“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate,” Lyons told the Mercury News on Monday. “It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”
The child, hiding under a living room rug, asked: “Mommy, is there a missile coming?”
The Lyonses would quickly learn that missiles were not coming. As the family stood petrified in their living room, they realized that no news stations were reporting the supposed threat. Closer examination revealed the blaring sound was coming from their Nest home security camera — located on top of their television.
Calls to 911 and Nest confirmed there was no danger. Instead, a Nest supervisor explained to the family they were probably victims of a “third-party hack,” granting someone access to their cameras and its speakers through a compromised password.
Google, which owns Nest, told the Mercury News that Nest was not breached.
“These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of the security risk,” Nest said in an email statement to the Mercury News. The firm said it is “actively introducing features” that will reject compromised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.
Lyons told the newspaper she didn’t know the camera had speakers and a microphone — features they immediately disabled after the false warning. They had installed the device for security purposes a few years ago, she said.
“They have a responsibility to let customers know if that is happening,” she said. “I want to let other people know this can happen to them.”
In December, a Houston family reported hearing a stranger’s voice spewing “sexual expletives” through a baby monitor in their infant’s room. When the family turned on the lights, however, their Nest security camera activated, and the voice told them to turn the lights back off before threatening to kidnap the baby.
At the time, a Nest representative told The Washington Post that they urged all customers to use strong passwords and two-factor verification to prevent such incidents — a step the Lyonses took after their apparent hack.
Nest told The Post then that it was preventing customers from using passwords that appeared on “known compromised lists.” As the Mercury News notes, a massive data breach took place last week compromising 773 million emails and 21 million passwords. Websites such as haveibeenpwned.com allow users to see whether their emails and passwords have been exposed.
“I am so sad and ANGRY, but also insanely grateful that it was a hoax!!” Lyons wrote in a Facebook post describing the false warning on Sunday, the newspaper reported.