Nest Smart Thermostat Can Be Hacked to Spy on Owners

Credit: Paul Wagenseil/Tom's Guide

(Image credit: Paul Wagenseil/Tom's Guide)

LAS VEGAS — Google's Nest "smart" thermostats may be the most secure devices in the "Internet of Things," but can still easily be hacked into, three researchers showed today (Aug. 7) at the BlackHat security conference here.

Yier Jin and Grant Hernandez of the University of Central Florida, along with independent researcher Daniel Buentello, demonstrated that by holding down the power button on a Nest device for 10 seconds, then plugging in a USB flash drive, one can inject malicious software that can take over the device.

MORE: Hacking the Internet of Things

The trio got the Nest's color screen to display a starfield animation, then the HAL 9000 red eye from "2001: A Space Odyssey" along with the words, "Hello, Dave."

"I know that you and Frank were planning to disconnect me," the Nest then stated, "and I am afraid that is something I cannot allow to happen."

"I don't know how you'll feel when you get back to your home and see your thermostat displaying 'Hello Dave,'" Jin joked.

The Nest backdoor

The problem arises, Buentello said, because while Nest thermostats are well protected when it comes to wireless communications, the USB port is lightly secured. He explained that the port is there only to update the thermostat's firmware manually, in case something goes wrong with a regular cloud-based firmware update.

Normally, the Nest will accept only firmware updates "signed" with the company's cryptographic code. But pressing the power button while plugging in a USB device overrides the security, allowing anyone to upload custom firmware.

So what's the big deal about hacking a thermostat? Well, the researchers explained, the Nest is much more than just a thermostat. It's actually a full-fledged Linux computer with 2 gigabytes of flash memory, Wi-Fi networking and proximity sensors.

The Nest can tell when you're home or not, knows your postal code, knows your Wi-Fi network name and password (and stores them in plain text and can communicate with other nearby Nest devices using the company's custom implementation of the Zigbee mesh-networking protocol.

The Nest routinely uses the Internet to communicate with the Nest cloud, but can be modified to contact any other device on the Internet. As such, mass compromising of Nest devices could be used to create a malicious botnet to pump out spam or malware — or sell information about homeowners' habits to burglars.

Buentello said an attacker could buy Nest devices in bulk, quickly infect them with malware and then resell them to customers who would be completely unaware of the malicious device residing in their own homes.

"How the hell are you ever going to know your thermostat is infected?" Buentello wondered. "You won't!"

Follow the leader

Even worse, Buentello said, are the implications for the greater Internet of Things. The Nest company takes security very seriously, and the company's founder has said the company has a dedicated hacking team probing the devices for vulnerabilities. If the Nest can be hacked, it means even the best-protected embedded device is vulnerable.

"The more convenient or smart something is, the less secure it is," Buentello said, adding that the information-security community should insist on high standards for embedded devices while the Internet of Things is still in its infancy.

"You guys are making the choices that the next 30 years of children are going to have to endure," he told the audience of security professionals, "because we're setting the standard."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.