Security

Hello, Dave. I control your thermostat. Google’s Nest gets hacked

Above: Google Nest hacked

Image Credit: KRWG

[Updated with a comment from Nest]

“Hello, Dave.”

Daniel Buentello of UCF at Black Hat

Above: Daniel Buentello of UCF at Black Hat

Image Credit: Dean Takahashi

The immortal words of Hal, the rogue computer in 2001: A Space Odyssey, showed up on the display of a Google Nest appliance control system. That’s not supposed to happen.

But hackers at the Black Hat security conference this week made those words appear on a Nest display after they showed how they compromised the device in front of an audience of hundreds. The vulnerability of the Nest device, which can control your thermostat or lighting, shows the flaws in security that could slow down the rush to connect all of our devices to the internet in the so-called “internet of things.” Hacking smart devices was a big theme of this year’s show. [See our photo gallery showing the cultures of Black Hat and Defcon here].

“This goes back to the theme of what are we sacrificing in the name of convenience,” said Daniel Buentello, a student security researcher at the University of Central Florida and one of four presenters who talked about hacking the smart device. “This is a computer that the user can’t put an antivirus on. Worse yet, there’s a secret back door that a bad person could use and stay there forever. It’s a literal fly on the wall.”

Nest uses your home’s sensors to tell when you are home, and it adjusts the temperature to your liking. If you are not home in the afternoon, Nest will put the heater or air conditioner into low-energy mode. It works so well that Google paid $3.2 billion to acquire the company earlier this year.

“If I were a bad guy, I would tunnel all of your traffic through me, sniffing for any kind of credentials like credit cards,” Buentello said. “That’s horrible because if you have a computer, it crashes and you take it to Best Buy. How the hell will you know your thermostat is infected? You won’t.”

Yier Jin of UCF at Black Hat

Above: Yier Jin of UCF at Black Hat

The thing has a silver rim and black display. Buentello and the team — Orlando Arias, Grant Hernandez, and Yier Jin (engineering professor) — put an image of HAL 9000, the rogue computer from 2001: A Space Odyssey, in its center to show that they could take over the machine live on stage. A second screen showed the dialogue from the film, “I know that you and Frank were planning to disconnect me, and I am afraid that is something I cannot allow to happen.”

In a statement, Zoz Cuccias of Nest said, “All hardware devices – from laptops to smartphones – are susceptible to jailbreaking; this is not a unique problem. This is a physical jailbreak requiring physical access to the Nest Learning Thermostat. If someone managed to get in your home and had their choice, chances are they would install their own devices, or take the jewelry. This jailbreak doesn’t compromise the security of our servers or the connections to them and to the best of our knowledge, no devices have been accessed and compromised remotely. Customer security is very important to us, and our highest priority is on remote vulnerabilities. One of your best defenses is to buy a Dropcam Pro so you can monitor your home when you’re not there.”

Nest has Wi-Fi access so that data can be sent to it from various sensors and get automatic updates and energy usage reports. The device can store two gigabytes of data. It has a rechargeable battery and an ARM Cortex M3 processor from Texas Instruments. It also has two motion sensors that can detect whether you are moving through the house.

Buentello plugged a universal serial bus (USB) into the device to put it into developer mode. When you do that, you can upload your own custom code into the device.  It has configurable boot options, and the hackers use that to load their own software, so long as they know the correct boot pin configuration. There is no “chain of trust” security procedure, and Jin said that for future internet of things devices, he recommends such precautions be implemented.

“It was not so difficult and target the device,” Hernandez said in the talk.

That allows you to compromise the existing code, then put your own in. Then you reboot it. Hernandez said he could program the device to send data to him as well as the customer actually using the device. The hackers can gain full root access to the device, or pretty much do anything they want with it.

Google Nest board

Above: Google Nest board

Image Credit: iFixit

The hackers didn’t show they could hack the device remotely. Rather, they needed the physical access to the device. But that might not be that hard to do. You could buy devices, compromise them, and then put them up on eBay for resale.

They were able to send data to the device such as temperature data, rest settings, and other data.

Hacking the device can have severe consequences. You could compromise one Nest and use it to corrupt other Nest devices in the larger network, Buentello said. It also shows the way that you live, and that could be useful to a spy. The hackers are releasing a a tool for Nest users s that they can patch the device.

“This has a lot more implications than a normal thermostat,” Hernandez said. “It’s a node on your network which you control on your phone. You can then use normal attacks against the network to gain access to other devices.”

Hackers said they could also “brick” the device, or disable it.

Buentello said, “We are giving up our privacy to this device, and we don’t know anything about it.”

In comments to other publications, Google said a very small number of devices have been actually compromised, as it tracks changes to the devices. Jin said the possibility of a “remote attack” is still under investigation.

“This thing always reminded me of HAL 9000,” Hernandez said.

