A hacker was able to speak through and watch people through their Nest home security cameras by taking over their Nest accounts with username and password combinations leaked in other breaches, rather than by exploiting a flaw in the cameras themselves. Once logged in, he was able to see what the camera sees, speak through its speakers, and access any part of the user’s account.
This hacker then demanded that his targets subscribe to the YouTuber PewDiePie—and prove it, while he watched. The hack is reminiscent of the printers that started flinging sheets of paper with ASCII brofists and the smart TVs that were possessed to play a video out of their owners’ control, all in the name of getting the hacked parties to subscribe to PewDiePie.
The hacker, who goes by the pseudonym SydeFX, told me in an email that he was able to find around 300 exposed cameras within a matter of minutes, and over the course of 15 hours, he said he accessed and spoke through dozens of cameras. To date, he said he’s been able to get successful login combinations for around 4,000 unique Nest user accounts.
“This is very dangerous,” he said.
In one video shared with Motherboard and posted publicly on Reddit, you can see a teenager following directions from SydeFX, who is speaking through the camera and watching them. The hacker tells the teen to subscribe to PewDiePie and show him the proof that he did it (or was already subscribed to PewDiePie), by holding his phone to the Nest camera. The hacker then plays music through the Nest cam, which the teen floss dances to. Motherboard has blurred the video to protect the identity of the victim.
Another video sent to Motherboard but not shared publicly shows two young women—who seem very confused about what’s happening—as SydeFX directs them to subscribe, too.
These attacks were done through credential stuffing, SydeFX told me. This is a method where hackers recycle username and password pairs exposed in other breaches and try them, in bulk, against the login of an unrelated service—here, Nest accounts—counting on people having reused the same password. He said he ran multiple leaked password databases through “cracker” software—in this context not a tool that breaks password hashes, but one that automatically submits each leaked email and password pair to a login endpoint and records which ones work—made specifically for Nest. He wasn’t targeting specific individuals; the tool simply surfaced whichever accounts the leaked credentials happened to unlock.
He confirmed this process with another video of the cracker working, which Motherboard has viewed. In the video, you can see the targets’ home addresses, email addresses, full names and phone numbers. Nest login doesn’t require two-factor authentication (Motherboard tested this by making an account), so a reused password alone is enough to take over an account.
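The footprint credential stuffing leaves on the server side is distinctive: one source tries many different accounts in a short window, each with a single password, and gets a small but non-zero number of successes. The script below is an added example, not code from Nest or from SydeFX; it runs a simple sliding-window detector over a handful of constructed authentication log lines (the log format, the IP addresses, the account names and the thresholds are all assumptions) and separates the stuffing source from a single-account brute force and from an ordinary login.

```python
"""
Credential-stuffing detection over authentication logs (added example).

Credential stuffing is not brute force: the attacker tries one leaked
password against each of many accounts, rather than many passwords
against one account. Per source IP that shows up as a large number of
DISTINCT accounts attempted in a short window with a low success rate.

Assumptions (not Nest's real logging): one event per line, formatted
    <ISO timestamp> <source ip> <account email> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not real data. 198.51.100.7 behaves like the
# stuffing tool described in the article (12 accounts in six seconds,
# two hits); 203.0.113.9 hammers one account (brute force, not
# stuffing); 192.0.2.44 is an ordinary successful login.
SAMPLE_LOG = """\
2019-01-02T10:00:01 198.51.100.7 alice@example.com LOGIN_FAIL
2019-01-02T10:00:02 198.51.100.7 bob@example.com LOGIN_FAIL
2019-01-02T10:00:02 198.51.100.7 carol@example.com LOGIN_OK
2019-01-02T10:00:03 198.51.100.7 dave@example.com LOGIN_FAIL
2019-01-02T10:00:03 198.51.100.7 erin@example.com LOGIN_FAIL
2019-01-02T10:00:04 198.51.100.7 frank@example.com LOGIN_OK
2019-01-02T10:00:04 198.51.100.7 grace@example.com LOGIN_FAIL
2019-01-02T10:00:05 198.51.100.7 heidi@example.com LOGIN_FAIL
2019-01-02T10:00:05 198.51.100.7 ivan@example.com LOGIN_FAIL
2019-01-02T10:00:06 198.51.100.7 judy@example.com LOGIN_FAIL
2019-01-02T10:00:06 198.51.100.7 mallory@example.com LOGIN_FAIL
2019-01-02T10:00:07 198.51.100.7 niaj@example.com LOGIN_FAIL
2019-01-02T10:05:00 203.0.113.9 alice@example.com LOGIN_FAIL
2019-01-02T10:05:20 203.0.113.9 alice@example.com LOGIN_FAIL
2019-01-02T10:05:40 203.0.113.9 alice@example.com LOGIN_OK
2019-01-02T11:30:00 192.0.2.44 bob@example.com LOGIN_OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    account: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, account,
                                 result == "LOGIN_OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=10, max_success_rate=0.5):
    """Flag sources that try >= min_accounts distinct accounts inside
    `window` with a success rate at or below max_success_rate.

    Returns {src_ip: {"accounts": n_distinct, "successes": [accounts]}}.
    The success rate bound keeps a busy NAT gateway full of legitimate
    (mostly successful) logins from being flagged.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(evs)):            # sliding window over time
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e.account for e in span}
            if len(accounts) < min_accounts:
                continue
            successes = sorted({e.account for e in span if e.ok})
            rate = sum(e.ok for e in span) / len(span)
            if rate <= max_success_rate and (best is None or
                                             len(accounts) > best["accounts"]):
                best = {"accounts": len(accounts), "successes": successes}
        if best:
            flagged[ip] = best
    return flagged


def compromised_accounts(flagged):
    """Accounts that a flagged source logged into: these need a forced
    password reset and a session revocation, not just an alert."""
    return sorted({a for hit in flagged.values() for a in hit["successes"]})


if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in hits.items():
        print(f"{ip}: {info['accounts']} accounts tried, "
              f"{len(info['successes'])} taken over")
    print("reset + revoke:", compromised_accounts(hits))
```

Per-IP grouping is only the baseline; a real stuffing run is usually spread across proxies, so the same logic is normally keyed on additional dimensions (ASN, user agent or TLS fingerprint, the fact that every attempt carries exactly one password per account). The more durable fix is the one the article points at: a second factor, so that a password reused from another breach is not sufficient on its own.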
“I’m trying to secure a position as an ethical hacker in the future, so I start finding every vulnerability I can now,” SydeFX told me.
Like the previous PewDiePie-themed hacks, tampering with people’s personal devices without their permission is illegal and can be dangerous—and creepy. And legality aside, the repercussions of calling yourself an amateur “white-hat hacker” while using vulnerabilities in the wild can be serious: HackerGiraffe, the printer hacker, had a breakdown and swore off hacking forever after he was harassed on social media.
I’ve reached out to Nest to comment on their login procedures and this vulnerability, and will update if I hear back.