BlackHat takes on IoT and NEST

BlackHat has been a buzz with IoT conversations and warnings

So, yeah, the Nest was hacked… BUT… what isn’t in the head lines is a very important point:

While I won’t say that this isn’t worry some for Nest owners, I really don’t think this is as big of a deal as it’s being made out to be. Like the guy said, if someone has broken into your home I think you’d have bigger problems than worrying about your Nest being hacked.

1 Like

They would steal the Nest before they tried to hack it.

1 Like

Something like this normally wouldn’t bother me. However, his analogy with laptops and smartphones if flawed. Nest is fully under Nests control. I would think it would be easy for them to determine when it was tampered with. They could at the least shoot you an alarm that it was tampered with. After all, it is connected to the cloud and they should be able to stay on top of this.

Nest doesn’t seem to have all their bases covered, so to speak. I realized this with my Nest Protect when the OAuth expired in my device. My smoke alarm was totally non-functional for months. Didn’t make me feel real secure.

These things should not happen with such a high priced item and from a company purchased for billions of dollars.

It is five days and the best thing they can come up with is to buy a Dropcam Pro? Do you get another Dropcam to monitor the other?

To me this is NOT taking security seriously.

I dunno @beckwith, I agree and disagree with you. Yeah, ideally there would be some warning… something to indicate it isn’t running standard or at least a very easy way to test it. I’m not terrible familiar with NEST, is it cloud based? If so it should be easy (I’d think) for Nest to ping the device and check the firmware.

One potential danger area would be for someone to buy a bunch of Nest, through on a firmware that looks and feels quite normal, but has a script on it where it’s sharing all details with an outside source. Then just sell them as “gently” used items and start mining the data that comes in.

But, on the other hand I do consider the analogy to be someone valid. We expect our devices to be reasonable secure as long as we’re not telling others have physical access to them. I don’t expect my car to be an armored truck… but I do expect it to be secure enough as long as I lock the doors and keep the windows up.

I expect my laptop to be reasonably secure… I password protect it, I’ve got virus scanners running on it… but I also know that if it’s stolen that someone who is reasonably competent will be able to hack into it.

This is the first rule of SysAdmin 101, physical access is the weakest link in security. This “news” is not surprising at all.

OK. Let’s say this was your product. After this happened, wouldn’t you get your engineers together and come up with a solution? Instead, they suggest buying a Dropcam?

People are thinking they are buying a thermostat, not a general purpose computer. It is not like we are installing apps or saving documents. It is NOT the same as a smart phone or Laptop. They have total control!

To me they have too many strikes against them. Nest protect doesn’t sense flame, wave feature flawed, my own personal OAuth experience. Now here is an opportunity for them to add a simple checksum and make the issue moot and show the advantage of the cloud. Instead, you have to spend $200 more to watch your thermostat with a Dropcam.

Give me a break.

1 Like

[quote=“beckwith, post:7, topic:4197, full:true”]
OK. Let’s say this was your product. After this happened, wouldn’t you get your engineers together and come up with a solution? Instead, they suggest buying a Dropcam?[/quote]
I don’t disagree with this. They’re not wrong in saying that this is a physical hack and therefore isn’t as much of a concern as perhaps some are making it to be, but to not say that they are addressing the avenue of attack isn’t smart.

Knock, Knock…

Hello, I’m with Google / Nest security team. We need to install a physical upgrade to your Nest… It only takes a few minutes.

(pulls Nest off wall, plugs in usb stick, holds power button down, waits for flash, pulls usb stick, puts back on wall)

Thanks, and thanks for being a loyal google / Nest customer.


Seriously, who would be stupid enough to fall for this, let alone the person wanting to execute this “social hack” would have to know I have a Nest…

However, I would highly suggest avoiding buying a used Nest until Google / Nest allow flashing of firmware via the usb port…

And now back to our scheduled programming…

I dont think its quite the significance of this hack itself but that IoT is heavily on the radar of the community.

Agreed. I just think they handled the response wrong.

Historically, your local device security (as well as LAN) has been secured physically. It is inevitable with IoT that this will have to be buttoned up. For Nest to use this history as an excuse shows me they are not a leader in this niche.