For the past several months, Nest has been plagued with stories about its cameras getting “hacked.” The underlying issue is bad password management and reuse, with Google encouraging 2FA and actively resetting compromised passwords. A new report today reveals that Nest accounts could eventually use Google log-ins.
The Washington Post today reported on these incidents, which can be traced to hackers finding compromised passwords from other services and successfully using them to log into Nest accounts due to credential reuse by end users. Once accessed, there is a long history of the smart devices being used for inane, profane, and inappropriate behavior.
Google has told Nest customers to enable two-factor authentication, where a six-digit PIN code is texted to a user’s phone and has to be entered before proceeding with the sign-in. For those that don’t enable 2FA, Nest.com has other security measures in place.
These include seeking out compromised credentials in order to email Nest users that are vulnerable, while blocking mass log-in attempts that are fraudulent. Despite this, some users still had their accounts maliciously accessed. Google in the report today said that “only a small percentage of its millions of customers are vulnerable to this type of attack.”
Regardless, Nest protections pale in comparison to Google Account log-in as the backends have ultimately been different and separated since Nest was acquired by Google, moved to Alphabet, and finally integrated into the hardware division last year. This was due to the desire to keep private smart home products separate from the Google brand. There is also an attempt to balance ease of use and security.
In fact, the Washington Post reports that “Google is in the process of converting Nest user accounts so that they utilize Google’s security methods via Google’s log-in, in part to deal with the problem.” The article today only cites “people familiar with the matter,” but this should be a vast improvement.
In terms of ease of use, this streamlines what credentials users need to remember. Meanwhile, Google and Nest would not have to maintain and constantly secure two different infrastructures.
What this implementation looks like is still unclear, and it’s unknown when it will become available. Presumably, the brand and Nest.com will remain given that the Google Home Hub will likely be rebranded to the Google Nest Hub, while a Nest Hub Max is rumored. This move to integrate log-ins could be a part of this closer integration with Made by Google.