SMART NEST THERMOSTAT: A SMART SPY IN YOUR HOME

Black Hat USA 2014

Presented by: Daniel Buentello, Grant Hernandez, Yier Jin
Date: Thursday August 07, 2014
Time: 11:45 - 12:45
Location: Mandalay Bay D

The Nest thermostat is a smart home automation device that aims to learn about your heating and cooling habits to help optimize your scheduling and power usage. Debuted in 2010, the smart NEST devices have been proved a huge success that Google spent $3.2B to acquire the whole company. However, the smartness of the thermostat also breeds security vulnerabilities, similar to all other smart consumer electronics. The severity of security breach has not been fully embraced due to the traditional assumption that thermostat cannot function more than a thermostat even though users are enjoying its smartness.

Equipped with two ARM cores, in addition to WiFi and ZigBee chips, this is no ordinary thermostat. In this presentation, we will demonstrate our ability to fully control a Nest with a USB connection within seconds (in our demonstration, we will show that we can plug in a USB for 15 seconds and walk away with a fully rooted Nest). Although OS level security checks are available and are claimed to be very effective in defeating various attacks, instead of attacking the higher level software, we went straight for the hardware and applied OS-guided hardware attacks. As a result, our method bypasses the existing firmware signing and allows us to backdoor the Nest software in any way we choose. With Internet access, the Nest could now become a beachhead for an external attacker. The Nest thermostat is aware of when you are home and when you are on vacation, meaning a compromise of the Nest would allow remote attackers to learn the schedule of users. Furthermore, saved data, including WiFi credentials, would now become available to attackers. Besides its original role of monitor the user's behavior, the smart Nest is now a spy rooted inside a house fully controlled by attackers.

Using the USB exploit mentioned above, we have loaded a custom compiled kernel with debug symbols added. This enables us to explore the software protocols used by the nest, such as Nest Weave, in order to find potential vulnerabilities that can be remotely exploited. Loading a custom kernel into the system also shows how we have obtained total control of the device, introducing the potential for rootkits, spyware, rogue services and other network scanning methods, further allowing the compromise of other nodes within the local network.

Yier Jin

Yier Jin is currently an assistant professor in the Electrical Engineering and Computer Science Department at the University of Central Florida. He received his PhD degree in Electrical Engineering from Yale University. His research focuses on the areas of trusted embedded systems, trusted hardware intellectual property (IP) cores and hardware-software co-protection on computer systems. He proposed various approaches in the area of hardware security, including the first hardware Trojan detection methodology relying on local side-channel information, the first post-deployment hardware trust assessment framework, and the first proof-carrying hardware IP protection scheme. He is also interested in the security analysis on Internet of Things (IoT) and wearable devices with particular emphasis on information integrity and privacy protection in the IoT era.

Grant Hernandez

Grant is an undergraduate security researcher attending school at the University of Central Florida (UCF). He is interested in embedded and OS/Kernel level security topics. In his spare time, he is a reverse engineer, and an avid CTF player with the KnightSec team.

Daniel Buentello

Hacker by day...still a hacker at night. Daniel spends most of his day taking apart software/hardware in order to appreciate other's work. Every now and then he finds mistakes that were left behind and has spoken about them at venues such as DerbyCon and ToorCon. His current fascination is with the "Internet of Things" as he hopes to prevent the next generation of cyber-physical malware.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats