updated 09:38 pm EDT, Wed July 16, 2014
Nest is essentially jailbroken, uses a custom tool to end reporting back to company
A group of researchers from the University of Central Florida (UCF) discovered a way to root the Nest thermostat while looking for a way to hack the device to steal data and install malware. Led by engineering professor Yier Jin, the team used physical access to accomplish the hack, even though the device is built with security in mind. In the course of that work, the team came up with a way to stop the device from reporting data back to Google (or Nest).
Attempts to bypass and gain access through the software previously failed, indicating that Nest places some emphasis on outside security of the "Internet of Things" device. However, once the team found that they could gain access, it was discovered that the attack method could also be used to bring an end to a privacy concern that had circled around the device.
By taking control of the Nest during its boot sequence, the team was able to install custom firmware after rooting the device. The process is similar to jailbreaking devices such as the iPhone, but the team doesn't come out and explain it as such. The method attacks at the hardware level, bypassing the software with a USB-level exploit to gain access to the Nest in less than 15 seconds.
As with many other smart electronics, data reporting and an illusion of security are common concerns about these types of devices. While the Nest is marketed as a thermostat, it's actually much more than that. Equipped with ARM processors, Wi-Fi and Zigbee, the wall-mounted unit is more like a single-purpose computer. If hackers were to gain access to it over the web, they could use it to gain access to a network and take whatever is there to be found that can be compromised.
An article from Forbes outlines information from the researchers about the process, as well as some concerns about the Nest. During a month-long observation period of the device, the researchers found that the Nest reported 32MB worth of data back to the company. Information included data on temperature, settings at-rest and information based on the home. The data isn't a gem to be used for nefarious means, but could be used to tell a party when a home isn't occupied. With the researchers' workaround in place, this data would no longer be intercepted in transit.
"Using this vulnerability, we can patch the Nest from sending that data to Nest servers. There was no performance impact whatsoever on the unit we tested this on," said UCF senior Orlando Arias.
In a stock version of a Nest, users can stop the data reporting by turning off Wi-Fi access, but that ruins the intent of the device. By turning it off, users can no longer access the thermostat from other devices, or receive firmware updates. To compound the matter, Nest offers no other way to stop the data reporting.
"The Nest doesn't give us an option to turn that off or on. They say they're not going to use that data or share it with Google, but why don't they give the option to turn it off?" said Yier Jin.
Matt Rogers, cofounder of Nest, commented on the development, saying that consumers miss out on a lot of the security advantages of the device if they choose to hack it. Using Heartbleed as an example, he states that large security issues that come up won't be able to be fixed if the device is altered. Ultimately, he realizes that what consumers want to do with their hardware is up to them.
"Just like when you jailbreak a phone, all bets are off," said Rogers. He adds that Nest also knows if a device has been jailbroken, as the software is signed. The company has witnessed a small number of devices "doing weird things" attributed to researchers.
When reporter Kashmir Hill asked Rogers why there wasn't an option to turn off the data reporting, he stated that it wasn't a big request from Nest's user base. He said that "there's a very small vocal minority" that doesn't want the company to have the data even though Nest gives them "a lot of value" for it.
The UCF researchers plan to show off the Nest tool, as well as the hacking results, at Black Hat this August. The tool is said to be released after the conference.