Nest, maker of smart home thermostats and other devices, is adding two-step verification to its authentication process, making it more difficult for attackers to take over users’ devices.
The company said on Tuesday that it is implementing the ability for users to require a short code sent by SMS as part of the sign-in process for their accounts. This is the same form of two-step verification that many other services, such as iTunes and Twitter, use. It’s not considered as strong as full two-factor authentication, but it does provide another barrier for attackers interested in account takeovers.
“We all know data security is a moving target. Technology keeps advancing, but so do the people who want to break into your email, your credit card or any other account they can get their hands on. But your home is your safe haven, where private information should stay private. So today we’re adding a new layer of security with the introduction of two-factor authentication,” Matt Rogers, chief product officer at Nest, said in a post announcing the change.
The addition of two-step verification is optional for users, as it is on most other services that offer it. While protecting a thermostat or surveillance camera from hackers may not seem as important as protecting email or bank accounts, attackers have shown a willingness and ability to go after just about any device with an Internet connection. The emergence of the Mirai botnet last year demonstrated this clearly and repeatedly. That network is made up of millions of compromised embedded devices, including IP cameras, DVRs, and others that typically aren’t found in botnets.
IoT device manufacturers have been criticized from all sides for a lack of attention to security, and usually for good reason. Unpatched vulnerabilities and default or hardcoded credentials make many of these devices easy prey for attackers. While the addition of two-step verification doesn’t affect the security of the underlying products themselves, it does make it more difficult for attackers to gain access to users’ accounts, from which they can control connected devices and make other changes.
“It takes a minute or two for our customers, but for hackers working from computers all over the world, things get a whole lot harder,” Rogers said.
Image: Bill Bradford, CC BY license.