Tuesday, August 12, 2014

Google Nest thermostats vulnerable to simple hack attack

Following up on an earlier IPBiz post [Google/Nest v. Honeywell in the thermostat business], note some interesting issues with Google Nest thermostats:

When Google bought Nest Labs for $3.2 billion seven months ago, I described the move as the start of a home invasion. Google already knows a lot about you, including where you live, what your interests are, where you go on the Internet and in the real world (via Android), and its acquisition of Nest, which makes smart thermostats and (not so smart) smoke detectors, meant it would potentially also know what you get up to in your own home.

As it turns out, Google using Nest products to find out what customers are doing is just one worry. A team of researchers has discovered an easy hack that allows anyone to gain control of Nest’s smart thermostat and turn it into a spying device which can reveal when you’re at home or away, and even divulge your Wi-Fi credentials.

The work was done by University of Central Florida students and reported at the Black Hat security conference in Las Vegas.

Essentially, all the attacker has to do is hold down the power button and insert a USB flash drive in order to enter developer mode. From there, they can load a custom compiled kernel to gain access to the software protocols used by the device.


The researchers said, "Although OS level security checks are available and are claimed to be very effective in defeating various attacks, instead of attacking the higher level software, we went straight for the hardware and applied OS-guided hardware attacks. As a result, our method bypasses the existing firmware signing and allows us to backdoor the Nest software in any way we choose". This includes introducing rootkits, spyware, rogue services and other network scanning methods.

"Entering into that mode allows you to upload your own code, your custom code, which allows you to attack existing code, implant your own and reboot normally, but maybe have something else running in the background," Hernandez adds. "We have access to the device on the highest level, and we can send stuff that Nest sends to us as well".

Link for quoted material: http://betanews.com/2014/08/11/googles-nest-thermostat-can-be-easily-hacked-to-spy-on-owners/

