Hacking Nest Thermostat

TrapX confirmed the design flaws discovered in the Nest Learning Thermostat. They validated the attack vector presented at the Black Hat 2014 conference by compromising the device and an entire home network.

“While the Nest Learning Thermostat has relatively robust security compared to most IoT devices, the attack vectors presented at Black Hat enabled our lab to completely compromise the device within our Advanced Test Bed Facility (ATBF),” said Carl Wright, general manager of TrapX. “For real-world validation, the lab then took the compromised device outside of the ATBF and installed it in a participant’s home network.”

Once the Nest Learning Thermostat was installed, TrapX Labs used it as an initial point of attack and was easily able to compromise an entire home network. Once the network was under the lab’s control, researchers were able to track the user’s Internet surfing activity and get access to their private credentials as well as data collected by the Nest Learning Thermostat, such as whether anyone was at home.

“We took the Nest Learning Thermostat apart and did a complete analysis of the operating system and potential entry points,” said Moshe Ben Simon, general manager of TrapX Labs. “During our analysis, we found an ARM processor that was running under a hardened Linux operating system. We gained root access and then were able to control the Nest Learning Thermostat from our attacking server. Make no mistake, the Nest Learning Thermostat is a well-designed and relatively secure IoT device. The problem is that the hackers are moving faster, with more intensity and more funding,” Simon concluded.

Looking beyond the Nest Learning Thermostat, which is relatively secure, there is a serious concern that the manufacturers of IoT devices at all points in the supply chain do not seem to have the economic incentives to provide initial cybersecurity support or ongoing support, including the regular integration of software and/or hardware updates. At every level of manufacturing and design, the manufacturers involved with IoT are obsessed with cost cutting and minimal design footprints.

The design chain for electronic components such as IoT usually includes two or even three manufacturing tiers, each integrating their products with the products of their suppliers. Unless their customer specifies it or unless the regulatory environment requires it for compliance, additional features for cybersecurity will not go into the product.

Key steps to improve IoT device security:

  • Perform a complete design review of all OEM components, especially those manufactured overseas. This is essential for anyone in the defense industry and highly desirable for most manufacturers that integrate electronic components and chips.
  • Consider a strategy to rapidly integrate and deploy software fixes and/or hardware fixes to your end-user customer base, especially when there is a two- or three-tier supply chain.
  • Do not allow any production versions of these devices to be bootable from a USB port.
  • Sign the software – this is a mathematical technique used to validate the authenticity of the software.
  • Use an outside penetration-testing firm to run security tests to discover vulnerabilities and help with the design review of OEM components.
  • Implement firewalls on every device to resist hacker attacks and allow only specified IP addresses in or out.
  • Protect the management channel interface from attackers and only allow limited access to the management server.