In early November, 22-year-old Hank Fordham logged into an Arizona man’s Nest security camera from his home in Calgary, Alberta, and started broadcasting his voice, talking to the owner directly and warning him about his insecure device. It wasn’t the first time that Fordham had done this.
In the last year, Fordham says he and his colleagues in the Anonymous Calgary Hivemind—a collective of white hat hackers—have hacked into between five and 10 different smart home security camera accounts and communicated with people on the other end.
Fordham told me in a phone call that his goal in the much-publicized Arizona incident wasn’t to frighten anyone; he simply wanted to warn users that their accounts weren’t as secure as they may have thought.
“The goal was that after enough interaction we would prompt some kind of response from Nest in the form of mitigating the vulnerability,” Fordham said.
I contacted Fordham via the Anonymous Calgary email. Someone responded and said they would put the right person in touch. Shortly after I got an email, Twitter DM, and voicemail all from Fordham. He even recited my initial email to Anonymous Calgary back to me in the voicemail to verify that he got my information from the group.
Fordham told me he gained access through a simple technique known as credential stuffing. When a large-scale data breach happens, such as the Quora leak earlier this month, the database of stolen information—which may include emails and associated passwords—often gets bought and sold across the web. Those lists of emails and passwords can be easily accessed; you don’t even need to go on the dark web.
If you use the same email and password to log in to multiple accounts, a hacker can easily gain access to them just by popping in credentials leaked in a previous breach. There is even software that will automatically try the logins of all the users in a dataset to find which ones work. It makes it an all-too-easy hack to pull off, Fordham warned.
“There are plenty of these tools becoming available even on the clear web,” Fordham said. “It’s not even uncommon now to go on Facebook and find Fortnite cracking groups, with younger people selling Fortnite accounts they’ve received through this exact same method. There are literally kids out there doing this.”
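Seen from the service's side, this kind of automated login testing leaves a recognizable trace: one source trying many different accounts in a short time, most of them failing. The Python sketch below is an added example, not code from the article or from Nest; the log format, thresholds, IP addresses and account names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: ISO timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2018-11-05T10:00:01 203.0.113.7 alice@example.com FAIL
2018-11-05T10:00:03 203.0.113.7 bob@example.com FAIL
2018-11-05T10:00:04 203.0.113.7 carol@example.com OK
2018-11-05T10:00:06 203.0.113.7 dave@example.com FAIL
2018-11-05T10:00:09 203.0.113.7 erin@example.com FAIL
2018-11-05T10:00:11 203.0.113.7 frank@example.com FAIL
2018-11-05T10:02:00 198.51.100.20 gina@example.com FAIL
2018-11-05T10:02:20 198.51.100.20 gina@example.com FAIL
2018-11-05T10:02:45 198.51.100.20 gina@example.com OK
2018-11-05T10:05:00 192.0.2.44 heidi@example.com OK
"""

def parse(log):
    """Yield (timestamp, source_ip, account, succeeded) for each log line."""
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(log, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources that try many *distinct* accounts within one time window.

    Returns {source_ip: sorted accounts that logged in successfully during
    the burst}. Those accounts need a forced password reset, not just an
    IP block, because the reused password is already known to the intruder.
    """
    by_ip = defaultdict(list)
    for event in sorted(parse(log)):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Slide the window forward so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            accounts = {user for _, _, user, _ in burst}
            if len(accounts) >= min_accounts:
                hit = {user for _, _, user, ok in burst if ok}
                findings.setdefault(ip, set()).update(hit)
    return {ip: sorted(users) for ip, users in findings.items()}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

A user who mistypes a password twice before getting it right (the second source in the sample) is not flagged, because the rule counts distinct accounts rather than failed attempts.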
The Arizona call in early November was filmed by the Nest user himself, Phoenix-based realtor Andy Gregg. Gregg then shared the video with a local news source to try to raise awareness about the risks of insecure internet-connected devices. In the video, Fordham’s voice can be heard over the speaker telling Gregg that he was contacting him in the creepiest way possible to warn him.
Motherboard was able to verify that Fordham was the same person who hacked the device through screenshots he shared that included the name of the camera Gregg set up, which we corroborated with Gregg. He also had Gregg’s email address, and Gregg said he had spoken to Fordham over the phone since the incident and is convinced it is the same person.
Gregg told me he has since unplugged his Nest cam altogether and does not plan to use it anymore, even with a different password or two-factor authentication enabled, because he’s too disturbed by the whole experience.
“It was so freaky,” Gregg said. “It was a similar feeling to how I imagine it feels to get robbed, with all your stuff scattered everywhere. I was totally freaked out.”
Fordham told me he recognized how creepy this approach is, and said he and his fellow hackers agonized a bit over whether this was the best way to contact people.
“Usually we would send out mass emails [to alert people], which generally get ignored,” Fordham said. “After talking with a few other users in the Hivemind and discussing that there was nothing being done, so we decided to contact a handful of users.”
It’s a scenario that Fordham is convinced could have been avoided if Nest took some simple precautionary measures, he told me, such as prompting users to set up two-factor authentication (2FA) and to change their reused passwords when they have been compromised in a hack on another site.
Nest has previously sent out emails to users when their password has been detected in a leak, as it did in May this year. Gregg told me he never received such an email.
“Nest has reset all the accounts where customers reused passwords that were previously exposed through breaches on other websites and published publicly,” a Nest spokesperson told me in an email. “For added password security, we’re preventing customers from using passwords which appear on known compromised lists. As before, we encourage all customers to use two-factor verification for added account security, even if your password is compromised.”
But Fordham, who himself is a Nest user, said it’s not really intuitive to set up 2FA for a Nest unit, and it’s clear that not all users are getting the message, as evidenced by the number of accounts Fordham and his fellow hackers at the Calgary Anonymous Hivemind logged into. Fordham told me about one user, a hair salon in Toronto, that also recorded the encounter, though he hasn’t seen the footage shared online yet.
While taking the time to set up basic security and privacy protections can help reduce the risk of this kind of thing happening to you, it’s also a good reminder that big corporations don’t necessarily have your privacy and security top of mind.
Many people take for granted that nobody is peering into their home through their internet-connected cameras, but that’s not an assumption that’s safe to make.