Vulnerabilities / Threats // Insider Threats
8/14/2014
11:35 AM
100%
0%

Tech Insight: Hacking The Nest Thermostat

Researchers at Black Hat USA demonstrated how they were able to compromise a popular smart thermostat.

Consumers are being bombarded by the Internet of Things (IoT) -- everyday embedded devices and appliances in your home that connect to the Internet. Those same devices are quickly becoming the targets of security researchers looking to show the dangers of such connectivity and the ill effects on owners' privacy. Last week at Black Hat USA 2014 in Las Vegas, the Nest Learning Thermostat was the latest IoT device to come under fire by University of Central Florida researchers Grant Hernandez and Yier Jin, and independent researcher Daniel Buentello.

The three researchers demonstrated the ease with which a Nest thermostat can be compromised if an attacker has physical access to the device. In less than 15 seconds, an attacker can remove the Nest from its mount, plug in a micro USB cable, and backdoor the device without the owner knowing anything has changed. The compromised Nest can then be used to spy on its owner, attack other devices on the network, steal wireless network credentials, and more.

What does this hack mean to the current and future Nest owners? Not much at this point. As we saw with the recent DropCam hack, the attack requires physical access and if a bad guy breaks into your house, it's typically for something much more serious than backdooring your thermostat. However, the researchers laid out several scenarios where Nests could be purchased, backdoored, and returned to the store, or sold on Craigslist in order target specific communities.

The biggest concern here is that the owner would never know if his or her device had been hacked. Antivirus is not available to run on it and look for malicious code. Essentially, the only way to know without dumping memory and analyzing the firmware from the device would be to monitor network traffic and hope to see anomalous behavior -- something that's unlikely to happen in the majority of home networks.

Photo Credit: Sarah Sawyer
Photo Credit: Sarah Sawyer

Meanwhile, the researchers gave Nest props for a well-designed product. To date, efforts to exploit the device are limited to physically plugging in USB cable, but the researchers are busy looking for flaws in Nest network clients, services, and protocols like Nest Weave that could allow for remote exploitation. With access to the files on the device and ability to interact with running processes thanks to the hardware backdoor, it's only a matter of time before they come up with a remote method of attack.

Beyond the potential for attacking other devices on the wireless home network, there are serious implications surrounding the compromise of the Nest that haven't been discussed. The researchers mentioned the Nest Weave protocol as a possible vulnerable entry point. Weave is an 802.15.4 based protocol similar to Zigbee and WirelessHART that allows the Nest thermostat to speak to other Nest devices like the Nest Protect smoke and carbon monoxide alarm. What's to stop an attacker from interfacing with other things that use 802.15.4 based protocols, like smart meters and keyless entry systems? Nothing at this point, and that's where research like this can uncover the potential for these threats.

During the presentation, it was clear that issues surrounding privacy are of particular importance to the researchers. They asked the audience if they would continue using a Nest at home. One of the researchers, Buentello, said, "Even after all this research and knowing how bad it can be, I'm still not giving mine up and I have two."

The researchers summed it up well when they concluded by saying that the actions we take and decisions about what we find acceptable for embedded devices could set the standard for the next 30 years.

Get the slides here (PDF).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Somedude8
50%
50%
Somedude8,
User Rank: Apprentice
8/18/2014 | 1:07:01 PM
House too warm?
Hacker sets thermostat to 120. Email arrives with bad English asking for $500 to return control of the thermostat.

That strikes me as a really funny possibility!
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
8/14/2014 | 7:07:56 PM
Re: Nesting
> if an attacker has physical access to the device.

Cue horror movie music: They're calling from inside the house!

If someone is tinkering with the Nest inside your house, worry about arson, theft, or physical violence.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Moderator
8/14/2014 | 4:42:39 PM
HP tried to warn us
Remember, on July 29, HP's Fortify div. tried to warn us. It didn't name specific vendors but cited thermostats. http://www.informationweek.com/cloud/software-as-a-service/hp-warns-of-iot-security-risks/d/d-id/1297617
johnhsawyer
100%
0%
johnhsawyer,
User Rank: Moderator
8/14/2014 | 3:58:10 PM
Re: Nesting
I didn't want to get too deep into it in the article, but I also have 2 Nest thermostats and don't have any plans to get rid of them. I also want to add some of the Nest Protect fire and carbon monoxide alarms. I'm not worried about someone tracking if I'm "away" or not. If a bad guy wanted to know if I'm home or away, they can drive by my house -- no need to compromise my Nest to figure it out.

As for a Nest being a source of attack, mine are connected to a separate, isolated wireless network that is segmented from the rest of my network. One of them is rooted and the other is not. I've also been monitoring the traffic on the Nest network as it's something of interest since I have clients in the utility industry that may be encountering Nests in their clients' homes. Eventually, I want to look into sniffing the Nest Weave communications with my RZ Raven and Killerbee.

I'm glad these guys published their findings. It was something that I was interested from a personal and professional perspective. It's also something very relevant as the Internet of Things continues to introduce more and more devices onto our networks.

-jhs
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/14/2014 | 1:55:30 PM
Nesting
I don't know whether I'm reassured or frightened by Daniel Buentello's quote "Even after all this research and knowing how bad it can be, I'm still not giving mine up and I have two." I'm guessing the Black Hat audience shared that point of view... 

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-7839
Published: 2014-11-25
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

CVE-2014-8001
Published: 2014-11-25
Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

CVE-2014-8002
Published: 2014-11-25
Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

CVE-2014-8004
Published: 2014-11-25
Cisco IOS XR allows remote attackers to cause a denial of service (LISP process reload) by establishing many LISP TCP sessions, aka Bug ID CSCuq90378.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?