Couples Nest Security Hacked
-
@Dashrender said in Couples Nest Security Hacked:
@coliver said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
Is that possible with Nest?
With nest I don’t know with others absolutely
Sure, but this is a Nest thread. Very unlikely it would use UPnP or be exposed in that way. Doesn't make sense to just inject that unless you know that that is a vulnerability with the specific product at hand.
-
@scottalanmiller said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
Technically speaking the person who "hacked" into this system can still be brought up on charges of "hacking". Regardless of the insecure passwords and failure to use 2FA.
Im not very hype on the laws of hacking. But that doesnt surprise, at the very least they were maliciously taking over someone elses property. That's technically theft (?)
No, it wasn't stolen. That's different. This was hacking.
I understand that, I got the two confused.
It's more like a hijacking / breaking and entering for sure. -
@scottalanmiller said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
which also means that anyone with half a brain in cyber security can get into your cameras just as well. ...
Don't even need that much. The feed is literally just sitting out on the open internet waiting for anyone to go to a self hosted webpage to view.
/sigh
that's ridiculous.Not really what is ridiculous is that there is no authentication mechanism in place. That is the fault of the maker
But there is, even two factor!
I think this was in regards to UPnP
Not Nest directly. -
The implication in the thread title that Nest messed up is the problem.
-
@JaredBusch said in Couples Nest Security Hacked:
The implementation in the thread title that Nest messed up is the problem.
but as every thread on ML that I have ever seen, It has turned different ways into different products within IT that could cause the issue : you even showed a website that allows people to view practically anything on the internet from my understanding.
-
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
That's what he is saying, but it makes no sense. Yes, that is technically a way that COULD BE a vulnerability, if it existed, which there is no way that it does. That's insane. It's like claiming that the company you bought you door lock from included a button that just opens the door and bypasses the lock. COULD they do that? Of course. Did they? Of course not.
Nest is not in the business of making random, public webcam sites for people. This is not that kind of device, nor from that era. It most certainly does not tell your router to expose your house to the public just for fun. The implication of the statement was absurd.
Yes, there are devices that use that technology and that technology exists for a reason, but this isn't it. And implying that Nest would do that doesn't make any sense.
Nest might suck, I sure don't buy their stuff, but not liking them is not the same as thinking that they and everyone involved with their ecosystem and customers are insane.
-
Original news article: https://www.nbcchicago.com/on-air/as-seen-on/lake-barrington-smarthome-hacker-505120312.html
I caught this on the original live broadcast and just shook my head at the stupid of the reporting.
-
@DustinB3403 said in Couples Nest Security Hacked:
How you get in doesn't matter, since you legally aren't welcome there.
You aren't welcome in my house, you aren't welcome to watch my security cameras.
It's B and E at a minimum via hacking.
Actually, in the UPnP case, it does matter. What he's claiming is that it was or could have been a publicly published service where it is totally legal to just use it - like a public web page. If you leave the door open and provide an open service, you are not hacking, but welcome to use it.
-
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
More like... some, mostly really old, shitty consumer stuff in a different product category. Mostly things that are meant to do that. Might still be a bad idea, but it is typically what they are intended to do - to be published to the outside.
-
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
How you get in doesn't matter, since you legally aren't welcome there.
You aren't welcome in my house, you aren't welcome to watch my security cameras.
It's B and E at a minimum via hacking.
Actually, in the UPnP case, it does matter. What he's claiming is that it was or could have been a publicly published service where it is totally legal to just use it - like a public web page. If you leave the door open and provide an open service, you are not hacking, but welcome to use it.
I wasn't considering the UPnP scenario. But yeah absolutely.
-
@DustinB3403 said in Couples Nest Security Hacked:
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
How you get in doesn't matter, since you legally aren't welcome there.
You aren't welcome in my house, you aren't welcome to watch my security cameras.
It's B and E at a minimum via hacking.
