Securing the Nest Thermostat

A group of hackers are using a vulnerability in the Nest thermostat to secure it against Nest's remote data collection.

Posted on July 22, 2014 at 10:06 AM • 17 Comments

Comments

Out of the Nest into the Next title • July 22, 2014 10:46 AM

Is it the Nest thermostat as in the title or the Next thermostat?

Homer J. • July 22, 2014 12:44 PM

That hack is really valuable, I'm glad they plan to make it available. I wish Nest would drop the claim that only a small subset care about data leakage from the devices. Clearly it's in the best interest of the consumer to have the ability to disable data collection. This isn't a free product that requires monetization to make it viable. If the consumer pays good money for a product they should not also have to submit to data collection.

At this point I see the only practical way of securing connected products for the home is outbound firewall filtering. It will work with many devices, but hopefully they don't make a habit of making the data streams of data collection and the remote user features indistinguishable. It can always be temporarily disabled for firmware update. The time is coming when outbound content filtering and DNS black-holing will have to be made accessible to the consumer without advanced knowledge on the part of the user. Business wants an internet-of-things, but if consumers want protection it would be better to have an intranet-of-things with minimal external access.

x11794A • July 22, 2014 2:23 PM

@HomerJ:

I wish Nest would drop the claim that only a small subset care about data leakage from the devices.

Why would it matter what fraction of people cares about data leakage? It's not like it's hard to bury an "off" switch deep in the configuration if you were worried people would turn it off by accident resulting in... something bad?

Mike the goat (horn equipped) • July 22, 2014 3:28 PM

X117: even where remote activation isn't a concern - just having the thermal logs online is a *bad* thing as you can, for example, infer when people are at home in cold climates by heating use.
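The occupancy inference described in the comment above, carried through as an added example (not code from the original post or from Nest): a week of hourly thermostat setpoints is constructed inline to mimic a common weekday setback schedule, and the script recovers the hours the house is routinely empty. The record format, the 17 °C / 21 °C setpoints and the assumption that the lowest setpoint means "nobody home" are all assumptions made for the example.

```python
"""Infer a household's away schedule from thermostat setpoint logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log(start="2014-01-06"):
    """Constructed data: one week of hourly (timestamp, setpoint_celsius) records.

    Weekdays set back to 17 C from 08:00 to 17:00 while the house is empty,
    21 C otherwise; weekends stay at 21 C all day. 2014-01-06 is a Monday.
    """
    t0 = datetime.strptime(start, "%Y-%m-%d")
    records = []
    for hour in range(7 * 24):
        ts = t0 + timedelta(hours=hour)
        away = ts.weekday() < 5 and 8 <= ts.hour < 17
        records.append((ts, 17.0 if away else 21.0))
    return records


def infer_away_hours(records, tolerance=0.5):
    """Return {weekday: [hours]} where the setpoint usually sits at its minimum.

    Assumption for the example: a setback to the lowest setpoint in the log
    means nobody is home. Hours are kept only if more than half of the samples
    for that weekday/hour were at the setback level, so one odd day does not
    create a false 'away' hour.
    """
    floor = min(sp for _, sp in records)
    away_votes = defaultdict(lambda: defaultdict(int))  # weekday -> hour -> away samples
    totals = defaultdict(lambda: defaultdict(int))      # weekday -> hour -> all samples
    for ts, sp in records:
        totals[ts.weekday()][ts.hour] += 1
        if sp - floor <= tolerance:
            away_votes[ts.weekday()][ts.hour] += 1
    away = {}
    for wd in range(7):
        hours = [h for h in range(24)
                 if totals[wd][h] and away_votes[wd][h] / totals[wd][h] > 0.5]
        if hours:
            away[wd] = hours
    return away


def contiguous_runs(hours):
    """Split a sorted list of hours into (first, last) runs of consecutive hours."""
    runs, start, prev = [], hours[0], hours[0]
    for h in hours[1:]:
        if h != prev + 1:
            runs.append((start, prev))
            start = h
        prev = h
    runs.append((start, prev))
    return runs


def summarize(away):
    """Render per-weekday away hours as 'HH:00-HH:00' intervals."""
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    return {
        names[wd]: ", ".join(f"{a:02d}:00-{b + 1:02d}:00" for a, b in contiguous_runs(hours))
        for wd, hours in away.items()
    }


if __name__ == "__main__":
    # Prints the inferred schedule; weekends do not appear because nobody is away.
    print(summarize(infer_away_hours(build_sample_log())))
```

The same logic works on heating run-time or indoor temperature instead of setpoint; the point is that a week of coarse data is enough to reconstruct when a home is predictably empty, which is why holding this data remotely is a risk even with no remote-control capability.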

Jason R. • July 22, 2014 4:11 PM

@Mike the Goat:

Bububut we have THE BEST SECURITY on our totally unnecessary information transaction.

This is fundamentally an industry problem of forgetting about opsec because you have sigsec. Opsec trumps sigsec always because if you don't have the information, nobody can take it from you.

mj12 • July 22, 2014 4:43 PM

@Homer J.

This isn't a free product that requires monetization to make it viable.

That is just the extension of the "if you are not paying for it you are the product" mindset. It states "you can be paying [insert sum here] for it and still be the product."

@x11794A
Even if they do implement the switch, there's a chance it would have no actual influence. Like in the case with LG's smart TVs. No matter what you choose, #&*@ you! We are taking the data anyway.

TomS. • July 22, 2014 6:56 PM

I suppose one could isolate IoT objects on a VLAN with no gateway assigned in the DHCP scope for that subnet.
Use reservations to assign gateways to some trusted devices.
Proxy those.
Block and alert for IoT subnet traffic at firewall.
Watch out for autoconfiguration conveniences that would leak gateway info to the isolated subnet.

Something to try if I ever run into a useful "connected device".

Meanwhile, I keep seeing my neighbor's new thermostat in my wireless logs. I can't believe that's going to have a happy ending. Didn't Best Buy get compromised via HP inkjets with wireless on by default? Injected traffic to LAN via default wifi which is bridged with LAN? Somebody'll just start tunnelling into home LANs through the thermostat.
//TomS.
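An added example (not code from the original post, nor from Nest or any vendor) covering the two approaches above: Homer J.'s outbound filtering with DNS black-holing and a temporary opening for firmware updates, and TomS.'s isolated IoT subnet with block-and-alert at the firewall. It keeps a single per-device egress policy, renders it as an nftables forward chain plus dnsmasq black-hole lines, and turns kernel drop logs back into alerts so you can see what the device keeps trying to reach. Assumptions: the IoT VLAN is 192.0.2.0/24 on interface vlan20, the router runs nftables and dnsmasq, drops are logged with the prefix "IOT-DROP: ", and every IP, hostname and log line is constructed for the example.

```python
"""Egress policy for an isolated IoT segment: render firewall/DNS config, audit drop logs."""
from dataclasses import dataclass
import ipaddress
import re

IOT_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed IoT VLAN (documentation range)
IOT_IFACE = "vlan20"                            # assumed VLAN interface on the router
LOG_PREFIX = "IOT-DROP: "                       # assumed nftables log prefix


@dataclass(frozen=True)
class Dest:
    ip: str
    port: int
    proto: str = "tcp"


@dataclass
class Device:
    name: str
    ip: str
    allowed: frozenset                     # endpoints needed for remote control
    update_only: frozenset = frozenset()   # firmware hosts, opened only while updating


# Constructed policy: one thermostat that may reach its control relay and nothing else.
DEVICES = [
    Device("thermostat", "192.0.2.50",
           allowed=frozenset({Dest("203.0.113.10", 443)}),
           update_only=frozenset({Dest("203.0.113.20", 443)})),
]
BLACKHOLE_DOMAINS = ["telemetry.example.net", "metrics.example.net"]  # constructed names


def render_nft(devices, updating=False):
    """nftables forward chain: per-device allowlist, then log+drop everything else from the VLAN.

    With updating=True the update_only endpoints are added, which is the
    'temporarily disabled for firmware update' window; reload without it afterwards.
    """
    lines = ["table inet iot {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    for d in devices:
        dests = set(d.allowed) | (set(d.update_only) if updating else set())
        for t in sorted(dests, key=lambda x: (x.ip, x.port)):
            lines.append(f"    ip saddr {d.ip} ip daddr {t.ip} {t.proto} dport {t.port} accept")
    lines.append(f'    iifname "{IOT_IFACE}" ip saddr {IOT_NET} log prefix "{LOG_PREFIX}" drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


def render_dnsmasq(domains):
    """dnsmasq lines answering 0.0.0.0 for telemetry names (DNS black-holing)."""
    return "\n".join(f"address=/{dom}/0.0.0.0" for dom in domains)


# Matches the field order of iptables/nftables kernel log lines (LEN=, TTL= etc. may sit between).
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")


def audit(log_lines, devices):
    """Return (device name or 'unknown-device', dst ip, dst port) for each logged drop from the VLAN.

    An unknown source inside IOT_NET is still reported: it is a device that got an
    address on the isolated subnet without having a policy entry.
    """
    by_ip = {d.ip: d for d in devices}
    alerts = []
    for line in log_lines:
        if LOG_PREFIX not in line:
            continue
        m = LOG_RE.search(line)
        if not m or ipaddress.ip_address(m.group("src")) not in IOT_NET:
            continue
        src = m.group("src")
        name = by_ip[src].name if src in by_ip else "unknown-device"
        alerts.append((name, m.group("dst"), int(m.group("dpt"))))
    return alerts


# Constructed kernel log lines in the shape nftables 'log' emits them.
SAMPLE_LOG = [
    "kernel: IOT-DROP: IN=vlan20 OUT=eth0 SRC=192.0.2.50 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=443",
    "kernel: IOT-DROP: IN=vlan20 OUT=eth0 SRC=192.0.2.77 DST=198.51.100.9 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123",
    "kernel: OTHER: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=1.1.1.1 LEN=60 TTL=64 PROTO=UDP SPT=4000 DPT=53",
]

if __name__ == "__main__":
    print(render_nft(DEVICES))
    print(render_dnsmasq(BLACKHOLE_DOMAINS))
    for alert in audit(SAMPLE_LOG, DEVICES):
        print("ALERT", alert)
```

The allowlist is the only part that depends on the vendor: it works only as long as the remote-control endpoint and the telemetry endpoint are distinguishable by address or name, which is exactly the caveat raised above. Watching the audit output for a few days after installing a device is also the practical way to learn which hosts it actually needs.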

name.withheld.for.obvious.reasons • July 22, 2014 8:39 PM

@ MTG-HE
for example, infer when people are at home in cold climates by heating use.
I'd add that this applies to summertime climes as well.

name.withheld.for.obvious.reasons • July 22, 2014 9:21 PM

This subject points to a legal bias that exists (implicitly) and is in serious need of redress. ECPA, SOPA, and CISPA/CISA are not anywhere near useful and have resulted in the serious abuse of the US citizenry (even if they don't know it). To be clear, persons like Aaron Swartz understood the unbalanced control and possession of information and how we, the average citizen, are disaffected and reduced to serfs in an "information" age. I'd warn those that believe "their" version of the truth is just that--they don't have access to the truth (my version of "A few good men"). If you want to get real, petitioning and starting conversations in your community about our future as a society needs your attention. Otherwise, I'm sure many already hold in disregard, will set in motion, and law, a social framework that will not advance the interest of individuals, communities, or democratic governance.

It is long past time that we, and I hold those of us in the know more accountable, make ourselves heard and directly address the issue of our times. There is no greater threat to our individual and collective good--this strikes at the heart of what Thomas Jefferson understood as both "enlightened self interest" and a knowledgable citizenry. Without a concerted effort, the experiment in self-rule will be lost to history. Before our time, individuals pledged their lives and property to make what we've had a reality. What are you willing to pledge?

Yes, I'm not naive about our history (we are an ugly lot) but try to make an impact in a society where you are a "subject". Try reform in Saudi Arabia or Indonesia--and to the idiots with the "love it or leave it" attitude I have a suggestion--look in the mirror.

David • July 22, 2014 10:41 PM

The research is interesting, but the tool seems pointless. People who are knowledgeable enough to be aware of and care about data collection wouldn't buy this device in the first place.

Coyne Tibbets • July 23, 2014 12:41 AM

I wonder where Nest sells the collected data. You can bet if they go to the trouble to collect it, they're monetizing it somehow.

Name • July 23, 2014 6:34 AM

@David

It would greatly impact existing Nest owners that are not happy with the Google purchase. The only alternative is to block outbound access, which removes the ability to remotely control the thermostat. It's nice coming home from a business trip to a cool house.

x11794A • July 23, 2014 10:34 AM

@mj12: Even if they do implement the switch, there's a chance it would have no actual influence.

Agreed that we basically can't trust them (you could partially verify that it works by running a packet sniffer, I guess), but what I was saying was that their argument doesn't even make sense on its face because it's a non-sequitur. The truth value of the statement "most users don't care" has no bearing on whether or not you add in a switch to turn the behavior on or off by itself, because it costs users nothing for that option to exist, but it gives a benefit to anyone who does happen to want it.

Additionally, the argument they're presenting is that "most users don't care", not "most users prefer it to be on", so it's an even more specious argument. Basically, user apathy is an equally good argument for leaving it off by default - the lack of a user preference provides equal weight to both sides of the scales, so if "most users don't care", then those users should be discarded from consideration and only the people who do care should be considered. Consider a situation where 95% of all people don't care, 4% of people want it off and 1% of all people want it on. If you leave it on, 96% of people are happy with the product. If you leave it off, 99% of people are happy with the product. The 95% who are happy either way is erroneous information.

Anyway, it's interesting that they are willing to say that sort of thing publicly, because it's clear from a logical analysis of the statement that what it means is, "We like it when this happens and we can get away with it, so we're going to do it even if it means making our product worse." I don't think most companies would be willing to say that directly, or that most people would be too happy if you applied it in nearly any other context ("most people don't notice if you take small bills out of their wallet, so we at Coat Check Services always scrounge around for loose change and money in the coats checked with us.").

aboniks • July 23, 2014 12:26 PM

“With our smoke detectors, we found that there’s way more carbon monoxide in homes that anyone realized. We can take that info to regulators,” he says. “The biggest carbon monoxide survey that ever happened before was hundreds of homes; we have thousands.”

In other words, "You can look forward to relaxed carbon monoxide emission regulations coming to an industry near you."

So, just to be clear, the selling point here is that customer data can be given to government employees?

Sign me RIGHT UP!

BRammer • July 23, 2014 8:06 PM

Excellent. Now, how about a hack for my smart TV so Samsung doesn't know how often I watch The Amazing Race...


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.