Blame Where Blame Is Due
Remember, Nest is operating separately from Google, they managed to cock it up all on their own. Sounds like they could do with borrowing some security auditors, though!
Google's Nest thermostat, poster-child for its Internet of Things ambitions and data collector of your home habits, gives root access to anyone with a USB drive and a quarter-minute to spare. That's the conclusion that Yier Jin, Grant Hernandez and Daniel Buentello have come to, and told the world in their presentation to …
I strongly disagree. The Internet of Things is the future. As all right-thinking people know. We can leverage the synergies into a new paradigm of strategisation.
Also, once this is done, I'm going to be the thought-leader of the next big thing. The IoW - Internet of Weapons. There are so many advantages to this. Why have journalists on the ground, when all bombs can send their camera footage direct to the BBC? Why pay expensive intelligence analysts, when the wisdom of crowds can be leveraged to gain accurate targeting information? I have seen the future, and it's online voting to set the targets for Britain's nuclear deterrent*
*Obviously it'll be Paris. Or depending on how September's vote goes, Edinburgh...
"*Obviously it'll be Paris. Or depending on how September's vote goes, Edinburgh..."
What, we nuke the Scots when they fail to vote for independence? Sounds good to me.
And then we just write to the Welsh Assembly telling them they are now independent, thanking them for the slate and wishing them good luck as a sovereign nation.
I'd not want to run such devices with some Google software which is designed to spy on me, but with software coming from a source I trust. In fact, since the task is rather simple, I'd want to be able to write my own software to put onto those devices.
It's not a security vulnerability, it's a security feature. Running your own code means that you can get rid of all the security problems the manufacturer put in there.
We must stop seeing "running your own code" as a security problem, since "code is law" and only if you can decide what code a device runs do you truly own it. Seeing more and more devices going against the will of the person who paid for them, that's a really important thing.
In a world where most people aren't developers, most people will always run someone else's code. "Run your own code" is fine for you and me, less so for my parents, my sister, my in-laws, and most of the other people who will be using these devices.
And I don't know about you, but I spend enough time doing friends'n'family tech support as it is. I don't want to be security-auditing or writing new firmware for every single new gadget they buy! I hardly have enough time to get things done as it is.
"In a world where most people aren't developers, most people will always run someone else's code."
You're completely missing the point. Of course you won't have to security-audit all the code you are running yourself, but you can get code from other trusted sources. Just like people now replace their Windows XP or Windows 8 with some Linux, or replace their manufacturer-branded Android with CyanogenMod, being able to choose what software runs on those devices is a good thing.
Just imagine Google deciding to "upgrade" the software to display ads. Or to sell off the data they collect from those devices. Just because Google doesn't do this today, they could one day get into financial trouble and be sold to a company with other ideas. In the 1990s nobody would have thought IBM would sell off their PC division.
And seriously, how is the mentioned "security hole" even a security hole? If you have 10 seconds alone with such a device, you could also simply replace it with an identical-looking other device. Or you could just stick additional hardware onto it.
I agree.
So we get some code from a so-called "trusted source". This is all well and good should this be fine; however, there is always the risk that this code has already been modified and we end up with the security hole.
The other problem is that most people, meaning the majority of consumers, use the same login credentials for everything. To them a user name and password are a pain and a bother rather than an account protector. This is why we see so many security breaches due to soft passwords. How many machines have we seen where the password is a birthdate, a child's name, or something very guessable? With the end-user putting their already soft password on all their devices, and with this being the same password on their bank accounts, computers, credit card accounts, etc., this gives cyber-criminals another backdoor into their data.
When General Electric (GE) was showing the house of the future with networked devices, the first thought that came to mind was that this is one big security issue, with everything connected to the outside world. Monitoring one's home remotely and adjusting the thermostat can still be done the old-fashioned way. Have a neighbor go in and feed the cat, water the plants, and adjust the thermostat if need be. At least in this case we'd know who was doing anything in the house, and there would be someone to point fingers at should there be a problem.
A hacker (who would have to have access to my house in the first place) can control my air conditioner. How will I cope?
