Nest owners, if you aren’t already flying with two-factor authentication (2FA) on your accounts, get ready for Google to push you into spreading those security wings.

On Tuesday – which, appropriately enough, was Safer Internet Day – Google announced that in the spring (or in the fall, for those in the Southern Hemisphere), it will start forcing users of its Nest webcams and other products to use 2FA to secure their accounts.

Nest users who haven’t yet enrolled in the 2FA option or migrated to a Google account will be required to take an extra step by verifying their identity via email, Google said in a blog post. When a new login hits your Nest account, you’ll get a login notification from account@nest.com containing a six-digit verification code. Without that code, anybody trying to get into your account will be locked out.
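
The mechanics of that extra step, as an added example written for this article rather than Google's or Nest's own code: a six-digit code is drawn from a CSPRNG, handed to the mailer once, stored only as a salted hash, and accepted exactly once, inside a time limit and a small guess budget, so that the code cannot be brute-forced at six digits' worth of entropy. The ten-minute lifetime and five-attempt limit are assumptions, not values the article states; `notification_email` is a hypothetical helper that builds the message body.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed policy values (not stated in the article): a code lives 10 minutes
# and a challenge is abandoned after 5 wrong guesses.
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5


class LoginChallenge:
    """One pending login verification for one account.

    The code is generated from a CSPRNG, exposed once for the mailer, and kept
    only as a salted hash so a database leak does not reveal live codes.
    """

    def __init__(self, account: str, now: Optional[float] = None) -> None:
        self.account = account
        self.created = time.time() if now is None else now
        self.attempts = 0
        self.used = False
        code = f"{secrets.randbelow(1_000_000):06d}"  # zero-padded 000000..999999
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(code)
        self.code_for_email = code  # read by the mailer, then discarded

    def _hash(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode("utf-8")).digest()

    def verify(self, submitted: str, now: Optional[float] = None) -> bool:
        """True exactly once, for the right code, within the TTL and attempt budget."""
        now = time.time() if now is None else now
        if self.used or self.attempts >= MAX_ATTEMPTS:
            return False
        if now - self.created > CODE_TTL_SECONDS:
            return False
        self.attempts += 1  # every guess, right or wrong, spends budget
        submitted = submitted.strip()
        if len(submitted) != 6 or not submitted.isdigit():
            return False
        ok = hmac.compare_digest(self._digest, self._hash(submitted))
        if ok:
            self.used = True  # single use: a replayed code is refused
        return ok


def notification_email(challenge: LoginChallenge, sender: str) -> str:
    """Hypothetical helper: body of the login notification sent from `sender`."""
    return (
        f"From: {sender}\nTo: {challenge.account}\n\n"
        f"A new login to your account was attempted. If this was you, enter the code "
        f"{challenge.code_for_email} to continue. It expires in "
        f"{CODE_TTL_SECONDS // 60} minutes.\n"
        f"If this wasn't you, change your password now."
    )


if __name__ == "__main__":
    c = LoginChallenge("owner@example.com")
    print(notification_email(c, "noreply@example.com"))
    print("accepted:", c.verify(c.code_for_email))
```

The attempt counter is the part that matters most: without it, a six-digit code is only a million guesses away, which a bot clears in minutes; with a five-guess budget and a ten-minute window, the odds of guessing a live code are about one in 200,000.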

That should help with, say, keeping creeps from talking to your baby through a Nest security cam, or trying to crank up your Nest thermostat to tropical levels, both of which have happened to people who say they weren’t aware that 2FA is an option.

Google:

This will greatly reduce the likelihood of an unauthorised person gaining access to your Nest account.

Google started sending out login notifications for Nest accounts in December 2019. Sometimes, simply being told that somebody’s logged into your account is all it takes to spot suspicious activity, Google said:

Every time someone on your account logs in you’ll receive an email notification. That way if it wasn’t you, you can take action immediately.

Credential-stuffing-b-gone

Earlier this year, Google also addressed the problem of automated attacks such as credential stuffing – a type of attack that’s on the rise. Between November 2017 and June 2018, internet content delivery company Akamai estimated that its customers fielded 30 billion credential-stuffing attempts.

As Akamai went on to report in April 2018, three of the largest credential-stuffing attacks against streaming services in 2018 – ranging in size from 133 million to 200 million attempts – followed close on the heels of reported data breaches, indicating that hackers were likely testing stolen credentials before selling them.

Google said on Tuesday that Google accounts already come with protection against credential-stuffing, but earlier this year, it began applying an anti-stuffing-attack technology on Nest accounts that haven’t migrated to Google accounts. That technology – called reCAPTCHA Enterprise – sniffs out attacks from bots that scrape email addresses and content, post spam and try to brute-force stolen user credentials on a huge scale.
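
What "brute-forcing stolen user credentials on a huge scale" looks like from the defender's side, as an added example that is not Google's or reCAPTCHA's code: one source tries a long list of different usernames in a short window, almost all of them fail, and the occasional success is exactly the reused password the attacker was hoping to find. The log format and the sample lines below are constructed for the demo, and the thresholds (five distinct usernames, 80% failures, a 60-second window) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample authentication log (not real data). One attacker IP works
# through a credential list; one user mistypes a password; one household shares a device.
SAMPLE_LOG = """\
2020-02-11T10:00:01Z ip=203.0.113.10 user=alice result=FAIL
2020-02-11T10:00:02Z ip=203.0.113.10 user=bob result=FAIL
2020-02-11T10:00:03Z ip=203.0.113.10 user=carol result=FAIL
2020-02-11T10:00:04Z ip=203.0.113.10 user=dave result=FAIL
2020-02-11T10:00:05Z ip=203.0.113.10 user=erin result=OK
2020-02-11T10:00:06Z ip=203.0.113.10 user=frank result=FAIL
2020-02-11T10:00:07Z ip=203.0.113.10 user=grace result=FAIL
2020-02-11T10:05:00Z ip=198.51.100.7 user=alice result=FAIL
2020-02-11T10:05:20Z ip=198.51.100.7 user=alice result=FAIL
2020-02-11T10:05:45Z ip=198.51.100.7 user=alice result=OK
2020-02-11T11:00:00Z ip=192.0.2.5 user=bob result=OK
2020-02-11T11:00:30Z ip=192.0.2.5 user=carol result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, bool]]:
    """Parse one constructed log line; returns None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"] == "OK"


def detect_stuffing(
    lines: Iterable[str],
    window: timedelta = timedelta(seconds=60),
    min_distinct_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> Dict[str, Dict[str, int]]:
    """Flag source IPs that try many different usernames with mostly failures
    inside a sliding time window. Returns ip -> stats of the first window that trips."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, ok = parsed
            by_ip[ip].append((ts, user, ok))

    flagged: Dict[str, Dict[str, int]] = {}
    for ip, events in by_ip.items():
        events.sort()
        j = 0
        for i in range(len(events)):
            # advance j so events[i:j] holds everything within `window` of events[i]
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            chunk = events[i:j]
            distinct = {user for _, user, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(distinct) >= min_distinct_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(distinct),
                    "failures": fails,
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"credential stuffing suspected from {ip}: {stats}")
```

The single-user-many-failures case (198.51.100.7) is deliberately not flagged: that is a person mistyping, and locking them out is the false positive that makes users hate 2FA. The heuristic does miss stuffing spread thinly across thousands of IPs, which is why services layer per-username velocity checks and bot scoring on top of per-IP counts.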

And, just like reCAPTCHA v3, reCAPTCHA Enterprise can tell the difference between bots and humans without forcing users to jump through hoops – no ticking of boxes, no tedious visual puzzles that force you to check all the boxes with a bus or crosswalk in them.

Google’s also been proactively checking lists of breached passwords when users supply a password for their Nest accounts, to see if the password has been exposed in credential breaches outside of Google – a tactic it had already been using for months on its browser via a Chrome extension. It’s one way to keep users from committing the all too common security sin of reusing passwords.
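
One way a breached-password check can be done without ever sending the password, or even its full hash, to the service that holds the breach list, as an added example that is not Google's or Chrome's implementation: the client hashes the candidate password, sends only the first five hex characters of the SHA-1, receives every hash suffix in that bucket, and does the final comparison locally. This is the range-query design used by the Pwned Passwords API at haveibeenpwned.com (mentioned further down this article); the breach corpus and its counts below are constructed for the demo, and the in-process `range_query` stands in for the remote endpoint.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed breach corpus for the demo (NOT real breach data): password -> times seen.
CONSTRUCTED_BREACHED = {"password": 3, "123456": 12, "qwerty": 7, "letmein": 2}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- simulated server side: the corpus indexed by the first 5 hex chars of each hash ---
_INDEX: Dict[str, Dict[str, int]] = defaultdict(dict)
for _pw, _count in CONSTRUCTED_BREACHED.items():
    _h = sha1_hex(_pw)
    _INDEX[_h[:5]][_h[5:]] = _count

SERVER_LOG: List[str] = []  # everything the server receives, to show the privacy property


def range_query(prefix: str) -> Dict[str, int]:
    """Stand-in for the remote endpoint: return every (suffix -> count) in the
    bucket for `prefix`. The server sees a 5-character prefix, never a password."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    SERVER_LOG.append(prefix)
    return dict(_INDEX.get(prefix, {}))


# --- client side ---
def breach_count(
    password: str, query: Callable[[str], Dict[str, int]] = range_query
) -> int:
    """How many times the password appeared in breaches; the full hash stays local."""
    h = sha1_hex(password)
    return query(h[:5]).get(h[5:], 0)


def acceptable_new_password(password: str) -> bool:
    """Policy hook for a signup or reset form: refuse anything seen in a breach."""
    return breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase 8f3k"):
        print(candidate, "->", breach_count(candidate), "breach appearances")
    print("server only ever saw:", SERVER_LOG)
```

The bucket the server returns contains hundreds of unrelated suffixes in a real corpus, so the five-character prefix alone does not tell the service which password was checked; that k-anonymity is what makes it acceptable to run this check on every password a user types.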

Google says it’s also proactively resetting accounts when it detects suspicious activity. It is also issuing automatic updates, disallowing default or easy-to-guess device passwords, and performing verified boot: a way to ensure that all executed code comes from a trusted source (usually device OEMs), rather than from an attacker or code corruption.

Best practices to secure Nest devices

Finally, Google provided this list of security best practices for your Nest products:

  • Migrating to a Google account gets you more security features, and it lets you integrate the products so you can issue “OK, Google” commands to your Nest devices, such as telling Google to turn up the heat.
  • Enable 2FA whenever possible. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more:
  • If you have multiple people in your non-migrated Nest household who need access to your Nest devices, create a Family account so you don’t need to share your personal credentials with anyone. Remind them to sign up for 2FA, too.
  • Don’t reuse passwords. Ask people you’ve added to your devices to do the same.
  • Don’t try to memorise passwords. Instead, use a password manager, like the one offered in the Chrome browser. Password managers store your passwords securely, and some even generate complicated passwords for you. They’re certainly not perfect, as multiple glitches have made clear. Still, we recommend using them, given that whatever issues have turned up are still heavily outweighed by the known advantages of using one. At any rate, the issues get tidied up through updates.
  • Check on whether your passwords or accounts have been compromised using the new tool offered by Chrome; another great tool is haveibeenpwned.com.
  • Avoid clicking on suspicious-looking emails, and never provide personal information when senders hit you up for it.
