A Blog by Jonathan Low

 

Jul 26, 2014

Hacking Google's Nest Thermostat and the Fight for Personal Data

"In between the dark and the light," as the Eagles once sang, "in between the wrong and the right" is precisely where Nest and its corporate daddy Google find themselves.

Whether an omniscient internet-of-things device like the Nest thermostat is good or evil is still being debated.

Nest/Google argues that sending it all that information will help reduce carbon monoxide in homes, manage the cost of heating, cooling and electricity use, which saves on bills and improves the environment. Skeptics are concerned about how the 32MB of data the device sends out a month (according to the researchers who've studied it) will be used by whoever has access to it.

As the lyrics of that song imply, there is not necessarily one answer that will satisfy everyone with an opinion on the issue. But from the standpoint of corporate design, ownership and oversight, the fact that enterprising technicians are learning to hack these systems in order to give consumers added features they may want is a sign that there is a growing market not so much for privacy, but for more individual say in how these devices can and should work. JL

Kashmir Hill reports in Forbes:

Those with Nests in their nests have a smart thermostat that learns about their behavior over time for more efficient heating and cooling; if you’re never home in the afternoons, it knows that’s a good time to switch to low energy mode. It’s become one of the most successful members of the Internet-of-Things club, leading Google to pay $3.2 billion in cash to acquire the company earlier this year, and leading security researchers to poke around to see how hackable the device is. “When you have a big install base, you have a target on you,” says co-founder Matt Rogers.
No one has hacked the Nest remotely but a few hackers have found ways to break into the system when they have physical access to the device. First these dudes, and now a group of researchers from the University of Central Florida led by engineering professor Yier Jin who tore the Nest apart and found that they could take control of the Nest system while it’s booting up, allowing them to secretly siphon data and install malware that could botify the Nest. “The software is obviously designed with security in mind, but the hardware has problems,” says Orlando Arias, a UCF senior. While data about people’s energy use is not super sexy spy stuff, it does reveal living patterns. They plan to present their Nest teardown at August security conference Black Hat – Nest Thermostat: A Smart Spy In Your Home — and have also uploaded a video to YouTube of UCF student Grant Hernandez doing a “hack unboxing.”
But the team says the security flaw may have a privacy upside. Like so many connected devices, Nest devices regularly report back to the Nest mothership with usage data. Over a month-long period, the researchers’ device sent 32 MB worth of information to Nest, including temperature data, at-rest settings, and self-entered information about the home, such as how big it is and the year it was built. “The Nest doesn’t give us an option to turn that off or on. They say they’re not going to use that data or share it with Google, but why don’t they give the option to turn it off?” says Jin.
Their hack is essentially a jailbreak of the device – though they hesitate to use that term – allowing for new programs to be written onto the system, so they wrote a program to prevent data from being sent back to Nest, without otherwise interfering with Nest’s functionality. After their presentation at Black Hat in Las Vegas, they plan to release the tool to Nest users who are paranoid about corporate access to their data. “Using this vulnerability, we can patch the Nest from sending that data to Nest servers. There was no performance impact whatsoever on the unit we tested this on,” said Arias. In a white paper accompanying their presentation, they say the Internet of Things — with its connected devices tying users to companies that can monitor them — means consumers may need to “hack our own purchased devices in order to protect our own privacy and to add features manufacturers do not include.”
“We’re trying to make [the Nest tool] easy to install and make it easy to turn that data collection on and off,” says Jin. “But it’s a fine line to tinker with these devices. Most manufacturers say it will void the warranty.”
Nest cofounder Matt Rogers was understandably skeptical about such a tool. He says Nest users can turn off the device’s Wi-Fi access to stop data from being sent to Nest, but they lose the ability to operate it remotely, get automatic software updates, and energy reports. “One of the advantages of being connected is that when things like Heartbleed come up, we can immediately push down a fix,” he said. “What people want to do with their hardware is up to them. But this is their heating and cooling and their smoke alarms and you want our secure software on it. Just like when you jailbreak a phone, all bets are off.”
Rogers reiterated that Nest doesn’t share data with Google, but says Nest does benefit from the company’s security expertise – expertise jailbroken devices would miss out on. Nest has its own security engineers, and undergoes external audits and has Google doing checks. “They’re the best security team in the world, but they only found a few bugs,” he said.
When devices are jailbroken, Nest can tell, says Rogers, because Nest’s software is signed. It can see when researchers are playing around with the operating systems, though Rogers says only “a very small number of devices are doing weird things.”
I asked why Nest doesn’t have an option to turn off data sharing. Rogers says it hasn’t been a big request from users. “There’s a very small vocal minority who don’t want us to have that data,” he says. “We give them a lot of value from that data.” He says that the company improves its algorithms – and saves customers money – by being able to analyze behaviors from many different homes.
And there are societal benefits, he says. “With our smoke detectors, we found that there’s way more carbon monoxide in homes than anyone realized. We can take that info to regulators,” he says. “The biggest carbon monoxide survey that ever happened before was hundreds of homes; we have thousands.”
As for the vulnerability that allows someone to hack the device if they have physical access to it, Rogers was sanguine, as that’s basically the case with any computing device. If someone gets access to your smartphone or laptop, you’re similarly pwned.
Jin says he was impressed with Nest’s security overall. “Nest keeps security in mind, but still, they should do more,” he said, hoping the company will take a possible security solution his team proposes — letting only signed programs execute on the kernel and encrypting the file system — into consideration. Of course, if Nest does, and it works, his team’s “privacy-enhancing” Nest tool wouldn’t work.
