Nest Smart Thermostat Can Be Hacked to Spy on Owners

Credit: Paul Wagenseil/Tom's Guide

(Image credit: Paul Wagenseil/Tom's Guide)

LAS VEGAS — Google's Nest "smart" thermostats may be the most secure devices in the "Internet of Things," but can still easily be hacked into, three researchers showed today (Aug. 7) at the BlackHat security conference here.

Yier Jin and Grant Hernandez of the University of Central Florida, along with independent researcher Daniel Buentello, demonstrated that by holding down the power button on a Nest device for 10 seconds, then plugging in a USB flash drive, one can inject malicious software that can take over the device.

MORE: Hacking the Internet of Things

The trio got the Nest's color screen to display a starfield animation, then the HAL 9000 red eye from "2001: A Space Odyssey" along with the words, "Hello, Dave."

"I know that you and Frank were planning to disconnect me," the Nest then stated, "and I am afraid that is something I cannot allow to happen."

"I don't know how you'll feel when you get back to your home and see your thermostat displaying 'Hello Dave,'" Jin joked.

The Nest backdoor

The problem arises, Buentello said, because while Nest thermostats are well protected when it comes to wireless communications, the USB port is lightly secured. He explained that the port is there only to update the thermostat's firmware manually, in case something goes wrong with a regular cloud-based firmware update.

Normally, the Nest will accept only firmware updates "signed" with the company's cryptographic code. But pressing the power button while plugging in a USB device overrides the security, allowing anyone to upload custom firmware.

So what's the big deal about hacking a thermostat? Well, the researchers explained, the Nest is much more than just a thermostat. It's actually a full-fledged Linux computer with 2 gigabytes of flash memory, Wi-Fi networking and proximity sensors.

The Nest can tell when you're home or not, knows your postal code, knows your Wi-Fi network name and password (and stores them in plain text and can communicate with other nearby Nest devices using the company's custom implementation of the Zigbee mesh-networking protocol.

The Nest routinely uses the Internet to communicate with the Nest cloud, but can be modified to contact any other device on the Internet. As such, mass compromising of Nest devices could be used to create a malicious botnet to pump out spam or malware — or sell information about homeowners' habits to burglars.

Buentello said an attacker could buy Nest devices in bulk, quickly infect them with malware and then resell them to customers who would be completely unaware of the malicious device residing in their own homes.

"How the hell are you ever going to know your thermostat is infected?" Buentello wondered. "You won't!"

Follow the leader

Even worse, Buentello said, are the implications for the greater Internet of Things. The Nest company takes security very seriously, and the company's founder has said the company has a dedicated hacking team probing the devices for vulnerabilities. If the Nest can be hacked, it means even the best-protected embedded device is vulnerable.

"The more convenient or smart something is, the less secure it is," Buentello said, adding that the information-security community should insist on high standards for embedded devices while the Internet of Things is still in its infancy.

"You guys are making the choices that the next 30 years of children are going to have to endure," he told the audience of security professionals, "because we're setting the standard."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • hotwire_downunder
    If an intruder's able to physically get to your thermostat, then you've got more pressing security issues than a hacked thermostat :)
  • DalaiLame
    Will get worse once Google's influence fully permeates the company.
  • bluestar2k11
    Why would my thermostat need to know my zip code? Or even internet access??
    The only thing my thermostat needs to ever know is the temperature I set it too, and the temperature inside the house. And the only thing it ever needs to do is activate the heater or AC systems when the temperature goes below/above the setting I gave it.
  • Yoshimitsu Fujimoto
    More pressing is if they can get into your home and install cameras and microphones they can watch you,..../scarier lol
  • Christopher1
    First off, this needs physical access. Common knowledge goes "If someone has physical access to a device and you are not watching what they are doing every second, assume it is compromised!"
  • razor512
    So far not an issue. when it gets hacked from the WAN, then it becomes a major issue, kinda like with the belkin wemo.
  • palladin9479
    Yeah this is mostly just FUD. The old adage is "there is no network security without physical security". If someone can get to your thermostat without you seeing them, then they can get to your PC, wifi devices and do anything they want. They can hide in your closet and stab you with a knife or shoot you. Worrying about being spied on suddenly becomes much less of an issue then being stabbed or shot.
  • TheDraac
    Oh yeah, as for the cameras and microphones, you must have heard about the baby monitor issues.
  • TheDraac
    Did you people miss the point of someone buying these devices in bulk, infecting them and then reselling them??? I know I am guilty of buying items online "from the lowest price" seller. Just because the web site "looks" professional doesn't mean it's not just one guy at home selling stuff on the internet.

    As for needing to know your zip code, I think you need to read what the Nest is capable of and trys to do to save the homeowner money on their energy costs.
  • Skylarz
    Lmao this is like going into your house and sticking an infected usb drive into your pc