Phoenix man says hacker talked to him through a Nest security camera in his home

Andy Gregg was in his back yard a few weeks ago when he heard a voice he didn't recognize inside his house.

It was dark, and Gregg, who lives in the north Phoenix, said his first thought was somebody had broken into his home.

The source of the voice surprised him: It was coming from a Nest Cam IQ security camera in his front window.

The man speaking to him through the camera said he was a "white hat" hacker in Canada with the group Anonymous. He told Gregg his private information had been compromised.

The hacker couldn't see images through the camera and didn't know where Gregg lived, he said. But he told Gregg such information wouldn't be hard to find. 

The man then recited a password Gregg had used for multiple websites.

"I'm really sorry if I startled you or anything. I realize this is super unprofessional, and I'm sorry that it's a little late in the day to do this," the hacker can be heard telling Gregg on a recording of the interaction provided to The Arizona Republic/azcentral.

"We don't have any malicious intent."

The hacker said he had accessed Gregg's camera to warn him about its security vulnerabilities. Other hackers, he said, might exploit the same gaps for nefarious ends.

Gregg said he changed his passwords and unplugged the camera.

"You basically feel very vulnerable," Gregg said. "It feels like you've been robbed essentially and somebody's in your house. They know when you're there. They know when you're leaving."

Connected devices vulnerable to hacks

Experts have long warned that wireless internet-connected devices similar to Gregg's Nest — the Amazon Alexa, Google Home, smartphones and smart appliances— have glaring security vulnerabilities.

These devices, popular holiday gifts and part of what's known as the "internet of things," have become more common even as the industry has struggled to address security concerns.

MORE:'Hacker' who talked to man via Nest camera warns about tech vulnerabilities

Georgia Weidman, founder of IT security company Shevirah, said consumers are often unaware of these vulnerabilities or lack the technological know-how to keep their devices safe from attacks.

"We buy things — they're cool or make our lives easier — and we don't think about the security implications," she said. "In order for an end-user consumer to secure their devices, they basically have to be a security expert."

Gregg, who is a real-estate agent, said people don't fully appreciate the risk associated with bringing such devices into their homes. Before the incident, he had given Nest cameras as gifts to his clients to celebrate the closing of a deal.

"I have a ton of clients in real estate that use these things to watch their kids. They'll watch their living rooms, they'll keep them all over the house for their protection," he said. "But these hackers can go in there, and if they can watch your kids while they're sleeping or changing, just think of what they can do with that."

Cameras have been accessed before

Gregg isn't the first Nest customer to claim an outsider accessed his or her camera. Earlier this year, a New York family said someone used their indoor camera to talk to their 5-year-old son, according to TV station WPIX.

Last year, a security researcher exposed a flaw in the company's security cameras that allowed them to be disabled by a hacker. The company said that vulnerability has been addressed.

MORE:Should social media be regulated? Support grows for protecting data

Nest, which is owned by Google parent company Alphabet, said in a statement it is aware that passwords stolen in hacks of other companies have been used to access its cameras. The cameras can't be wirelessly controlled without a customer-created username and password and don't come with default logins.

The company, which also sells smart thermostats and door locks, recommends setting two-factor authentication for such devices to add an additional layer of security.

Nest's website says the devices automatically update, although users may not receive them immediately because the company sends them to only a portion of its cameras at a time.

How to protect your devices

Weidman said people who buy internet-connected devices should make sure they read the documentation that comes with it to ensure they know how to keep the software up to date.

She also said people must change default passwords that come with the device and use a different password for each account and device. But she said for those with dozens or hundreds of accounts, that may not be possible.

MORE:Criminals hacked into my phone and drained my checking

"I recognize that this is a hard problem that we haven't solved," she said.

Even after taking those steps, Weidman warns no device is completely secure.

"You'll be ahead of most people at that point," she said. "Will it be 100 percent secure? No, the devices just aren't built to be 100 percent secure. But you'll be out of the low-hanging-fruit range."

Agnel Philip is an investigative reporter at The Arizona Republic/azcentral.com. Reach him at aphilip@gannett.com, on Twitter at @agnel88_philip or on Facebook.