Couples Nest Security Hacked
-
@JaredBusch said in Couples Nest Security Hacked:
The implementation in the thread title that Nest messed up is the problem.
but as every thread on ML that I have ever seen, It has turned different ways into different products within IT that could cause the issue : you even showed a website that allows people to view practically anything on the internet from my understanding.
-
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
That's what he is saying, but it makes no sense. Yes, that is technically a way that COULD BE a vulnerability, if it existed, which there is no way that it does. That's insane. It's like claiming that the company you bought you door lock from included a button that just opens the door and bypasses the lock. COULD they do that? Of course. Did they? Of course not.
Nest is not in the business of making random, public webcam sites for people. This is not that kind of device, nor from that era. It most certainly does not tell your router to expose your house to the public just for fun. The implication of the statement was absurd.
Yes, there are devices that use that technology and that technology exists for a reason, but this isn't it. And implying that Nest would do that doesn't make any sense.
Nest might suck, I sure don't buy their stuff, but not liking them is not the same as thinking that they and everyone involved with their ecosystem and customers are insane.
-
Original news article: https://www.nbcchicago.com/on-air/as-seen-on/lake-barrington-smarthome-hacker-505120312.html
I caught this on the original live broadcast and just shook my head at the stupid of the reporting.
-
@DustinB3403 said in Couples Nest Security Hacked:
How you get in doesn't matter, since you legally aren't welcome there.
You aren't welcome in my house, you aren't welcome to watch my security cameras.
It's B and E at a minimum via hacking.
Actually, in the UPnP case, it does matter. What he's claiming is that it was or could have been a publicly published service where it is totally legal to just use it - like a public web page. If you leave the door open and provide an open service, you are not hacking, but welcome to use it.
-
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
More like... some, mostly really old, shitty consumer stuff in a different product category. Mostly things that are meant to do that. Might still be a bad idea, but it is typically what they are intended to do - to be published to the outside.
-
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
How you get in doesn't matter, since you legally aren't welcome there.
You aren't welcome in my house, you aren't welcome to watch my security cameras.
It's B and E at a minimum via hacking.
Actually, in the UPnP case, it does matter. What he's claiming is that it was or could have been a publicly published service where it is totally legal to just use it - like a public web page. If you leave the door open and provide an open service, you are not hacking, but welcome to use it.
I wasn't considering the UPnP scenario. But yeah absolutely.
-
@DustinB3403 said in Couples Nest Security Hacked:
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
How you get in doesn't matter, since you legally aren't welcome there.
You aren't welcome in my house, you aren't welcome to watch my security cameras.
It's B and E at a minimum via hacking.
Actually, in the UPnP case, it does matter. What he's claiming is that it was or could have been a publicly published service where it is totally legal to just use it - like a public web page. If you leave the door open and provide an open service, you are not hacking, but welcome to use it.
I wasn't considering the UPnP scenario. But yeah absolutely.
Now if it is UPnP & has a password that they cracked, then certainly that's different.
-
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because it makes things ridiculously easy for really dumb consumers. And for a lot of consumers, easy trumps secure.
-
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
Exactly. And people eat it up.
-
@scottalanmiller said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because it makes things ridiculously easy for really dumb consumers. And for a lot of consumers, easy trumps secure.
I've noticed that as well.
-
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
How you get in doesn't matter, since you legally aren't welcome there.
You aren't welcome in my house, you aren't welcome to watch my security cameras.
It's B and E at a minimum via hacking.
Actually, in the UPnP case, it does matter. What he's claiming is that it was or could have been a publicly published service where it is totally legal to just use it - like a public web page. If you leave the door open and provide an open service, you are not hacking, but welcome to use it.
I wasn't considering the UPnP scenario. But yeah absolutely.
Now if it is UPnP & has a password that they "cracked", then certainly that's different.
FTFY since we know that a lot of these systems come with default passwords, like PASSWORD and it never gets changed.
-
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
which also means that anyone with half a brain incyber security can get into your cameras just as well. ...
Don't even need that much. The feed is literally just sitting out on the open internet waiting for anyone to go to a self hosted webpage to view.
