Sign in with
Sign up | Sign in

Nest Smart Thermostat Can Be Hacked to Spy on Owners

By - Source: Tom's Guide US | B 16 comments

Credit: Paul Wagenseil/Tom's GuideCredit: Paul Wagenseil/Tom's Guide

LAS VEGAS — Google's Nest "smart" thermostats may be the most secure devices in the "Internet of Things," but can still easily be hacked into, three researchers showed today (Aug. 7) at the BlackHat security conference here.

Yier Jin and Grant Hernandez of the University of Central Florida, along with independent researcher Daniel Buentello, demonstrated that by holding down the power button on a Nest device for 10 seconds, then plugging in a USB flash drive, one can inject malicious software that can take over the device.

MORE: Hacking the Internet of Things

The trio got the Nest's color screen to display a starfield animation, then the HAL 9000 red eye from "2001: A Space Odyssey" along with the words, "Hello, Dave."

"I know that you and Frank were planning to disconnect me," the Nest then stated, "and I am afraid that is something I cannot allow to happen."

"I don't know how you'll feel when you get back to your home and see your thermostat displaying 'Hello Dave,'" Jin joked.

The Nest backdoor

The problem arises, Buentello said, because while Nest thermostats are well protected when it comes to wireless communications, the USB port is lightly secured. He explained that the port is there only to update the thermostat's firmware manually, in case something goes wrong with a regular cloud-based firmware update.

Normally, the Nest will accept only firmware updates "signed" with the company's cryptographic code. But pressing the power button while plugging in a USB device overrides the security, allowing anyone to upload custom firmware.

So what's the big deal about hacking a thermostat? Well, the researchers explained, the Nest is much more than just a thermostat. It's actually a full-fledged Linux computer with 2 gigabytes of flash memory, Wi-Fi networking and proximity sensors.

The Nest can tell when you're home or not, knows your postal code, knows your Wi-Fi network name and password (and stores them in plain text and can communicate with other nearby Nest devices using the company's custom implementation of the Zigbee mesh-networking protocol.

The Nest routinely uses the Internet to communicate with the Nest cloud, but can be modified to contact any other device on the Internet. As such, mass compromising of Nest devices could be used to create a malicious botnet to pump out spam or malware — or sell information about homeowners' habits to burglars.

Buentello said an attacker could buy Nest devices in bulk, quickly infect them with malware and then resell them to customers who would be completely unaware of the malicious device residing in their own homes.

"How the hell are you ever going to know your thermostat is infected?" Buentello wondered. "You won't!"

Follow the leader

Even worse, Buentello said, are the implications for the greater Internet of Things. The Nest company takes security very seriously, and the company's founder has said the company has a dedicated hacking team probing the devices for vulnerabilities. If the Nest can be hacked, it means even the best-protected embedded device is vulnerable.

"The more convenient or smart something is, the less secure it is," Buentello said, adding that the information-security community should insist on high standards for embedded devices while the Internet of Things is still in its infancy.

"You guys are making the choices that the next 30 years of children are going to have to endure," he told the audience of security professionals, "because we're setting the standard."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Discuss
Ask a Category Expert

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
  • 7 Hide
    hotwire_downunder , August 7, 2014 4:16 PM
    If an intruder's able to physically get to your thermostat, then you've got more pressing security issues than a hacked thermostat :) 
  • -1 Hide
    DalaiLame , August 7, 2014 4:50 PM
    Will get worse once Google's influence fully permeates the company.
  • -3 Hide
    bluestar2k11 , August 7, 2014 5:07 PM
    Why would my thermostat need to know my zip code? Or even internet access??
    The only thing my thermostat needs to ever know is the temperature I set it too, and the temperature inside the house. And the only thing it ever needs to do is activate the heater or AC systems when the temperature goes below/above the setting I gave it.
  • Display all 16 comments.
  • 1 Hide
    Yoshimitsu Fujimoto , August 7, 2014 5:15 PM
    More pressing is if they can get into your home and install cameras and microphones they can watch you,..../scarier lol
  • 2 Hide
    Christopher1 , August 7, 2014 5:46 PM
    First off, this needs physical access. Common knowledge goes "If someone has physical access to a device and you are not watching what they are doing every second, assume it is compromised!"
  • -1 Hide
    razor512 , August 7, 2014 5:56 PM
    So far not an issue. when it gets hacked from the WAN, then it becomes a major issue, kinda like with the belkin wemo.
  • 2 Hide
    palladin9479 , August 7, 2014 6:21 PM
    Yeah this is mostly just FUD. The old adage is "there is no network security without physical security". If someone can get to your thermostat without you seeing them, then they can get to your PC, wifi devices and do anything they want. They can hide in your closet and stab you with a knife or shoot you. Worrying about being spied on suddenly becomes much less of an issue then being stabbed or shot.
  • -2 Hide
    TheDraac , August 7, 2014 9:58 PM
    Oh yeah, as for the cameras and microphones, you must have heard about the baby monitor issues.
  • 6 Hide
    TheDraac , August 7, 2014 9:58 PM
    Did you people miss the point of someone buying these devices in bulk, infecting them and then reselling them??? I know I am guilty of buying items online "from the lowest price" seller. Just because the web site "looks" professional doesn't mean it's not just one guy at home selling stuff on the internet.

    As for needing to know your zip code, I think you need to read what the Nest is capable of and trys to do to save the homeowner money on their energy costs.
  • -2 Hide
    Skylarz , August 8, 2014 12:41 AM
    Lmao this is like going into your house and sticking an infected usb drive into your pc
  • 2 Hide
    paesan , August 8, 2014 4:22 AM
    When I read comments about needing physical access to the thermostat by getting inside the person's home, I wonder how many people actually read this article. Did they miss the section where it says, "Buentello said an attacker could buy Nest devices in bulk, quickly infect them with malware and then resell them to customers who would be completely unaware of the malicious device residing in their own homes".
  • -1 Hide
    electricfirebolt , August 8, 2014 5:44 AM
    This could be done with all devices that feature storage, Removable Drives, Hard Drives, Phones etc then resold on.. I don't see what the big fuss is about... People just need to not buy from dodgy sellers and make sure that your house door is lock, wouldn't want a random stranger walking in and physically infecting your equipment.
  • -2 Hide
    WyomingKnott , August 8, 2014 7:15 AM
    Quote:
    More pressing is if they can get into your home and install cameras and microphones they can watch you,..../scarier lol


    Err, that's the Kinect.
  • 1 Hide
    srystore , August 8, 2014 8:20 AM
    Seems like Google put this backdoor in for themselves and it was discovered
  • 1 Hide
    RCguitarist , August 8, 2014 9:16 AM
    "The more convenient or smart something is, the less secure it is" Exactly. If you are too lazy to do things yourself, then you must accept this risk.

    As for those who are saying it's no big deal because someone would have to break into your home...who's to say that a hacker can't get a job at best buy or walmart and then take to infecting the devices in the storage area of the store?
  • 0 Hide
    Donna F , August 9, 2014 6:14 AM
    So is this what Keith Alexander was promising to protect banks and utilities from for 1 million per month? Can he rule the world with that knowledge? Read the paper at IOActive.
    Google Keith Alexander Banks. Is this the intelligence secret that Congressman Grayson accuses Alexander of selling?
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter
  • add to twitter
  • add to facebook
  • ajouter un flux RSS