Hundreds of pages could be written about the security state of the Internet of Things (IoT); the tricky thing about embedded devices is that security often seems to be an afterthought. The recent Black Hat conference in Las Vegas touched on IoT security and DEF CON broached the subject as well. In addition to the potential for harm caused by a breach of the device — a malfunctioning security alarm or smoke detector — these devices collect data in order to function, much of it sensitive. According to an HP Research Study on the IoT, 90% of these devices collect at least one piece of personal information. Though necessary for some of the useful abilities of these products, the aggregate data, if stored or found improperly, can be devastating. And with potentially billions of these devices in the near future, securing them is no trivial matter.
Unfortunately, many IoT companies are not paying enough attention to security — at DEF CON, a talk called “Hack All the Things” went over 20 devices, some IoT, that had recently been hacked by the group. With an explosion of IoT security services and even an initiative to help smaller IoT companies with security, the [world] is starting to wake up to the severity of this issue. But the best security starts from the beginning, with the design of the product. Nest and its founder Tony Fadell understand this has been very careful about security concerns even when designing Nest products. Though he doesn’t even want to call Nest an IoT product, he appreciates the [integral nature] of security to his project. Ironically enough, Nest’s parent company Google itself has had serious security issues with its own devices, but Nest has not — for the most part — fallen into this trap.
Nest’s security is, for the most part, quite impressive. (Un)fortunately, researchers from the University of Florida took to one of the biggest stages at Black Hat to expose a way to compromise the Nest using a hardware feature – namely, a USB port that, combined with reset, allows you to put the device in developer mode. The USB port can only be used if the adversary forces the Nest into a global reset by holding down the power button for ten seconds. With some pretty priceless 2001: A Space Odyssey references and computer generated graphics, the hour-long talk got the point across — by no means is the Nest thermostat unexploitable. The Nest thermostat still cannot be taken advantage of remotely without access, at some point in the process, to the physical device. But physical vulnerabilities should not be a surprise: the recent HP report on the IoT even recommended that companies should be “reviewing the need of physical ports such as USB,” the exact weakness in Nest’s system. With access to the Nest device, an adversary could control other Nest thermostats in the network, collect valuable data on the victim (knowing when a person isn’t home can be surprisingly useful for robberies), and manipulate the various devices the Nest controls.
Though the team has not yet found a way that the Nest can be exploited remotely, even a physical exploit could prove to be seriously problematic. Zeljka Zorn of HNS points out that “good social engineering can convince you to allow strangers into your house” and allow an adversary to bring the Nest under his control. Additionally, the researchers expressed their worry that clever criminals could resell hacked Nests on Ebay or Amazon, getting them into homes that way.
The Nest is not the only major technology with a USB achilles heel: Caroline Hall of FierceMobile IT recently reported an iPhone vulnerability using the USB port: unsigned code could be pushed onto the device using the USB. A number of years ago, Wall of Sheep even installed a USB charging station at DEF CON, showing that though for years we’ve known that USB connectivity can be a major security flaw, the general public is simply not educated enough on the potential dangers of USB ports….or they simply don’t care.
However, security issues like this do not spell the end of IoT devices, nor of Nest. When the researchers asked how many in the audience had Nest devices, about half raised their hands. When they then asked how many would give up the product even with the potential hack, none (from my vantage point) suggested that they would. It was even spun as a potential upside – the ability to jailbreak a device collecting vast amounts of personal information that is automatically sent to Nest could potentially let advanced users disable minimize privacy concerns.