[Updated with a comment from Nest]
The immortal words of Hal, the rogue computer in 2001: A Space Odyssey, showed up on the display of a Google Nest appliance control system. That’s not supposed to happen.
But hackers at the Black Hat security conference this week made those words appear on a Nest display after they showed how they compromised the device in front of an audience of hundreds. The vulnerability of the Nest device, which can control your thermostat or lighting, shows the flaws in security that could slow down the rush to connect all of our devices to the internet in the so-called “internet of things.” Hacking smart devices was a big theme of this year’s show. [See our photo gallery showing the cultures of Black Hat and Defcon here].
“This goes back to the theme of what are we sacrificing in the name of convenience,” said Daniel Buentello, a student security researcher at the University of Central Florida and one of four presenters who talked about hacking the smart device. “This is a computer that the user can’t put an antivirus on. Worse yet, there’s a secret back door that a bad person could use and stay there forever. It’s a literal fly on the wall.”
Nest uses your home’s sensors to tell when you are home, and it adjusts the temperature to your liking. If you are not home in the afternoon, Nest will put the heater or air conditioner into low-energy mode. It works so well that Google paid $3.2 billion to acquire the company earlier this year.
“If I were a bad guy, I would tunnel all of your traffic through me, sniffing for any kind of credentials like credit cards,” Buentello said. “That’s horrible because if you have a computer, it crashes and you take it to Best Buy. How the hell will you know your thermostat is infected? You won’t.”
The thing has a silver rim and black display. Buentello and the team — Orlando Arias, Grant Hernandez, and Yier Jin (engineering professor) — put an image of HAL 9000, the rogue computer from 2001: A Space Odyssey, in its center to show that they could take over the machine live on stage. A second screen showed the dialogue from the film, “I know that you and Frank were planning to disconnect me, and I am afraid that is something I cannot allow to happen.”
In a statement, Zoz Cuccias of Nest said, “All hardware devices – from laptops to smartphones – are susceptible to jailbreaking; this is not a unique problem. This is a physical jailbreak requiring physical access to the Nest Learning Thermostat. If someone managed to get in your home and had their choice, chances are they would install their own devices, or take the jewelry. This jailbreak doesn’t compromise the security of our servers or the connections to them and to the best of our knowledge, no devices have been accessed and compromised remotely. Customer security is very important to us, and our highest priority is on remote vulnerabilities. One of your best defenses is to buy a Dropcam Pro so you can monitor your home when you’re not there.”
Nest has Wi-Fi access so that data can be sent to it from various sensors and get automatic updates and energy usage reports. The device can store two gigabytes of data. It has a rechargeable battery and an ARM Cortex M3 processor from Texas Instruments. It also has two motion sensors that can detect whether you are moving through the house.
Buentello plugged a universal serial bus (USB) into the device to put it into developer mode. When you do that, you can upload your own custom code into the device. It has configurable boot options, and the hackers use that to load their own software, so long as they know the correct boot pin configuration. There is no “chain of trust” security procedure, and Jin said that for future internet of things devices, he recommends such precautions be implemented.
“It was not so difficult and target the device,” Hernandez said in the talk.
That allows you to compromise the existing code, then put your own in. Then you reboot it. Hernandez said he could program the device to send data to him as well as the customer actually using the device. The hackers can gain full root access to the device, or pretty much do anything they want with it.
The hackers didn’t show they could hack the device remotely. Rather, they needed the physical access to the device. But that might not be that hard to do. You could buy devices, compromise them, and then put them up on eBay for resale.
They were able to send data to the device such as temperature data, rest settings, and other data.
Hacking the device can have severe consequences. You could compromise one Nest and use it to corrupt other Nest devices in the larger network, Buentello said. It also shows the way that you live, and that could be useful to a spy. The hackers are releasing a a tool for Nest users s that they can patch the device.
“This has a lot more implications than a normal thermostat,” Hernandez said. “It’s a node on your network which you control on your phone. You can then use normal attacks against the network to gain access to other devices.”
Hackers said they could also “brick” the device, or disable it.
Buentello said, “We are giving up our privacy to this device, and we don’t know anything about it.”
In comments to other publications, Google said a very small number of devices have been actually compromised, as it tracks changes to the devices. Jin said the possibility of a “remote attack” is still under investigation.
“This thing always reminded me of HAL 9000,” Hernandez said.