CHICAGO — Arjun and Jessica Sud routinely use a baby monitor to keep tabs on their 7-month-old’s bedroom. Last month, they heard something chilling through the monitor: A deep male voice was speaking to their child.
“Immediately I barge into the room because I’m like, ‘Oh my God, maybe someone got in there,’” said Arjun Sud, 29. “The moment I walk in, it’s quiet.”
The couple grabbed their son, now fully awake, and headed downstairs. When they passed their Nest thermostat, normally set around 72 degrees, they noticed it had been turned up to 90. Then, the voice was back, coming through the speaker in a downstairs security camera. And this time, it was talking to them.
The voice was rude and vulgar, using the n-word and cursing, he said. At first, he yelled back. But then, Sud composed himself and stared into the camera.
“He was like, ‘Why are you looking at me? I see you watching me,’” Sud said. “That’s when I started to question him back.”
The Lake Barrington, Ill., family’s Nest cameras and thermostat had been hacked.
“I felt like I (was) trapped in an episode of ‘Black Mirror,’” Arjun Sud said, referring to a television series that explores the darker aspects of technology. “All these devices you’ve put in there to safeguard yourself, to protect your home, your family, (are) now being used maliciously to turn against you.”
Nest users across the country have reported similar incidents in recent weeks, but the Google-owned company has insisted that it was not breached. Instead, Nest has said that affected customers could have done more to protect their devices. And on Wednesday, Nest sent an email to users telling them what they can do to “get the most out of” its security features.
In an interview with the Tribune, Google spokeswoman Nicol Addison said the company automatically rolls out updates to its software and stays on top of security and safety measures. Addison declined to comment on specific hacking incidents.
The smart home devices Americans are increasingly installing — which connect to the Internet and can be controlled and monitored remotely via smartphone app — are ushering in unprecedented convenience for homeowners on the go, but they also represent one of the new frontiers when it comes to internet hacking.
There are no firm numbers about the number of smart devices that have been hacked, but experts expect the problem to grow along with the proliferation of smart devices, which include speakers like Google Home and Amazon Echo, thermostats, doorbells and other household devices. Twenty-five billion connected devices are expected to be in use by 2021, up from 14.2 billion this year, according to research company Gartner.
No single organization appears to be monitoring or regulating smart device hackings, but growing use of the technology raises questions about whether that may become necessary.
Experts say it’s vital for homeowners to create strong and unique passwords for their smart devices. But they also say manufacturers aren’t doing enough to secure the products they sell to the public.
“These gizmos are being manufactured at a crazy rate, yet they’re not being secured,” said Christian Vezina, chief information security officer at Chicago-based mobile security company OneSpan. Anything that gets exposed to the internet is subject to being hacked, he said.
“Families and individuals everywhere need to recognize that and say, ‘OK, what can happen if someone gets a hold of your connected device? What’s the worst case?’ The one that we saw is a pretty frightening case,” Vezina said.
Designed for convenience
One reason smart home devices may be vulnerable to hacking is that they are often developed by vendors who know how to manufacture a standard appliance, but aren’t as well-versed in how to securely connect it to the internet, said Karl Sigler, threat intelligence manager at SpiderLabs, a team of ethical hackers at the Chicago-based cybersecurity company Trustwave.
The devices are also developed with convenience in mind, and manufacturers are sensitive about security steps that consumers may interpret as frustrating or a hassle, Sigler said.
And because the devices are used within the intimate confines of the home, some consumers fail to grasp the ramifications of not adequately securing them.
Most people aren’t yet thinking of these devices as something that needs protected the same way laptops or smartphones do, Sigler said.
“If you’re thinking about your smart toaster, you might not think it’s an issue … Who wants to hack your smart toaster? Until someone does,” and it starts a fire, Sigler said. “You don’t really think your refrigerator is important until somebody turns it off and your food spoils overnight.”
Cyber criminals usually gain access to connected devices through a weak password or a vulnerability in the device itself, such as how it’s programmed or how it connects to the internet, Sigler said.
When someone hacks into just one connected device, they’re usually looking for a point of entry into the network, said John Grimm, senior director of strategy and business development at cybersecurity company nCipher Security, which has headquarters in Florida and England. He pointed to an incident in which a Las Vegas casino’s high-roller database was accessed through a smart thermometer in a fish tank.
