Google's Nest thermostat hacked with Linux -- backdoor enabled on device
Sometimes it feels like the whole world went and got crazy. It's true, with every passing day, all types of newfangled gadgets, doodads and wild ideas are released. Google is at the forefront, with Google Glass, self-driving cars and Nest internet-connected thermostats. Truth be told, I'm hardly a Luddite, but I am wary of having a computer and camera strapped to my head or having my home connected to the internet.
I am not scared of the technology, but of the hackers. You see, anything connected to the internet has the capability of being hacked or exploited. This makes me hesitant to embrace the connected home. Think I'm crazy? Think again. Today, popular Google TV hacking site GTV Hacker announces it has hacked the device to enable the booting of unsigned code. If you own a Nest, hackers could have a backdoor into your home.
"This device, although seemingly useful, if not well protected can allow an attacker the ability to remotely monitor user's habits or network traffic. Below, we will go into a method of attacking Nest brand thermostats by leveraging the device's DFU mode to boot unsigned code at the boot-loader level. What this means in layman's terms is that we are able to hijack the device’s code flow very early on, allowing us to make changes without ANY restrictions", says GTV Hacker.
The site further explains, "our attack on the Nest thermostat is simple, we use the device's recovery mode to run our own modified boot-loader (stage one and two). We then use our loaded boot-loaders to initiate a Linux kernel that is used to modify the file system on the Nest. We then add a SSH server running as root as well as functionality to create a reverse SSH tunnel to a specified host using the Nest's virtual drive".
Below, you can see a chart detailing the exploit:
You can see video of the exploit being done on a Linux machine below:
As you can see, this is a very serious issue not only for Nest owners, but for Google too. So far, the Nest acquisition seems to be more trouble than it is worth. Sales of the company's Smoke and Carbon Monoxide detector had to be halted for safety concerns and now the thermostat is exploited. Google is a company that deals with a lot of sensitive user data and something like this is a huge blemish on its reputation. Even though the search giant did not create this product, it is now a Google product and the company must bear the burden of negative press -- it can't only reap the kudos.
If you are a Nest user, I probably wouldn't panic yet. It seems the hacker would need physical access to the device, which limits the risk. However, a devious person could exploit it while in your home and then control it remotely later. Hopefully Google can release an update to make the thermostat more secure and block the exploit.
If you have been considering buying a Nest, I would caution you to hold off for now and watch everything unfold before making a decision. In the meantime, try getting up from your chair and controlling your home's temperature -- crazy concept, I know.