Nest Hackers Will Offer Tool To Keep The Google-Owned Company From Getting Users' Data

This article is more than 9 years old.

Those with Nests in their nests have a smart thermostat that learns about their behavior over time for more efficient heating and cooling; if you’re never home in the afternoons, it knows that’s a good time to switch to low energy mode. It’s become one of the most successful members of the Internet-of-Things club, leading Google to pay $3.2 billion in cash to acquire the company earlier this year, and leading security researchers to poke around to see how hackable the device is. “When you have a big install base, you have a target on you,” says co-founder Matt Rogers.

No one has hacked the Nest remotely, but a few hackers have found ways to break into the system when they have physical access to the device. First these dudes, and now a group of researchers from the University of Central Florida led by engineering professor Yier Jin who tore the Nest apart and found that they could take control of the Nest system while it’s booting up, allowing them to secretly siphon data and install malware that could botify the Nest. “The software is obviously designed with security in mind, but the hardware has problems,” says Orlando Arias, a UCF senior. While data about people’s energy use is not super sexy spy stuff, it does reveal living patterns. They plan to present their Nest teardown at August security conference Black Hat – Nest Thermostat: A Smart Spy In Your Home – and have also uploaded a video to YouTube of UCF student Grant Hernandez doing a "hack unboxing."

But the team says the security flaw may have a privacy upside. Like so many connected devices, Nest devices regularly report back to the Nest mothership with usage data. Over a month-long period, the researchers’ device sent 32 MB worth of information to Nest, including temperature data, at-rest settings, and self-entered information about the home, such as how big it is and the year it was built. “The Nest doesn’t give us an option to turn that off or on. They say they’re not going to use that data or share it with Google, but why don’t they give the option to turn it off?” says Jin.

Their hack is essentially a jailbreak of the device – though they hesitate to use that term – allowing for new programs to be written onto the system, so they wrote a program to prevent data from being sent back to Nest, without otherwise interfering with Nest’s functionality. After their presentation at Black Hat in Las Vegas, they plan to release the tool to Nest users who are paranoid about corporate access to their data. "Using this vulnerability, we can patch the Nest from sending that data to Nest servers. There was no performance impact whatsoever on the unit we tested this on," said Arias. In a white paper accompanying their presentation, they say the Internet of Things -- with its connected devices tying users to companies that can monitor them -- means consumers may need to "hack our own purchased devices in order to protect our own privacy and to add features manufacturers do not include."

“We’re trying to make [the Nest tool] easy to install and make it easy to turn that data collection on and off,” says Jin. “But it’s a fine line to tinker with these devices. Most manufacturers say it will void the warranty.”

Nest cofounder Matt Rogers was understandably skeptical about such a tool. He says Nest users can turn off the device’s Wi-Fi access to stop data from being sent to Nest, but they lose the ability to operate it remotely, get automatic software updates, and receive energy reports. “One of the advantages of being connected is that when things like Heartbleed come up, we can immediately push down a fix,” he said. “What people want to do with their hardware is up to them. But this is their heating and cooling and their smoke alarms and you want our secure software on it. Just like when you jailbreak a phone, all bets are off.”

Rogers reiterated that Nest doesn’t share data with Google, but says Nest does benefit from the company’s security expertise – expertise jailbroken devices would miss out on. Nest has its own security engineers, undergoes external audits, and has Google doing checks. “They’re the best security team in the world, but they only found a few bugs,” he said.

When devices are jailbroken, Nest can tell, says Rogers, because Nest’s software is signed. It can see when researchers are playing around with the operating systems, though Rogers says only “a very small number of devices are doing weird things.”

I asked why Nest doesn’t have an option to turn off data sharing. Rogers says it hasn’t been a big request from users. “There’s a very small vocal minority who don’t want us to have that data,” he says. “We give them a lot of value from that data.” He says that the company improves its algorithms – and saves customers money – by being able to analyze behaviors from many different homes.

And there are societal benefits, he says. “With our smoke detectors, we found that there’s way more carbon monoxide in homes than anyone realized. We can take that info to regulators,” he says. “The biggest carbon monoxide survey that ever happened before was hundreds of homes; we have thousands.”

As for the vulnerability that allows someone to hack the device if they have physical access to it, Rogers was sanguine, as that’s basically the case with any computing device. If someone gets access to your smartphone or laptop, you're similarly pwned.

Jin says he was impressed with Nest’s security overall. “Nest keeps security in mind, but still, they should do more,” he said, hoping the company will take a possible security solution his team proposes -- letting only signed programs execute on the kernel and encrypting the file system -- into consideration. Of course, if Nest does, and it works, his team's "privacy-enhancing" Nest tool wouldn't work.