Google Nest device

Above: Google Nest device

Image Credit: Nest
More information:

Google's innovative search technologies connect millions of people around the world with information every day. Founded in 1998 by Stanford Ph.D. students Larry Page and Sergey Brin, Google today is a top web property in all major glob... read more »

The creator of the world’s first learning thermostat, Nest Labs is focused on reducing home-energy consumption. The Nest Learning Thermostat learns about you and your home to automatically turn itself down when you're away, guide you... read more »

Powered by VBProfiles


Mobile developer or publisher? VentureBeat is studying mobile marketing automation. Fill out our 5-minute survey, and we'll share the data with you.
32 comments
Larry Karisny
Larry Karisny

Don't underestimate the seriousness of this Nest security problem.    See my article written over four years ago on the security concerns of smart meters ( http://www.digitalcommunities.com/articles/The-Smart-Grid-Needs-to-Get.html ). There are solutions to this big IoT security issue that Nest is just beginning to expose and patches are not the fix.  What happens when we have billions of IoT out there. That's a lot of patching.  


See my video presentation on the subject and the paradigm shift in information processing required to fix the problem: http://youtu.be/EYaTeb0uQhc  . Nest security issues are just the beginning of a much bigger problem in IoT security.  

none none
none none

The Nest has 2 processors:

1) An OMAP in the Display Head

2) an MSP430 (ver 1) or a STMicro Cortex M3  (ver 2) in the Wallplate

נ. ר.
נ. ר.

very worthwhile article, thanks for sharing.

Richard J. Scully
Richard J. Scully

It looks like they used physical access to the devices USB port. I guess now we'll have to lock up our thermostats with a master lock? Very high tech ;)  The other exposure is probably the unsecured wifi network many people have. needs a VPN.

Nikunj Parekh
Nikunj Parekh

Wow. Now someone can *actually* turn up the heat on us. Quite literary. What I feel is best stated in Hindi: Paisa Vasool...

Sid Burgess
Sid Burgess

Why do I keep reading VB. Total garbage article. 

franklin tineo
franklin tineo

Anything can be hack with physical access, I don't think that can even be called a hack. I mean why would anyone already in your house sorounded by all your goodies be interested in hardwiring your freggin thermostat, let's be real.

Bob Smith
Bob Smith

So much for VB being a rational source of fact based information.  Salacious headlines, and burying the truth that this device requires physical access for a compromise to occur... come on VB, just as bad as the Huff. post.  What's next, jiggling bikini ads? 


I can hack a tennis shoe with physical access.


Stop with the fear mongering and turn back towards respectable presentation of information.  


Otherwise, all i see in your future is...Unsubscribe.

LM Stewart
LM Stewart

They also don't control your lights. Accuracy in reporting is this thing people should try.

Colin Jingleheimer Schmidt
Colin Jingleheimer Schmidt

Even 'life-hacks' are hacking, because you're reconfiguring / cheating in ways that aren't conventional.

Colin Jingleheimer Schmidt
Colin Jingleheimer Schmidt

It's hacking, because it is custom firmware / software. It's not off-the-shelf. It's custom tailored to a specific device. Technically custom ROMs are hacking. Hacking can be as loosely defined as editing files to a system.

Colin Jingleheimer Schmidt
Colin Jingleheimer Schmidt

I don't know if you know anything about how electronics work, but generally, with new systems, you need to locally develop and infiltrate before you can figure out how to do it remotely. It's pretty hard to flash memory over the air, considering you'd need to figure out the proper partition to store the file on so it wouldn't get wiped during the flash and all that..... BIOS doesn't have wireless capabilities.

Richard Nichols
Richard Nichols

OK, until you can remote connect and hack my device this story is dead... These types of stories are turning into the same types of link-baiting the Facebook Messenger permissions stories have become.

Earl C. Ruby III
Earl C. Ruby III

The first line of defense for any device is physical security. Once you've given up physical control of your laptop, phone, or thermostat, the device can be compromised. It's ridiculous to call that a "hack" or to imply that the device is insecure because you've given up physical control.

Joe Diviak
Joe Diviak

That's the only decent point made in the article. I know I wouldn't buy a Nest off of Ebay for warranty reasons alone. But most people see this type of article and think it's totally hackable from wherever.

VentureBeat
VentureBeat

as described: they can buy them, infect them, and resell them cheap on ebay.

VentureBeat
VentureBeat

as described: they can buy them, infect them, and resell them cheap on ebay.

VentureBeat
VentureBeat

The research continues on an over-the-air remote attack

Tim Fox
Tim Fox

Put the red gradient in the center.

Joe Diviak
Joe Diviak

No remote access...I wonder how many hackers are going to get into your home and directly plug in to your Nest just to hack it.....stupid article

Earl C. Ruby III
Earl C. Ruby III

So if I take your laptop, reboot it with a USB stick and install my software on it, does that prove that the laptop's OS is vulnerable to hacking?

Raphael Pacanek
Raphael Pacanek

Uploading and using a customized firmware by plugging in your USB stick and actually hacking that thing over the internet are 2 different things... Much hacking, so skills, wow

Chris Hacken
Chris Hacken

This is stupid. Of course if you have physical access you can hack it. You can hack just about anything with physical access. Take control of it over WiFi and I'll be impressed/concerned.

Some IOTSecurity Guy
Some IOTSecurity Guy

If I cook your fish in the aquarium or freeze your pipes until they burst, you might have a different reaction ... especially when you get your next energy bill.

If I turn everyone's HVAC on and off in a pattern to create a cascading failure of the electric grid ... now everyone cares.

Wade Mitchell
Wade Mitchell

The nest CAN control LIFX bulbs. Part of the "away" setting on the nest is that it turns your LIFX bulbs on & off periodically to make it seem like you're home.