Nest hit the news seven months ago when Google paid US$ 3.2 billion (£1.9 billion) to acquire its maker, the Palo Alto-based Nest Labs, and it has since become one of the front-runners in the emerging Internet of Things.
Nest has home sensors which tell when the user is home and adjust the temperature accordingly. The device connects to the internet so that the user can control settings from a smartphone or tablet application, as well as get automatic software updates and energy usage reports. Users can also log into nest.com/home to edit their thermostat schedule, adjust settings or see how much heat they've used in recent days.
The thermostat stores two gigabytes of data, has a rechargeable battery and an ARM Cortex M3 processor from Texas Instruments, while two motion sensors detect if the user is moving in the house – all of which has led various experts to pinpoint Nest as the ‘poster boy' of the Internet of Things movement.
But in Las Vegas over the weekend, a team of student security researchers (Yier Jin, Grant Hernandez and Daniel Buentello) from the University of Central Florida demonstrated how they could compromise the thermostat in “ten to 15 seconds” by pressing and holding the power button, inserting a USB drive and entering developer mode.
At that point, Buentello was able to upload custom code and program the device to send data to him as well as the customer. To illustrate the attack, the researchers put quotes and photos on the thermostat from Hal, the rogue computer in the 1968 film '2001: A Space Odyssey'.
The only saving grace here is that hackers would need physical access for the hack, although Buentello and Jin described how this compromise could be more wide-spread if second-hand models are eventually sold on the internet.
“If I were a bad guy, I would tunnel all of your traffic through me, sniffing for any kind of credentials like credit cards,” Buentello said. “That's horrible because if you have a computer, it crashes and you take it to Best Buy. How the hell will you know your thermostat is infected? You won't.”
“This has a lot more implications than a normal thermostat,” Hernandez added. “It's a node on your network which you control on your phone. You can then use normal attacks against the network to gain access to other devices.” The group also said that they could “brick” (disable) the device or compromise one Nest to corrupt others on the network.
“We are giving up our privacy to this device, and we don't know anything about it,” Buentello added.
In a statement to Venture Beat, Nest's Zoz Cuccias said: “All hardware devices – from laptops to smartphones – are susceptible to jailbreaking; this is not a unique problem. This is a physical jailbreak requiring physical access to the Nest Learning Thermostat.
“If someone managed to get in your home and had their choice, chances are they would install their own devices, or take the jewellery. This jailbreak doesn't compromise the security of our servers or the connections to them and to the best of our knowledge; no devices have been accessed and compromised remotely. Customer security is very important to us, and our highest priority is on remote vulnerabilities.”