Researchers at Black Hat USA demonstrated how they were able to compromise a popular smart thermostat.
Consumers are being bombarded by the Internet of Things (IoT) -- everyday embedded devices and appliances in your home that connect to the Internet. Those same devices are quickly becoming the targets of security researchers looking to show the dangers of such connectivity and the ill effects on owners' privacy. Last week at Black Hat USA 2014 in Las Vegas, the Nest Learning Thermostat was the latest IoT device to come under fire by University of Central Florida researchers Grant Hernandez and Yier Jin, and independent researcher Daniel Buentello.
The three researchers demonstrated the ease with which a Nest thermostat can be compromised if an attacker has physical access to the device. In less than 15 seconds, an attacker can remove the Nest from its mount, plug in a micro USB cable, and backdoor the device without the owner knowing anything has changed. The compromised Nest can then be used to spy on its owner, attack other devices on the network, steal wireless network credentials, and more.
What does this hack mean to current and future Nest owners? Not much at this point. As we saw with the recent DropCam hack, the attack requires physical access and if a bad guy breaks into your house, it's typically for something much more serious than backdooring your thermostat. However, the researchers laid out several scenarios where Nests could be purchased, backdoored, and returned to the store, or sold on Craigslist in order target specific communities.
The biggest concern here is that the owner would never know if his or her device had been hacked. Antivirus is not available to run on it and look for malicious code. Essentially, the only way to know without dumping memory and analyzing the firmware from the device would be to monitor network traffic and hope to see anomalous behavior -- something that's unlikely to happen in the majority of home networks.
(Source: Dark Readking/Sarah Sawyer)
Meanwhile, the researchers gave Nest props for a well-designed product. To date, efforts to exploit the device are limited to physically plugging in USB cable, but the researchers are busy...
Click here to continue reading this article on EE Times' sister site Dark Reading.