Actually, in the UPnP case, it does matter. What he's claiming is that it was or could have been a publicly published service where it is totally legal to just use it - like a public web page. If you leave the door open and provide an open service, you are not hacking, but welcome to use it.
I wasn't considering the UPnP scenario. But yeah absolutely.
Now if it is UPnP & has a password that they cracked, then certainly that's different.
-
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because it makes things ridiculously easy for really dumb consumers. And for a lot of consumers, easy trumps secure.
-
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
Exactly. And people eat it up.
-
@scottalanmiller said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because it makes things ridiculously easy for really dumb consumers. And for a lot of consumers, easy trumps secure.
I've noticed that as well.
-
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
How you get in doesn't matter, since you legally aren't welcome there.
You aren't welcome in my house, you aren't welcome to watch my security cameras.
It's B and E at a minimum via hacking.
Actually, in the UPnP case, it does matter. What he's claiming is that it was or could have been a publicly published service where it is totally legal to just use it - like a public web page. If you leave the door open and provide an open service, you are not hacking, but welcome to use it.
I wasn't considering the UPnP scenario. But yeah absolutely.
Now if it is UPnP & has a password that they "cracked", then certainly that's different.
FTFY since we know that a lot of these systems come with default passwords, like PASSWORD and it never gets changed.
-
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
which also means that anyone with half a brain incyber security can get into your cameras just as well. ...
Don't even need that much. The feed is literally just sitting out on the open internet waiting for anyone to go to a self hosted webpage to view.
Exactly. Its' like a billboard, but on a back road. Public, but not in your face.
-
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
which also means that anyone with half a brain in cyber security can get into your cameras just as well. ...
Don't even need that much. The feed is literally just sitting out on the open internet waiting for anyone to go to a self hosted webpage to view.
/sigh
that's ridiculous.Not really what is ridiculous is that there is no authentication mechanism in place. That is the fault of the maker
Okay, fair enough.
So when I think of accessing cameras anywhere i start thinking of "Ring" doorbells, Similar situation here?There definitely could be, but I do not believe that the ring video doorbell uses there definitely could be, but I do not believe that the ring video doorbell uses P UPNP To open any ports on your firewall.
No real security devices open ports on your firewall UPnP or otherwise. Not how things work. Nothing "real" does that.
-
It's the "viewing it without permission when it was secured" that is the issue. The fact that bad security was used doesn't really matter.
If the default password was on this device, and the hacker used that password to get into the camera to see what was going on it's still B and E.
But if it's like the billboard, well its a public service at that point. The people are asking to be seen essentially. Reverse voyeurism.
-
@DustinB3403 said in Couples Nest Security Hacked:
It's the "viewing it without permission when it was secured" that is the issue. The fact that bad security was used doesn't really matter.
If the default password was on this device, and the hacker used that password to get into the camera to see what was going on it's still B and E.
But if it's like the billboard, well its a public service at that point. The people are asking to be seen essentially. Reverse voyeurism.
No, default passwords can be seen as an exception. Not always, but sometimes. The same as "you can't disable it, so you set it as close to no password as possible to make it effectively public."
-
@scottalanmiller said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@DustinB3403 said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
@WrCombs said in Couples Nest Security Hacked:
@Dashrender said in Couples Nest Security Hacked:
The homeowner could have also had UPNP enabled in their firewall allowing the hackers to gain direct access
So you're saying that potentially their router had UPnP enabled and from there opened the port to the camera\security system?
(sorry for the noob-ish question, Never heard of that until google told me what it was.)
Yep tons of shitty consumer stuff does that
but for why?
Because they are there to sell shitty consumer cameras "accessible from anywhere in the world".
Via an RTSP feed directly from the device. . .
which also means that anyone with half a brain incyber security can get into your cameras just as well. ...
Don't even need that much. The feed is literally just sitting out on the open internet waiting for anyone to go to a self hosted webpage to view.
Exactly. Its' like a billboard, but on a back road. Public, but not in your face.
What would the use of UPnP be then?
Where would that come into play?
