Nest Cameras – Basic Defense In Depth

I’m sure many of you have seen or heard of the recently released viral video showing a young girl being yelled at in her room via her internet connected Nest camera. Obviously, this was on a home network, but it occurred to me that a large amount of commercial entities also have internet connected cameras and some of them are indeed Nest branded.

Fixing the Nest camera issue is actually very simple and just requires the user to turn on two-factor authentication. The guide to set this up can be found here.

The larger underlying issue that companies face is that they may be leveraging several different brands of cameras, thermostats, internet connected printers, refrigerators, among other Internet of Things (IoT) devices. To defend these devices, it is important to remember the concept of “defense in depth”.

Defense in depth essentially removes your reliance on a single point of failure and requires an attacker to overcome several hurdles before any access can be gained. If access is gained, defense in depth makes it very difficult to further exploit the environment.

Below are some quick examples of creating defense in depth with a Nest camera (this would work at home or at the office).

1. Change the default device password
2. Enable enhanced security options on the device (two-factor authentication)
3. Place the device on a network segment that is separate from other types of devices
   1. Primarily separate from phones and workstations as they are most likely to give an attacker a foothold via phishing, etc.
   2. For a home router, see steps 4 and 5
4. Within your firewall, block access to the camera from outside your network
   1. This may seem to remove these camera’s main features, but there are other ways to gain access
   2. For a home router follow this guide
   3. It's easiest to google “Netgear firewall setup”, replacing the word Netgear with whichever brand of router you own
5. Use a VPN solution to allow valid users to gain an internal position
   1. VPN software can be installed on most modern home routers, here is a guide
   2. Once connected to the VPN you can access your camera
6. Further limit which workstations and phones should be able to access the camera using the firewall
   1. Ask yourself, “Should my printers, thermostats, guest computers, and other cameras be able to see the Nest camera?” No!
   2. Create a rule that blocks all connections to the camera except the correct computers

I’ve attempted to lay out these steps in order of their levels of complexity. None of these steps are particularly difficult and you should not feel they are outside your level of expertise. Many home network admins don’t realize the power they have to secure their networks, or they feel it is too difficult. It isn’t! Compass IT Compliance has spent the past decade assisting organizations in securing their networks and IoT devices. Contact us today to learn more about the threats posed by these devices!