Nest Thermostat Security Risk Disclosed at Black Hat

A researcher finds possible security risks with Nest thermostats, though Nest Labs itself is downplaying the risk.

Nest thermostat

LAS VEGAS—Among the most well-known Internet of things (IoT) devices in the consumer market is the Nest Learning Thermostat. According to research discussed at the Black Hat USA security conference here, there is also a potential security risk with the thermostat that could enable a backdoor attack.

In an interview with eWEEK, researcher Yier Jin from the University of Central Florida explained that he is particularly interested in the hardware security of IoT devices. His research team started by looking at the boot process for the Nest thermostat, which is where he found what he considers to be a backdoor.

According to Jin, the backdoor his team found can bypass verification and enable an attacker to install a customized kernel that could run arbitrary code. The researchers found the backdoor on just the thermostat and not on the Nest Protect smoke detector. Nest Labs currently has just two products: the thermostat and the smoke detector. Nest itself was recently acquired by Google for $3.2 billion.

On the Nest thermostat, Jin and his team were able to load their own firmware because there is no secure boot mechanism on the device. With secure boot, a device first checks the authenticity and integrity of a boot image before it is loaded.

The only time Nest performs firmware verification is when a new software image is downloaded from the Nest Labs site for the user's device. Nest Thermostat updates are cryptographically signed, and if the signature is not valid, the software won't boot.

"Since our attack controls the boot process, we can bypass the Nest software stack and do whatever we want to do," Jin said.

From a technical perspective, Jin and his team didn't actually replace the on-device Nest firmware. The thermostat has two partitions for running a software kernel, and there is also space for a different root filesystem.
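To make the distinction between update-time verification and boot-time verification concrete, here is an added illustration (not code from Nest Labs or from Jin's team) that models a device with two kernel slots: an update path that checks a vendor signature, and a boot path that either loads the active slot as-is or re-verifies it first. The vendor key, the sample image contents and the use of an HMAC tag as a stand-in for a real asymmetric signature are all constructed assumptions.

```python
import hashlib
import hmac

# Stand-in for the vendor signing key. Real secure boot verifies an asymmetric
# signature against a public key pinned in immutable storage; an HMAC tag
# plays that role here so the example runs with the standard library only.
VENDOR_KEY = b"constructed-vendor-key"

def sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

def verify(image: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(image), tag)

class Device:
    """Two kernel slots plus a boot selector, as the article describes."""
    def __init__(self, secure_boot: bool):
        self.secure_boot = secure_boot
        self.slots = {"A": (b"", b""), "B": (b"", b"")}  # slot -> (image, tag)
        self.active = "A"

    def apply_update(self, slot: str, image: bytes, tag: bytes) -> bool:
        # Update path: the one place the thermostat checks a signature.
        if not verify(image, tag):
            return False
        self.slots[slot] = (image, tag)
        self.active = slot
        return True

    def flash_directly(self, slot: str, image: bytes) -> None:
        # A write that bypasses the update path (what physical access allows).
        self.slots[slot] = (image, b"\x00" * 32)
        self.active = slot

    def boot(self) -> str:
        # Without secure boot the active slot is loaded as-is; with secure boot
        # each slot is re-verified and an unverified slot is skipped.
        order = [self.active] + [s for s in self.slots if s != self.active]
        for slot in order:
            image, tag = self.slots[slot]
            if image and (not self.secure_boot or verify(image, tag)):
                return f"booted {slot}: {image.decode()}"
        return "halt: no verified image"

def scenario(secure_boot: bool) -> str:
    dev = Device(secure_boot)
    official = b"vendor-kernel-v1"  # constructed sample image
    dev.apply_update("A", official, sign(official))
    dev.flash_directly("B", b"unsigned-custom-kernel")  # constructed sample
    return dev.boot()
```

Run `scenario(False)` and `scenario(True)` side by side: the update-only device boots whatever sits in slot B, while the secure-boot device skips the unverified slot and falls back to the signed image in slot A.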

For its part, Nest Labs stressed that the security research conducted by Jin and his team requires physical access to the device. In a statement sent by Nest Labs to eWEEK, the company noted that Jin's research is a physical jailbreak requiring physical access to the Nest Learning Thermostat.

"It doesn't compromise the security of our servers or the connections to them and to the best of our knowledge, no devices have been accessed and compromised remotely," Nest stated.

Even though physical access is required, there are some interesting things that can be done to the Nest thermostat.

Jin said what his team has done at the preliminary stage is to just include additional functionality rather than remove any existing capabilities. Potentially it is possible to modify the code such that the device will not be able to connect directly to Nest Labs to get an update. It's also a possibility that log files and data from the Nest can be obtained from the device.

Looking at the Nest log files, Jin said that a lot of different information is collected. Running the Nest thermostat for one month, Jin was able to generate a 32MB log file. Log file information can include device setup information as well, which will include the location of the device and the type of house it is installed in.

"They [Nest] probably know everything that is going on with a device, perhaps more than what we want Nest to know," Jin said.

One of the capabilities that Jin's team can add to its custom Nest firmware is to actually block logs from being sent back to Nest Labs.

Another item that is stored in the Nest thermostat is the local WiFi network's access credentials. As such, if someone is able to gain access to the internals of the device, they might possibly be able to pivot to gain access to other parts of the same network.

Jin has a simple suggestion on how to limit the risk of an internal network pivot—simply put the Nest thermostat on its own network. He explained that the Nest uses HTTP and a secure tunnel to send information back to Nest and it uses NTP (Network Time Protocol) for internal time.

"If you can isolate the thermostat on the network, it's probably a good idea," Jin said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.