Hacking home networks by compromising a Nest thermostat

A group of researchers  from TrapX Security demonstrated how to infiltrate home networks by compromising a Nest thermostat.

We already discussed in the past of the risks related to cyber attacks against IoT devices, these smart objects are everywhere, including our homes, so they represent a privileged target for hackers.

Security experts from TrapX Security demonstrated how to hack an internet-connected thermostat produced by Nest, a firm controlled by Google. The researchers made much more, by hacking the Nest thermostat they gained control of other devices sharing the same home network.

The hack is not simple to implement because the attack chain starts with a physical access to the device. The TrapX experts started from a research released last year by a group of researchers at the University of Central Florida led by engineering professor Yier Jin. The team of researchers explained that it is possible get control of the Nest thermostat by jailbreaking its Linux operating system by using the device’s USB port. The experts loaded their custom software onto the thermostat that would stop your thermostat data from being sent back to Nest’s servers. According the researchers the problem resides in the hardware itself, for this reason, it is hard to fix.

“The problem is with the way the hardware is built,” said Jin in a phone interview on Thursday. “That’s why after we released this hack almost one year ago and there’s still no fix yet. Nest can’t repair that.”

The experts at TrapX made the same by loading their software onto the Nest’s ARM7 processor chip. In this way they accessed to various information managed by the thermostat, including WiFi password for local network and data related to the presence of users at home. Data stored on the Nest isn’t encrypted while data sent to the servers over the air are encrypted. By exploiting the ARP protocol, the researchers forced other devices in the same network to exchange data with the compromised Nest device. In testing, TrapX was able to go through the compromised thermostat to exploit known software vulnerabilities found in devices like baby monitors and even a PC with an older, unpatched operating system to gain control of them.

“In testing, TrapX was able to go through the compromised thermostat to exploit known software vulnerabilities found in devices like baby monitors and even a PC with an older, unpatched operating system to gain control of them.” reported Forbes in a blog post.

“Once we’re inside the network, it’s quite trivial to escalate,” said Carl Wright, executive vice president and general manager at TrapX. “There’s a lot of devices in the home we’re able to jump off of and compromise.”

Another limit to the attack is that it will fail in presence of ARP spoofing detection software.

”All hardware devices–from laptops to smartphones–are susceptible to hacking with physical access. This is sometimes called a jailbreak or rooting–and describes the kind of hack TrapX performed. A jailbreak doesn’t compromise the security of our servers or the connections between our devices and our servers. To the best of our knowledge, no Nest device has ever been compromised remotely. That said, we are constantly working to improve the security of our devices and safeguard our customers.” commented a Nest spokesperson.

Despite there is no evidence that a Nest device has ever been compromised in the wild, the case presented highlights once again the need of security by design for IoT devices.

Pierluigi Paganini

(Security Affairs –  IoT, Nest)