Tech Insight: Hacking The Nest Thermostat

Researchers at Black Hat USA demonstrated how they were able to compromise a popular smart thermostat.

Consumers are being bombarded by the Internet of Things (IoT) -- everyday embedded devices and appliances in your home that connect to the Internet. Those same devices are quickly becoming the targets of security researchers looking to show the dangers of such connectivity and the ill effects on owners' privacy. Last week at Black Hat USA 2014 in Las Vegas, the Nest Learning Thermostat was the latest IoT device to come under fire by University of Central Florida researchers Grant Hernandez and Yier Jin, and independent researcher Daniel Buentello.

The three researchers demonstrated the ease with which a Nest thermostat can be compromised if an attacker has physical access to the device. In less than 15 seconds, an attacker can remove the Nest from its mount, plug in a micro USB cable, and backdoor the device without the owner knowing anything has changed. The compromised Nest can then be used to spy on its owner, attack other devices on the network, steal wireless network credentials, and more.

What does this hack mean to current and future Nest owners? Not much at this point. As we saw with the recent DropCam hack, the attack requires physical access, and if a bad guy breaks into your house, it's typically for something much more serious than backdooring your thermostat. However, the researchers laid out several scenarios where Nests could be purchased, backdoored, and returned to the store, or sold on Craigslist in order to target specific communities.

The biggest concern here is that the owner would never know if his or her device had been hacked. Antivirus is not available to run on it and look for malicious code. Essentially, the only way to know without dumping memory and analyzing the firmware from the device would be to monitor network traffic and hope to see anomalous behavior -- something that's unlikely to happen in the majority of home networks.
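
As an added illustration (not from the researchers' talk, from Nest, or from the original article), the sketch below shows one form that traffic monitoring can take: compare the thermostat's outbound flows against a learned baseline and flag new external destinations and connections to other private hosts. Every address, port and baseline entry is constructed sample data, and the function name is hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: these are NOT real Nest endpoints.
THERMOSTAT = "192.168.50.10"
GATEWAY = "192.168.50.1"
BASELINE = {("203.0.113.20", 443), ("203.0.113.21", 443), (GATEWAY, 53)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FLOWS = [  # (src, dst, dst_port, bytes_out), e.g. exported from the router
    ("192.168.50.10", "203.0.113.20", 443, 4200),
    ("192.168.50.10", "192.168.50.1", 53, 120),
    ("192.168.50.10", "198.51.100.77", 8443, 950000),
    ("192.168.50.10", "192.168.1.5", 22, 60),
    ("192.168.50.10", "192.168.1.6", 22, 60),
    ("192.168.50.10", "192.168.1.7", 22, 60),
]

def review_flows(flows, device, baseline, scan_threshold=3):
    """Return (reason, target, port) alerts for flows outside the baseline."""
    alerts = []
    local_peers = defaultdict(set)  # port -> private hosts contacted
    for src, dst, port, _bytes_out in flows:
        if src != device or (dst, port) in baseline:
            continue  # other devices and known-good traffic are ignored
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in RFC1918):
            # A thermostat has no reason to open connections to other hosts
            # on the home network.
            alerts.append(("lateral", dst, port))
            local_peers[port].add(dst)
        else:
            alerts.append(("new-external", dst, port))
    # The same port tried on several private hosts looks like a sweep.
    for port, peers in sorted(local_peers.items()):
        if len(peers) >= scan_threshold:
            alerts.append(("scan", f"{len(peers)} hosts", port))
    return alerts

if __name__ == "__main__":
    for alert in review_flows(FLOWS, THERMOSTAT, BASELINE):
        print(alert)
```

The baseline has to be learned while the device is known to be clean, which is the weak point for a unit that was tampered with before it was installed.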

Photo Credit: Sarah Sawyer

Meanwhile, the researchers gave Nest props for a well-designed product. To date, efforts to exploit the device are limited to physically plugging in a USB cable, but the researchers are busy looking for flaws in Nest network clients, services, and protocols like Nest Weave that could allow for remote exploitation. With access to the files on the device and the ability to interact with running processes thanks to the hardware backdoor, it's only a matter of time before they come up with a remote method of attack.

Beyond the potential for attacking other devices on the wireless home network, there are serious implications surrounding the compromise of the Nest that haven't been discussed. The researchers mentioned the Nest Weave protocol as a possible vulnerable entry point. Weave is an 802.15.4-based protocol similar to Zigbee and WirelessHART that allows the Nest thermostat to speak to other Nest devices like the Nest Protect smoke and carbon monoxide alarm. What's to stop an attacker from interfacing with other things that use 802.15.4-based protocols, like smart meters and keyless entry systems? Nothing at this point, and that's where research like this can uncover the potential for these threats.

During the presentation, it was clear that issues surrounding privacy are of particular importance to the researchers. They asked the audience if they would continue using a Nest at home. One of the researchers, Buentello, said, "Even after all this research and knowing how bad it can be, I'm still not giving mine up and I have two."

The researchers summed it up well when they concluded by saying that the actions we take and decisions about what we find acceptable for embedded devices could set the standard for the next 30 years.

Get the slides here (PDF).

Comments
Marilyn Cohodas,
User Rank: Strategist
8/14/2014 | 1:55:30 PM
Nesting
I don't know whether I'm reassured or frightened by Daniel Buentello's quote "Even after all this research and knowing how bad it can be, I'm still not giving mine up and I have two." I'm guessing the Black Hat audience shared that point of view... 

 
johnhsawyer,
User Rank: Moderator
8/14/2014 | 3:58:10 PM
Re: Nesting
I didn't want to get too deep into it in the article, but I also have 2 Nest thermostats and don't have any plans to get rid of them. I also want to add some of the Nest Protect fire and carbon monoxide alarms. I'm not worried about someone tracking if I'm "away" or not. If a bad guy wanted to know if I'm home or away, they can drive by my house -- no need to compromise my Nest to figure it out.

As for a Nest being a source of attack, mine are connected to a separate, isolated wireless network that is segmented from the rest of my network. One of them is rooted and the other is not. I've also been monitoring the traffic on the Nest network as it's something of interest since I have clients in the utility industry that may be encountering Nests in their clients' homes. Eventually, I want to look into sniffing the Nest Weave communications with my RZ Raven and Killerbee.

I'm glad these guys published their findings. It was something that I was interested in from a personal and professional perspective. It's also something very relevant as the Internet of Things continues to introduce more and more devices onto our networks.

-jhs
Charlie Babcock,
User Rank: Ninja
8/14/2014 | 4:42:39 PM
HP tried to warn us
Remember, on July 29, HP's Fortify div. tried to warn us. It didn't name specific vendors but cited thermostats. http://www.informationweek.com/cloud/software-as-a-service/hp-warns-of-iot-security-risks/d/d-id/1297617
Thomas Claburn,
User Rank: Ninja
8/14/2014 | 7:07:56 PM
Re: Nesting
> if an attacker has physical access to the device.

Cue horror movie music: They're calling from inside the house!

If someone is tinkering with the Nest inside your house, worry about arson, theft, or physical violence.
Somedude8,
User Rank: Apprentice
8/18/2014 | 1:07:01 PM
House too warm?
Hacker sets thermostat to 120. Email arrives with bad English asking for $500 to return control of the thermostat.

That strikes me as a really funny possibility!
Tom Mariner,
User Rank: Apprentice
12/31/2014 | 11:05:50 AM
Access to my Nest Thermostat
So someone standing in my living room can pry my Nest off the wall, connect a computer, upload, replace it and I'm hacked? If he was standing there he could also shoot my dog and drink my best wine. The point is??