Starting spring this year, all users of Google Nest (Google’s subsidiary that sells smart home products) will be required to enroll for two-factor authentication to reduce the likelihood of unauthorized persons gaining access to a Nest account, Google Nest’s head of security announced in a blog post on February 11. MediaNama has reached out to Google seeking clarification on the exact date when the change will be brought into effect and whether this feature will also be available for Nest users in India. The move comes a month after a user of Xiaomi’s Mijia, a smart home security camera, claimed that their Google Nest Hub smart display started showing images from strangers’ cameras.

“Automated attacks like credential stuffing are becoming more common. That’s when stolen information like email addresses and passwords used on other websites are repurposed to gain unauthorized access to an account or device.” – Google Nest said in the blog.

Spring onwards, Google will require all Nest users who have not already enrolled in two-factor authentication or migrated to a Google account to verify their identity via email. This essentially means that simply having a username and a password will not be sufficient for someone to login to an account.

How the 2-factor authentication will work: When a new login into an account will be initiated, users will receive an email from account@nest.com with a six-digit verification code. That code will be used to verify that it’s the genuine account holder trying to login. Without it, the account will be barred from access. Google still encourages users to migrate to their Google accounts as they claim it gives them additional security protections.

Nikhil adds: For now, the two factor authentication might be email based, but in future, it’s likely that Google will have to take a mobile-first approach, including for the setting up of devices in India, where many users are unlikely to have ready or easy access to an email, and where mobile phones and mobile number + OTP might be the preferred means of logging in.

How secure are smart home devices?

Google Nest displaying random images from strangers’ cameras: Last month, a user of Xiaomi’s Mijia, a smart home security camera, claimed that their Google Nest Hub smart display started showing images from strangers’ cameras, including a sleeping baby in a crib. A Google spokesperson had confirmed to MediaNama that the company had disabled Xiaomi’s integration on its devices as a result of this problem. Google did not give reasons behind the issue and did not clarify if this was an isolated instance. Xiaomi told us that “a very small number of users in India were potentially affected by the issue”.

Smart home devices have often been compromised in the past too:

  • In December 2019,  a vulnerability in Wyze’s smart home cameras and devices compromised the data of about 2.4 million customers, including information like usernames, email addresses, camera nicknames, device models, firmware information, Wi-Fi SSID details, API tokens for iOS and Android, The Verge had reported.
  • The same month, a user of Amazon’s Ring security camera in USA’s Mississippi said that a stranger gained control over the camera and could see and talk to his 8-year-old daughter via the camera.