“Once you’re on the network using those devices, what else can you get to?” Grimm said.
The rise of connected homes can also be tracked through usage of smart speakers, such as Amazon Echo and Google Home. The number of smart speakers installed in U.S. homes increased from 36 million in December 2017 to 66 million in December 2018, according to data from Chicago-based Consumer Intelligence Research Partners. The majority of smart speaker owners use them to stream music or ask questions, but roughly 40 percent depend on the speakers to help control their connected homes.
A proactive approach
Smart home hacking incidents are often reported to local police departments or sheriff’s offices. The FBI’s Internet Crime Complaint Center also handles internet-based crimes.
As these types of hacking incidents continue to rise, so too might a debate surrounding regulation of smart device security. Consumers have grown more aware of their internet privacy in the wake of news last year that political consulting firm Cambridge Analytica used ill-gotten Facebook data in an effort to influence voter behavior. In the months since, a debate over how and if the government should regulate social media has raged, and Facebook CEO Mark Zuckerberg has testified before Congress. With smart devices, too, experts say the public could end up calling for more oversight.
The Lake County Sheriff’s Office in Illinois, which is investigating the situation that unfolded at the Sud’s home last month, recommends that people change the factory-set passwords that come on their devices.
Users should also make sure the software on their devices is regularly updated, so it has the latest security patches. Experts say not to wait for the company to push through an update, because some don’t.
It can be hard for homeowners to notice when a smart device has been compromised. Sometimes, the device is just slower, unresponsive or reboots without notice.
Consumers should also keep an eye on the IP addresses that are accessing their smart home devices. Each computer that accesses a device has a unique numerical label that should appear on the log.
If people don’t know how to do that, they should contact the device manufacturer and ask whether that data can be recorded and how they can view it, said Sgt. Chris Covelli, spokesman for the Lake County Sheriff’s Office.
Sud said he contacted Nest about getting a copy of a log tracking who had accessed his devices, but was told that was not available.
Terrified and angry
The Lake Barrington family isn’t the only household with a Nest system to be hacked recently.
Around the same time the Suds heard a stranger talking to their baby, a warning claiming to be from Civil Defense blared out of a speaker on a Nest camera in a California family’s living room. It said three ballistic missiles were aimed at Los Angeles, Chicago and Ohio, and that President Donald Trump had been taken to a secure facility.
The California family called Nest and 911 to confirm there was no danger as their child hid under the living room rug in fear of an impending missile.
In December, a Houston family reported hearing a voice saying sexual expletives through a baby monitor in their infant’s room. When they turned on the lights, the Nest camera in the room activated. A voice told them to turn off the lights and threatened to kidnap the baby.
Nest said affected customers were reusing passwords that had been compromised on other sites and encouraged users to make sure their routers and home networks are updated. The company also suggests using two-factor verification on their devices. Two-factor verification, which Nest has offered since March 2017, usually requires a code delivered through text message in addition to a username and password.
The extra layer of security in the log-in process “eliminates this type of security risk,” according to the statement from Nest. The company is also working on software updates that will reject compromised passwords and let users monitor access to their accounts. Separately, Google launched a Chrome extension that will prompt users to change their password if it appears to have been compromised.
Sud said he checked his records and could not find a notification from Nest alerting him to the two-factor authentication option.
Sud said he felt terrified and then angry that day in January, when he and his wife heard the disembodied voice coming over their Nest speaker. Mostly, he felt violated.
Sud asked the stranger who and where he was. Now, Sud wonders how long he had been watching them.
When Sud contacted Nest after the hack, he said he was told the incident occurred because he used a compromised password. Still, he felt the company could have done more to help protect the devices.
There was “zero accountability,” Sud said.
As soon as the voice stopped talking to them, Sud and his wife started unplugging the Nest cameras inside their home. The family had 17 Nest devices hooked up, which they also used to monitor the outside of their house and keep an eye on their dogs while they traveled. Sud said he hopes to return the roughly $4,000 worth of equipment to the company.
“I’m very, very upset,” he said. “I hope that with more eyes on my experience, this saves somebody else from going through the same terrifying experience.”