Exactly. Its' like a billboard, but on a back road. Public, but not in your face.
-
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
which also means that anyone with half a brain in cyber security can get into your cameras just as well. ...
Don't even need that much. The feed is literally just sitting out on the open internet waiting for anyone to go to a self hosted webpage to view.
/sigh
that's ridiculous.Not really what is ridiculous is that there is no authentication mechanism in place. That is the fault of the maker
Okay, fair enough.
So when I think of accessing cameras anywhere i start thinking of "Ring" doorbells, Similar situation here?There definitely could be, but I do not believe that the ring video doorbell uses there definitely could be, but I do not believe that the ring video doorbell uses P UPNP To open any ports on your firewall.
No real security devices open ports on your firewall UPnP or otherwise. Not how things work. Nothing "real" does that.
-
It's the "viewing it without permission when it was secured" that is the issue. The fact that bad security was used doesn't really matter.
If the default password was on this device, and the hacker used that password to get into the camera to see what was going on it's still B and E.
But if it's like the billboard, well its a public service at that point. The people are asking to be seen essentially. Reverse voyeurism.
-
@DustinB3403 said in Couples Nest Security Hacked:
It's the "viewing it without permission when it was secured" that is the issue. The fact that bad security was used doesn't really matter.
If the default password was on this device, and the hacker used that password to get into the camera to see what was going on it's still B and E.
But if it's like the billboard, well its a public service at that point. The people are asking to be seen essentially. Reverse voyeurism.
No, default passwords can be seen as an exception. Not always, but sometimes. The same as "you can't disable it, so you set it as close to no password as possible to make it effectively public."
-
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
which also means that anyone with half a brain incyber security can get into your cameras just as well. ...
Don't even need that much. The feed is literally just sitting out on the open internet waiting for anyone to go to a self hosted webpage to view.
Exactly. Its' like a billboard, but on a back road. Public, but not in your face.
What would the use of UPnP be then?
Where would that come into play? -
In the old FTP days, you'd put in your own email address as a password. That was considered public. If you make zero attempt to secure, you struggle to claim someone broke in.
-
@WrCombs said in Couples Nest Security Hacked:
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
which also means that anyone with half a brain incyber security can get into your cameras just as well. ...
Don't even need that much. The feed is literally just sitting out on the open internet waiting for anyone to go to a self hosted webpage to view.
Exactly. Its' like a billboard, but on a back road. Public, but not in your face.
What would the use of UPnP be then?
Where would that come into play?shitty consumer gear where the goal is to sell "easy to use equipment".
-
@WrCombs said in Couples Nest Security Hacked:
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
which also means that anyone with half a brain incyber security can get into your cameras just as well. ...
Don't even need that much. The feed is literally just sitting out on the open internet waiting for anyone to go to a self hosted webpage to view.
Exactly. Its' like a billboard, but on a back road. Public, but not in your face.
What would the use of UPnP be then?
Where would that come into play?UPnP is for consumer things only, mostly things like video game systems that need to open ports specifically for gaming. UPnP is mostly useless since no good networking devices support it. Put something as simple as a UBNT router in your house and UPnP is dead in the water. It was popular for a small time in the late 2000s when people were really getting into having networked gear in their homes, but hosted services were not yet common, and no one knew anything about networking.
All of those factors have changed and today it has no real use case and you never really see it.
-
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
It's the "viewing it without permission when it was secured" that is the issue. The fact that bad security was used doesn't really matter.
If the default password was on this device, and the hacker used that password to get into the camera to see what was going on it's still B and E.
But if it's like the billboard, well its a public service at that point. The people are asking to be seen essentially. Reverse voyeurism.
No, default passwords can be seen as an exception. Not always, but sometimes. The same as "you can't disable it, so you set it as close to no password as possible to make it effectively public."
Only if the person is prompted to change the password and they don't. I know of many scenarios where you're constantly asked to change the default password but are given the option "not now".
That is the same as using bad security. It's still an invasion to break in with the default password. And is thus still hacking.