Google Nest hacked 'in 15 seconds' as reality bites for Internet of Things

News by Doug Drinkwater

Security researchers quickly rooted Google's Nest at Black Hat over the weekend, with one describing the internet-connected thermostat as a "computer you cannot patch".

Nest hit the news seven months ago when Google paid US$ 3.2 billion (£1.9 billion) to acquire its maker, the Palo Alto-based Nest Labs, and it has since become one of the front-runners in the emerging Internet of Things.

Nest has home sensors which tell when the user is home and adjust the temperature accordingly. The device connects to the internet so that the user can control settings from a smartphone or tablet application, as well as get automatic software updates and energy usage reports. Users can also log into to edit their thermostat schedule, adjust settings or see how much heat they've used in recent days.

The thermostat stores two gigabytes of data, has a rechargeable battery and an ARM Cortex M3 processor from Texas Instruments, while two motion sensors detect if the user is moving in the house – all of which has led various experts to pinpoint Nest as the ‘poster boy' of the Internet of Things movement.

But in Las Vegas over the weekend,  a team of student security researchers (Yier Jin, Grant Hernandez and Daniel Buentello) from the University of Central Florida demonstrated how they could compromise the thermostat in “ten to 15 seconds” by pressing and holding the power button, inserting a USB drive and entering developer mode.

At that point, Buentello was able to upload custom code and program the device to send data to him as well as the customer. To illustrate the attack, the researchers put quotes and photos on the thermostat from Hal, the rogue computer in the 1968 film '2001: A Space Odyssey'.

The only saving grace here is that hackers would need physical access for the hack, although Buentello and Jin described how this compromise could be more wide-spread if second-hand models are eventually sold on the internet.

“If I were a bad guy, I would tunnel all of your traffic through me, sniffing for any kind of credentials like credit cards,” Buentello said. “That's horrible because if you have a computer, it crashes and you take it to Best Buy. How the hell will you know your thermostat is infected? You won't.”

“This has a lot more implications than a normal thermostat,” Hernandez added. “It's a node on your network which you control on your phone. You can then use normal attacks against the network to gain access to other devices.” The group also said that they could “brick” (disable) the device or compromise one Nest to corrupt others on the network.

“We are giving up our privacy to this device, and we don't know anything about it,” Buentello added.

In a statement to Venture Beat, Nest's Zoz Cuccias said: “All hardware devices – from laptops to smartphones – are susceptible to jailbreaking; this is not a unique problem. This is a physical jailbreak requiring physical access to the Nest Learning Thermostat.

“If someone managed to get in your home and had their choice, chances are they would install their own devices, or take the jewellery. This jailbreak doesn't compromise the security of our servers or the connections to them and to the best of our knowledge; no devices have been accessed and compromised remotely. Customer security is very important to us, and our highest priority is on remote vulnerabilities.”

In a recent study, HP revealed that 70 percent of Internet of Things devices have common vulnerabilities, weak passwords or encryption, while Gartner earlier this week indicated - in its annual Hype Cycle - how IoT is one of the industry's most hyped technologies.

The research outfit says the technology is five to ten years from actual productivity and says that the concept is currently at the “peak of inflated expectations”, partly because a lack of standardisation.

Mark Sparshott, EMEA director at Proofpoint, told recently that the Nest hack was one of many with routers and other internet-connected devices being regularly recruited into botnets.

“Proofpoint has already started to see internet connected home devices like routers being hacked and enrolled into botnets and believes that the Internet of Things (IoT) will be the next industrial revolution for cyber-criminals bringing about technological, socioeconomic, and cultural changes which deeply concern forward thinking security professionals. “

Sparshott added that the ‘almost endless supply' of new IP addresses will make traditional IP reputational systems many security vendors rely on extinct and says that future IoT botnet campaigns could be hundreds to thousands of times larger than current phishing campaigns.

Barry Coatesworth, CISO and industry advisor, told SC in an email to usability often trumps security, especially as high-tech firms are keen to spot the latest trend.

“Balancing security against usability, is one of the hardest things makers of IoT devices have to do, security by design is not usually their priority, and to a degree that is understandable, - ease of use, connectivity, and stability are there primary concern,” said Coatesworth.

“IoT Security should be seen as paramount, not an afterthought, and needs to be on the same level as we see safety. Most of these smart devices like the Nest thermostat, regulate or monitor the environment; if these devices are compromised not only may data be lost, but more importantly it could potentially impact on the safety of you and your family, in winter the heating being turned off, or smart cars where the brakes failed.”

Coatesworth pointed to OWASP's (open web application security project)  Internet of Things top ten security list as a good starting pointing for reducing vulnerabilities, but added that the Allseen Alliance and OIC – two consortiums working on IoT standards -  have ‘fallen far short of putting security more prominently'.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews