Categories: Breaking NewsHacking

Hacking home networks by compromising a Nest thermostat

A group of researchers  from TrapX Security demonstrated how to infiltrate home networks by compromising a Nest thermostat.

We already discussed in the past of the risks related to cyber attacks against IoT devices, these smart objects are everywhere, including our homes, so they represent a privileged target for hackers.

Security experts from TrapX Security demonstrated how to hack an internet-connected thermostat produced by Nest, a firm controlled by Google. The researchers made much more, by hacking the Nest thermostat they gained control of other devices sharing the same home network.

The hack is not simple to implement because the attack chain starts with a physical access to the device. The TrapX experts started from a research released last year by a group of researchers at the University of Central Florida led by engineering professor Yier Jin. The team of researchers explained that it is possible get control of the Nest thermostat by jailbreaking its Linux operating system by using the device’s USB port. The experts loaded their custom software onto the thermostat that would stop your thermostat data from being sent back to Nest’s servers. According the researchers the problem resides in the hardware itself, for this reason, it is hard to fix.

“The problem is with the way the hardware is built,” said Jin in a phone interview on Thursday. “That’s why after we released this hack almost one year ago and there’s still no fix yet. Nest can’t repair that.”

The experts at TrapX made the same by loading their software onto the Nest’s ARM7 processor chip. In this way they accessed to various information managed by the thermostat, including WiFi password for local network and data related to the presence of users at home. Data stored on the Nest isn’t encrypted while data sent to the servers over the air are encrypted. By exploiting the ARP protocol, the researchers forced other devices in the same network to exchange data with the compromised Nest device. In testing, TrapX was able to go through the compromised thermostat to exploit known software vulnerabilities found in devices like baby monitors and even a PC with an older, unpatched operating system to gain control of them.

“In testing, TrapX was able to go through the compromised thermostat to exploit known software vulnerabilities found in devices like baby monitors and even a PC with an older, unpatched operating system to gain control of them.” reported Forbes in a blog post.

“Once we’re inside the network, it’s quite trivial to escalate,” said Carl Wright, executive vice president and general manager at TrapX. “There’s a lot of devices in the home we’re able to jump off of and compromise.”

Another limit to the attack is that it will fail in presence of ARP spoofing detection software.

”All hardware devices–from laptops to smartphones–are susceptible to hacking with physical access. This is sometimes called a jailbreak or rooting–and describes the kind of hack TrapX performed. A jailbreak doesn’t compromise the security of our servers or the connections between our devices and our servers. To the best of our knowledge, no Nest device has ever been compromised remotely. That said, we are constantly working to improve the security of our devices and safeguard our customers.” commented a Nest spokesperson.

Despite there is no evidence that a Nest device has ever been compromised in the wild, the case presented highlights once again the need of security by design for IoT devices.

Pierluigi Paganini

(Security Affairs –  IoT, Nest)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

3 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

15 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

19 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.