Imagine watching a football game on TV when your Sunday afternoon is ruined by a detailed warning being blasted out about “three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago and Ohio.” Except the emergency warning did not affect the TV – the football game kept going, and CNN and other news stations didn’t mention it at all. That’s when a Bay Area family realized the warning came from the Nest security camera sitting on their TV. They hadn’t even realized their Wi-Fi connected Nest camera had a speaker or a microphone.

Regarding the nuclear attack warning, Laura Lyons told The Mercury News:

“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate,” Lyons said Monday. “It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”

Eventually, Nest told the Lyons a hacker had likely gained access to their camera thanks to credentials harvested from a third-party data breach. Google, which owns Nest, claimed the camera hijackings are due to customers using compromised passwords and that using two-factor verification would eliminate the security risk in “nearly all cases.”

The Lyons family was the first known victim of an imminent nuclear attack warning coming from a hacked Nest camera, but there have been plenty of other scary hoaxed threats coming from hijacked IoT devices. The Lyons, who had no idea this was an actual thing, believe Nest has “a responsibility to let customers know if that is happening. I want to let other people know this can happen to them.”

Other cybersecurity news

Bomb threat and sextortion spammers abuse GoDaddy authentication weakness

Speaking of fake but frightening warnings, Brian Krebs reported that the attackers behind the bomb threat emails sent in December — as well as those behind sextortion spam — abused an authentication weakness at GoDaddy to hijack more than 5,000 domains. The majority of the “domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies.”
