Tech Insight: Hacking The Nest ThermostatResearchers at Black Hat USA demonstrated how they were able to compromise a popular smart thermostat.
Consumers are being bombarded by the Internet of Things (IoT) -- everyday embedded devices and appliances in your home that connect to the Internet. Those same devices are quickly becoming the targets of security researchers looking to show the dangers of such connectivity and the ill effects on owners' privacy. Last week at Black Hat USA 2014 in Las Vegas, the Nest Learning Thermostat was the latest IoT device to come under fire by University of Central Florida researchers Grant Hernandez and Yier Jin, and independent researcher Daniel Buentello.
The three researchers demonstrated the ease with which a Nest thermostat can be compromised if an attacker has physical access to the device. In less than 15 seconds, an attacker can remove the Nest from its mount, plug in a micro USB cable, and backdoor the device without the owner knowing anything has changed. The compromised Nest can then be used to spy on its owner, attack other devices on the network, steal wireless network credentials, and more.
What does this hack mean to the current and future Nest owners? Not much at this point. As we saw with the recent DropCam hack, the attack requires physical access and if a bad guy breaks into your house, it's typically for something much more serious than backdooring your thermostat. However, the researchers laid out several scenarios where Nests could be purchased, backdoored, and returned to the store, or sold on Craigslist in order target specific communities.
The biggest concern here is that the owner would never know if his or her device had been hacked. Antivirus is not available to run on it and look for malicious code. Essentially, the only way to know without dumping memory and analyzing the firmware from the device would be to monitor network traffic and hope to see anomalous behavior -- something that's unlikely to happen in the majority of home networks.
Photo Credit: Sarah Sawyer
Meanwhile, the researchers gave Nest props for a well-designed product. To date, efforts to exploit the device are limited to physically plugging in USB cable, but the researchers are busy looking for flaws in Nest network clients, services, and protocols like Nest Weave that could allow for remote exploitation. With access to the files on the device and ability to interact with running processes thanks to the hardware backdoor, it's only a matter of time before they come up with a remote method of attack.
Beyond the potential for attacking other devices on the wireless home network, there are serious implications surrounding the compromise of the Nest that haven't been discussed. The researchers mentioned the Nest Weave protocol as a possible vulnerable entry point. Weave is an 802.15.4 based protocol similar to Zigbee and WirelessHART that allows the Nest thermostat to speak to other Nest devices like the Nest Protect smoke and carbon monoxide alarm. What's to stop an attacker from interfacing with other things that use 802.15.4 based protocols, like smart meters and keyless entry systems? Nothing at this point, and that's where research like this can uncover the potential for these threats.
During the presentation, it was clear that issues surrounding privacy are of particular importance to the researchers. They asked the audience if they would continue using a Nest at home. One of the researchers, Buentello, said, "Even after all this research and knowing how bad it can be, I'm still not giving mine up and I have two."
The researchers summed it up well when they concluded by saying that the actions we take and decisions about what we find acceptable for embedded devices could set the standard for the next 30 years.
Get the slides here (PDF).