Google-owned Nest can be the starting point for gaining control of other devices in your home.
For this hack to happen, the attacker has to first get physical access to the device. Possible.
That drastically reduces the likelihood of this hack ever taking place in the real world–but TrapX speculates that this scenario might take place if someone buys a used Nest off of Craigslist or eBay.
The Nest runs a Linux operating system, and while the device boots up an attacker can load custom software onto it–basically jailbreaking the device–by going through the device’s USB port.
The problem is with the way the hardware is built, since this hack has existed for almost one year and there is still no fix. Obviously, Nest can’t repair that.
The hack goes through the USB port and loads custom software onto the Nest’s ARM7 processor chip made by Texas Instruments. Once in, the attacker can first obtain the password for the WiFi network that the Nest is hooked up to. The attacker also begins receiving information like whether or not you’re home. Data stored on the Nest isn’t encrypted, while Nest data sent over the air is.
Then, using an ARP (Address Resolution Protocol) tool that essentially tricks other devices into talking to the compromised Nest, the attacker can begin receiving data coming off other devices connected to the WiFi network. In testing, hackers were able to go through the compromised thermostat to exploit known software vulnerabilities found in devices like baby monitors and even a PC with an older, unpatched operating system to gain control of them.
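On the defensive side, the ARP trick described above leaves a visible trace in other devices' ARP tables: the router's IP address suddenly resolves to the thermostat's MAC address. The following sketch is an added example, not part of the original article; it compares two `arp -an` snapshots, and the function names, addresses and sample output are all constructed for illustration.

```python
import re
from collections import defaultdict

# Matches Linux `arp -an` lines such as:
#   ? (192.168.1.1) at 00:11:22:33:44:01 [ether] on wlan0
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` output; <incomplete> entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_arp_anomalies(baseline, current):
    """Compare two {ip: mac} snapshots and list ARP-spoofing indicators."""
    findings = []
    # Indicator 1: an IP already known in the baseline now maps to another MAC.
    for ip, mac in sorted(current.items()):
        old = baseline.get(ip)
        if old and old != mac:
            findings.append(("mac_changed", ip, old, mac))
    # Indicator 2: one MAC answers for several IPs (e.g. its own and the router's).
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac_claims_multiple_ips", mac, sorted(ips)))
    return findings

# Constructed sample data: .1 = router, .20 = thermostat, .30 = baby monitor.
BASELINE = """? (192.168.1.1) at 00:11:22:33:44:01 [ether] on wlan0
? (192.168.1.20) at 00:11:22:33:44:20 [ether] on wlan0
? (192.168.1.30) at 00:11:22:33:44:30 [ether] on wlan0"""
CURRENT = """? (192.168.1.1) at 00:11:22:33:44:20 [ether] on wlan0
? (192.168.1.20) at 00:11:22:33:44:20 [ether] on wlan0
? (192.168.1.30) at 00:11:22:33:44:30 [ether] on wlan0
? (192.168.1.40) at <incomplete> on wlan0"""

if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_table(BASELINE),
                                      parse_arp_table(CURRENT)):
        print(finding)
```

A changed mapping can also have a benign cause, such as a replaced router or a reassigned DHCP lease, so a finding is a prompt to check which device owns the MAC address rather than proof of compromise.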
Security issues are big for Nest as the company is positioning itself to become a major platform for the growing smart home ecosystem. Its “Works With Nest” program lets other smart gadget makers integrate their products with Nest in the cloud. Devices such as lightbulbs or washing machines can sync up with Nest’s thermostat or smoke detector.
It’s also worth noting that infecting a computer or smartphone would be a much more effective means of launching an attack on a home network. But as we continue to introduce more internet-connected devices into our lives, securing these devices will become a more pressing concern.
Established Internet of Things devices aren’t encrypting data on their devices because it’s very intensive,
Up until now, they’ve chosen not to include strong security because it impacts cost.