Google’s Nest Smart Thermostat Can Be Hacked to Spy on Owners
LAS VEGAS — Google’s Nest “smart” thermostats may be the most secure devices in the “Internet of Things,” but they can still easily be hacked, three researchers showed today (Aug. 7) at the Black Hat security conference here.
Yier Jin and Grant Hernandez of the University of Central Florida, along with independent researcher Daniel Buentello, demonstrated that by holding down the power button on a Nest device for 10 seconds, then plugging in a USB flash drive, one can inject malicious software that can take over the device.
Normally, the Nest will accept only firmware updates “signed” with the company’s cryptographic key. But pressing the power button while plugging in a USB device overrides that check, allowing anyone to upload custom firmware.
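The failure described above is a signed-update check that holds on the normal update path but is skipped on a physical recovery path. The following added example, which is not code from the original article or from Nest, models that weakness beside the hardened form: the verification routine is applied on every path, so a recovery or USB boot only changes where the image comes from, not whether it is checked. It uses an HMAC tag as a stand-in for the vendor’s asymmetric signature (an assumption made so it runs with only the standard library); on a real device the verification key would be a public key in read-only storage, so that dumping the device never yields signing capability.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's verification key. On a real device this
# is a public key in ROM, not a shared secret; HMAC is used here only so the
# example runs offline with the standard library.
VENDOR_KEY = b"constructed-example-key-not-a-real-secret"


def sign_firmware(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: produce the tag that ships alongside a firmware image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_firmware(image: bytes, tag: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Device side: constant-time comparison of the shipped tag against a recomputed one."""
    return hmac.compare_digest(sign_firmware(image, key), tag)


def install_update_weak(image: bytes, tag: bytes, recovery_mode: bool) -> bool:
    """Models the flaw: the recovery path (button held + USB) accepts any image
    without consulting the signature check at all."""
    if recovery_mode:
        return True  # image written unverified
    return verify_firmware(image, tag)


def install_update_hardened(image: bytes, tag: bytes, recovery_mode: bool) -> bool:
    """Hardened form: verification is unconditional. Recovery mode may change the
    image source (USB instead of the cloud) but never bypasses the check."""
    del recovery_mode  # deliberately has no effect on the decision
    return verify_firmware(image, tag)


def demo() -> dict:
    """Constructed firmware images: one genuinely signed, one tampered with a
    forged tag. Returns the accept/reject decision of each loader per path."""
    genuine = b"nest-firmware-v1: constructed sample image bytes"
    genuine_tag = sign_firmware(genuine)

    tampered = genuine.replace(b"v1", b"v1-modified")
    forged_tag = hashlib.sha256(tampered).digest()  # attacker has no vendor key

    return {
        "weak_normal_genuine": install_update_weak(genuine, genuine_tag, False),
        "weak_normal_tampered": install_update_weak(tampered, forged_tag, False),
        "weak_recovery_tampered": install_update_weak(tampered, forged_tag, True),
        "hardened_recovery_genuine": install_update_hardened(genuine, genuine_tag, True),
        "hardened_recovery_tampered": install_update_hardened(tampered, forged_tag, True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The weak loader rejects the tampered image on the normal path yet accepts it the moment recovery mode is set, which is exactly the shape of the button-plus-USB bypass; the hardened loader gives the same answer on both paths. The practical check for any device with a recovery or bootloader mode is therefore not “does it verify updates?” but “is there any boot path on which an unverified image is written to flash?”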
So what’s the big deal about hacking a thermostat? Well, the researchers explained, the Nest is much more than just a thermostat. It’s actually a full-fledged Linux computer with 2 gigabytes of flash memory, Wi-Fi networking and proximity sensors.
The Nest can tell when you’re home or not, knows your postal code, knows your Wi-Fi network name and password (and stores them in plain text), and can communicate with other nearby Nest devices using the company’s custom implementation of the Zigbee mesh-networking protocol.
The Nest routinely uses the Internet to communicate with the Nest cloud, but can be modified to contact any other device on the Internet. As such, mass compromising of Nest devices could be used to create a malicious botnet to pump out spam or malware — or sell information about homeowners’ habits to burglars.
“How the hell are you ever going to know your thermostat is infected?” Buentello wondered. “You won’t!”
Take home message:
This burglar risk applies to smart meters that control electricity to your home. GCHQ and privacy activists both agree – DO NOT INSTALL a smart meter.
Burglars can access both the smart meter and the Google thermostat to detect when you are away from home. A burglar can monitor the “pattern” of your habits: know that you go out early on a Sunday, or stay out late on a Saturday. Either way, it provides an attack vector against you. Now, will insurance companies pay out on a burglary where your devices transmit your movements? Surely the next stage will be that insurance premiums will rise if you use a smart meter, or some companies may refuse to insure you. Either way, you should prepare for discrimination and social profiling that increases your premiums.