about to beat through my chest. The blood rushes to my face. I am completely helpless.
The voice is laughing when it chimes in. She says we have a nice house and encourages the nanny to respond. She does not. The voice even jokes that she hopes we don't change our password. I am sick to my stomach.
After about five minutes of verbal "joy riding," the voice starts to get agitated at the nanny's lack of response and then snaps, in a very threatening voice: "I'm coming for the baby if you don't answer me, bitch!"
The voice from our Nest camera threatened to steal our baby [Jack Newcombe/Silicon Valley]