Maybe they'll set the temperature too high and we'll feel the house is a little too warm, or maybe too low and it'll feel cold. And if I work out that the Nest is compromised - what shall I do (other than run out to Lowes and pick up a $19 thermostat to replace it)?
End of the world stuff folks.
Or if someone feels particularly inventive with a job lot of them, they could root the device, install a keylogger and a modified sign-up page before selling it to you, asking for your
email address (that you use everywhere),
password (that you use everywhere),
mother's maiden name (that you use everywhere),
and street address (hurrah, now we can take a loan out in your name!).
Whether it works after all that is irrelevant - at that point your details are snarfed, and unless you know what it's done - which most consumers won't, and setting it up to capture the original relevant set-up data and pass that through so that the device is functional afterwards can't be impossible - they might not know that their details have been snarfed till they get debt collectors at their door.
So yeah, a bit more than just tweaking your thermostat for the LULZ.
To install a tracker to work out when someone is away from their house, so you can break in, you first need to break in, find out if they have a Nest, and then install a firmware on it that behaves exactly like the original but includes a backdoor that reports when your victim isn't home...
OK then... Makes me wonder why they have Black Hat conferences if this is the best they can come up with.
… Lock down your networkable gadget and keep it OFF the Internet. Thousands of TIOT gadgets have already been botted and implicated in DDOS bot attacks, spam spewing, etc.
IOW: Do Not Expect TIOT devices to have viable security at this time. Instead, expect them to be hacked, botted, zombied, surveilled and generally unsafe if networked.
Personally, I feel this is a feature rather than a security defect. I like the fact that the hardware is yours to own and hack if you want to. Devices need to be firmware-upgradable, and to be honest, if someone has got into your house and has time to attach a USB stick to your Nest then you're vulnerable anyway. I can easily hack your PC if given time with it and a bootable DVD or USB stick.
What would improve things is making sure the end user is aware of this feature and perhaps having a way to disable it - or perhaps enable it if disabled by default.
I'm not a Nest owner by the way, I'm very happy with my Tado. Incidentally they can be upgraded remotely as I discovered when they fixed a bug I found that stopped it working with Sky Broadband.
I've just found you can do this with practically any computer or laptop!
All you need is an uber-dangerous hacker tool called a 'boot disk' and you can load your own software onto the computer without logging in!!!
Remember, these are real computers with important things like accounts, porn and World of Warcraft characters stored on them.
But, shh, keep it to yourselves guys, I might present this at next year's DEF CON.
But seriously, this actually makes it more likely that I will buy one. I was interested in Nest when it first came out but was instantly turned off by its reliance on 'the cloud'. If I can mod the software on these to only talk to my servers, I could be interested.
I like home automation, as long as all that data stays within my security domain.
No computer/device is secure given physical access. As others have said, this is not a vulnerability, it's standard functionality like a Windows boot disk, or booting Linux into single-user mode.
A true vulnerability would be via remote access, either via the net or some remotely-attached device.
Because you're a) a new user, and so subject to manual pre-moderation on all posts, and b) you're directly criticising El Reg, which is not permitted hereabouts. Read the comment guidelines to learn more: http://www.theregister.co.uk/2012/02/01/register_comments_guidelines/
Ever since the Snowden thing I've been pretty much moving away from online/connected services, and towards encryption of everything in sight. But what about that really dumb London Underground ad campaign? Trying to sell thermostats at the height of summer when it was 40 degrees down in the tunnels!
Flash a Nexus phone left on a window-sill to do the same...
Perhaps Google/Nest should digitally sign all firmware and lock all bootloaders; that will fix it. But we all know it won't. Then Google will be evil for restricting what people can do with their devices that they OWN...
Come on people, be consistent for Christ's sake...
Is it a coincidence that we are getting close to the launch of a new batch of iDevices? The number of Android bashing stories seems to have increased in the past few days, all of them focusing on device security.
It's hard to imagine a scenario where this would either happen or be a serious problem. This could be the plot for a new Austin Powers movie, where Dr Evil threatens to turn up everyone's thermostat by one degree to make them slightly uncomfortable unless they pay him 'One Million Dollars'.