By Yier Jin, Grant Hernandez, and Daniel Buentello
“The Nest thermostat is a smart home automation device that aims to learn about your heating and cooling habits to help optimize your scheduling and power usage. Debuted in 2010, the smart Nest devices have proved such a huge success that Google spent $3.2B to acquire the whole company. However, the smartness of the thermostat also breeds security vulnerabilities, similar to all other smart consumer electronics. The severity of a security breach has not been fully embraced due to the traditional assumption that a thermostat cannot function as more than a thermostat, even though users are enjoying its smartness.
Equipped with two ARM cores, in addition to WiFi and ZigBee chips, this is no ordinary thermostat. In this presentation, we will demonstrate our ability to fully control a Nest with a USB connection within seconds (in our demonstration, we will show that we can plug in a USB for 15 seconds and walk away with a fully rooted Nest). Although OS-level security checks are available and are claimed to be very effective in defeating various attacks, instead of attacking the higher-level software, we went straight for the hardware and applied OS-guided hardware attacks. As a result, our method bypasses the existing firmware signing and allows us to backdoor the Nest software in any way we choose. With Internet access, the Nest could now become a beachhead for an external attacker. The Nest thermostat is aware of when you are home and when you are on vacation, meaning a compromise of the Nest would allow remote attackers to learn the schedule of users. Furthermore, saved data, including WiFi passwords, would now become available to attackers as well. Besides its original role of monitoring the user’s behavior, the smart Nest is now a spy rooted inside a house, fully controlled by attackers.
We are currently exploiting the vulnerability of Nest’s proprietary peer-to-peer protocol, Nest Weave, in order to enable stealthy remote control or data exfiltration. Hopefully, by the time we give the talk at Black Hat, we will be able to skip the 15-second USB connection and control the Nest remotely.”