#RSAC
SESSION ID: HT-W04

Don't Touch That Dial: How Smart Thermostats Have Made Us Vulnerable

Yier Jin, Assistant Professor, University of Central Florida (@jinyier)
Ray Potter, CEO, SafeLogic (@SafeLogic_Ray)

Flow
- The threat is real
- Connected convenience comes with risk
- Challenges
- What's at Stake

What's at Stake
- Pattern recognition
- Identity theft
- Corporate espionage
- Life

Use Cases

Nest Thermostat
- Nest Labs founded by Tony Fadell
- Debuted in October 2011
- Acquired by Google in January 2014 ($3.2B)
- Over 40,000 sold each month (data from GigaOM as of January 2013)
- Available in the UK in April 2014
- Smart home API released in June 2014
“Yes, hacking is in our thoughts. When you're talking
about the home, these are very private things. We
thought about what people could do if they got access to
your data. We have bank-level security, we encrypt
updates, and we have an internal hacker team testing the
security. It's very, very private and it has to be, because
it'll never take off if people don't trust it.”
- Tony Fadell

Nest Hardware

Front Plate ("Display" board)
- Graphics/UI, networking
- Chips:
  - ARM Cortex-A8 application processor
  - USB OTG
  - RAM/Flash (2Gb)
  - ZigBee/WiFi radios
  - Proximity sensors
- UART test points (silenced at bootloader)
Courtesy of iFixit

"Backplate" and Comms
- Hooks up to the AC/heating system; charges the battery via engineering wizardry
- Chips:
  - Independent ARM Cortex-M3
  - Temperature and humidity sensor
- Communications:
  - Front to back: UART
  - Nest Weave (802.15.4)
  - USB MSD (firmware update)
Courtesy of iFixit

Nest Software

Nest Client
- Runs on a Linux-based platform
- Handles interfacing between the device and Nest Cloud services
- Automatically handles firmware updates
- Manual update available:
  - Plug the Nest into a PC
  - It is handled as a storage device
  - Copy the firmware to the drive
  - Reboot

Nest Firmware
- Signed firmware
  - Manifest.plist hashes the contents
  - Manifest.p7s carries the PKCS#7 signature
- Compressed but not encrypted or obfuscated
- Includes:
  - U-Boot image
  - Linux kernel image
  - File system
  - nlbpfirmware.plist

Things Done the Right Way™
- Firmware signing using PKCS#7
- Pinned Nest certificates for firmware verification
- All critical communications (anything carrying secrets) over HTTPS
- Less sensitive traffic (firmware, weather) over plain HTTP

Things Done the Wrong Way™
- Firmware downloaded over HTTP, and the download links never expire
- Hardware backdoor left open to anyone with a USB port
- Automatic updates

User Privacy
- Log files
  - Stored internally and uploaded to Nest
  - Contents
  - User interface
- Users are unaware of the contents of the log files
- Users cannot turn this off
- User network credentials are stored … in plain text!
- Should users be allowed to opt out of the data collection?

Log Files

Processor and boot

Hardware Analysis
- TI Sitara AM3703
  - ARM Cortex-A8 core (ARMv7 ISA)
  - JazelleX Java accelerator and media extensions
  - ARM NEON SIMD coprocessor
  - DMA controller
  - High-speed USB controller
  - General Purpose Memory Controller (GPMC) to handle flash
  - SDRAM memory scheduler and controller
  - 112KB on-chip ROM (boot code)
  - 64KB on-chip SRAM
  - Configurable boot options

Boot Process (normal boot)
1. Root ROM starts execution
2. ROM initializes basic subsystems
3. ROM copies X-Loader to SRAM
4. X-Loader executes and initializes SDRAM
5. X-Loader copies U-Boot to SDRAM
6. U-Boot executes and configures the environment
7. U-Boot executes the Linux kernel
8. Userland is loaded

Boot Process (USB boot)
1. Root ROM starts execution
2. ROM initializes basic subsystems
3. ROM reads X-Loader from USB
4. X-Loader executes and initializes SDRAM
5. X-Loader copies U-Boot to SDRAM
6. U-Boot executes and configures the environment
7. U-Boot executes the Linux kernel
8. Userland is loaded

Device Initialization
- Boot configuration is read from sys_boot[5:0]

Selected boot configurations (First … Fifth are the boot devices the ROM tries, in order):

sys_boot[5:0]   First     Second    Third    Fourth    Fifth
001101          XIP       USB       UART3    MMC1
001110          XIPwait   DOC       USB      UART3     MMC1
001111          NAND      USB       UART3    MMC1
101101          USB       UART3     MMC1     XIP
101110          USB       UART3     MMC1     XIPwait   DOC
101111          USB       UART3     MMC1     NAND

Device Programming
- Boot configuration pins sys_boot[4:0] are fixed in Nest's hardware
- sys_boot[5] changes based on the reset type (with sys_boot[5] = 1 the ROM tries USB before any on-board memory, per the table above)
- Conveniently, the circuit board exposes sys_boot[5] on an unpopulated header…

Nest USB Device Descriptor

TI USB Device Descriptor
 Full control over the house
 Away detection
 Network credentials
 Zip Code
 Remote exfiltration
 Pivoting to other devices
Implications

Control over all Nest devices
- Unauthorized ability to access the Nest account
  - We now have the OAuth secrets
- Ability to brick the device
  - We can modify the NAND
- Persistent malware in NAND
  - X-Loader bootkit in NAND

The Attack

Attack
- Device reset: hold the button for 10 seconds, which drives sys_boot[5] = 1'b1
- Inject code over USB into memory and execute it
- Be quick!

Initial Attack
- Custom X-Loader to chainload U-Boot + initrd
- Custom U-Boot:
  - Utilize the existing kernel
  - Load our ramdisk (initrd)
- Ramdisk:
  - Mount Nest's filesystem and write at will
  - Arbitrary, scriptable code execution
  - Netcat already ships on the Nest

Refining a Backdoor
- Rebuild the toolchain
- Cross-compile dropbear (SSH server)
- Add user accounts and groups
- Reset the root password

Linux Kernel Modification
- A custom Linux kernel
  - Custom logo
  - Debugging capabilities (kgdb)
  - Polling on OMAP serial ports

Demo

Double-Edged Sword
- Positive view: the backdoor lets legitimate users opt out of uploading log files
- Negative view: the backdoor may be exploited maliciously
- A relief to Nest Labs: the backdoor needs physical access to the device (although a remote attack is under investigation)

A Solution – Chain of Trust
- Code authentication
  - The processor must authenticate the first-stage bootloader before it runs
  - Use public-key cryptography
- Userland protection
  - Only execute signed binaries
  - Filesystem encryption
  - Processor–DRAM channel protection
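The signed-update pattern from the Nest Firmware and Things Done the Right Way slides (a manifest that hashes the payload, a PKCS#7 signature over the manifest, pinned vendor certificates) and the code-authentication step of the chain of trust proposed here come down to the same check: verify a detached signature against a pinned certificate, then verify every payload file against the manifest. The script below is an added example written for this page, not Nest's code or anything shown in the talk. It uses openssl smime and coreutils; the key names, the three payload files, the plain-text manifest (standing in for Manifest.plist, with the Manifest.p7s role played by a detached DER PKCS#7 signature) and the version line used for an anti-rollback check are all constructed for the demonstration. It exercises the three rejections a verifier must get right: a payload altered after signing, a bundle re-signed under a key that is not the pinned one, and a genuine but older image replayed from a download link that never expired.

```shell
#!/bin/sh
# Added example (not Nest's code): signed-manifest update verification with a
# pinned vendor certificate. Keys, file names, the text manifest format and the
# version field are constructed for this demo; the device uses Manifest.plist/.p7s.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

PAYLOAD="u-boot.bin uImage rootfs.img"   # stand-ins for the bootloader, kernel and rootfs images

# new_identity NAME: throwaway self-signed signing identity -> NAME.key, NAME.crt
new_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# make_bundle DIR VERSION KEY CRT: write payload files, a manifest holding a version
# line plus the sha256 of each payload, and a detached DER PKCS#7 signature over it
make_bundle() {
    dir=$1 version=$2 key=$3 crt=$4
    mkdir -p "$dir"
    for f in $PAYLOAD; do printf 'contents of %s v%s\n' "$f" "$version" > "$dir/$f"; done
    { printf 'version %s\n' "$version"; ( cd "$dir" && sha256sum $PAYLOAD ); } > "$dir/Manifest.txt"
    openssl smime -sign -binary -in "$dir/Manifest.txt" -signer "$crt" -inkey "$key" \
        -outform DER -out "$dir/Manifest.p7s" >/dev/null 2>&1
}

# verify_bundle DIR PINNED_CRT INSTALLED_VERSION: returns 0 only if
#   1. Manifest.p7s verifies over Manifest.txt with a signer chaining to the pinned
#      certificate (only -CAfile is trusted; the system CA store is never consulted),
#   2. the manifest version is not older than the installed one (anti-rollback), and
#   3. every payload file hashes to the value the signed manifest lists.
# The hash list is only consulted after the signature holds, so an attacker cannot
# steer the verifier toward hashes of their own choosing.
verify_bundle() {
    dir=$1 pinned=$2 installed=$3
    openssl smime -verify -binary -inform DER -in "$dir/Manifest.p7s" \
        -content "$dir/Manifest.txt" -CAfile "$pinned" -out /dev/null >/dev/null 2>&1 \
        || { echo "reject $dir: signature does not verify against the pinned certificate"; return 1; }
    offered=$(sed -n 's/^version //p' "$dir/Manifest.txt")
    [ "$(printf '%s\n%s\n' "$installed" "$offered" | sort -V | tail -n1)" = "$offered" ] \
        || { echo "reject $dir: version $offered is older than installed $installed"; return 1; }
    grep -E '^[0-9a-f]{64}  ' "$dir/Manifest.txt" | ( cd "$dir" && sha256sum -c --status - ) \
        || { echo "reject $dir: payload hash does not match the signed manifest"; return 1; }
    echo "accept $dir (version $offered)"
}

# --- scenarios (all constructed) ---------------------------------------------
new_identity vendor
cp vendor.crt pinned.crt                                 # the copy baked into the device image
new_identity attacker

make_bundle good     5.1 vendor.key   vendor.crt         # genuine update
make_bundle tampered 5.1 vendor.key   vendor.crt
printf 'backdoored rootfs\n' > tampered/rootfs.img       # payload swapped after signing
make_bundle resigned 9.9 attacker.key attacker.crt       # consistent bundle, wrong signer
make_bundle old      4.9 vendor.key   vendor.crt         # genuine but obsolete, replayed

INSTALLED=5.0
verify_bundle good     pinned.crt "$INSTALLED"           # accept
verify_bundle tampered pinned.crt "$INSTALLED" || true   # reject: hash mismatch
verify_bundle resigned pinned.crt "$INSTALLED" || true   # reject: signer not pinned
verify_bundle old      pinned.crt "$INSTALLED" || true   # reject: rollback
```

Two design points carry over to a real device. The pinned certificate is the only trust anchor handed to openssl, which is what "pinned Nest certificates" buys: a signer from any public CA, or the attacker's own self-signed identity, is rejected regardless of how valid its signature is. And because the manifest is what gets signed, integrity of a firmware fetched over plain HTTP rests entirely on this check; the version comparison is the piece that a non-expiring download link otherwise leaves open.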

How to Apply This Knowledge
- Identify whether your product shares vulnerabilities with these examples.
- Build a security strategy and implement it NOW; don't wait.
- Explore 3rd-party validation and other ways to leverage proven security measures.
- Regardless of form factor, focus on the data.
- And of course, as a user, quarantine WiFi access for each of your IoT devices.

More Related Content

What's hot

Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecPacSecJP
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali LinuxJason Murray
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selectionamiable_indian
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopPriyanka Aash
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
Hack wifi password using kali linux
Hack wifi password using kali linuxHack wifi password using kali linux
Hack wifi password using kali linuxHelder Oliveira
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverGregory Hanis
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 

What's hot (20)

Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
 
Backtrack
BacktrackBacktrack
Backtrack
 
Tools kali
Tools kaliTools kali
Tools kali
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selection
 
Backtrack
BacktrackBacktrack
Backtrack
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-room
 
Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration Testing
 
Hack wifi password using kali linux
Hack wifi password using kali linuxHack wifi password using kali linux
Hack wifi password using kali linux
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live Forever
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
 

Viewers also liked

Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...iotest
 
An introduction to Digital Security - Rishabh Dangwal
An introduction to Digital Security - Rishabh DangwalAn introduction to Digital Security - Rishabh Dangwal
An introduction to Digital Security - Rishabh DangwalRishabh Dangwal
 
Tesla iot case study
Tesla  iot case studyTesla  iot case study
Tesla iot case studyJohn Mathon
 
Cybesecurity of the IoT
Cybesecurity of the IoTCybesecurity of the IoT
Cybesecurity of the IoTAltoros
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamIoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamAmit Rohatgi
 
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-g
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-gInternet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-g
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-gMohan Kumar G
 
Internet of Things and its applications
Internet of Things and its applicationsInternet of Things and its applications
Internet of Things and its applicationsPasquale Puzio
 
IoT - IT 423 ppt
IoT - IT 423 pptIoT - IT 423 ppt
IoT - IT 423 pptMhae Lyn
 

Viewers also liked (16)

IoT_Ethics
IoT_EthicsIoT_Ethics
IoT_Ethics
 
CurrentRegs
CurrentRegsCurrentRegs
CurrentRegs
 
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...
 
An introduction to Digital Security - Rishabh Dangwal
An introduction to Digital Security - Rishabh DangwalAn introduction to Digital Security - Rishabh Dangwal
An introduction to Digital Security - Rishabh Dangwal
 
Tesla iot case study
Tesla  iot case studyTesla  iot case study
Tesla iot case study
 
Internet of Things (IOT) - Demo - Part I
Internet of Things (IOT) - Demo - Part IInternet of Things (IOT) - Demo - Part I
Internet of Things (IOT) - Demo - Part I
 
Design challenges in IoT
Design challenges in IoT Design challenges in IoT
Design challenges in IoT
 
IoT Security: Cases and Methods
IoT Security: Cases and MethodsIoT Security: Cases and Methods
IoT Security: Cases and Methods
 
Cybesecurity of the IoT
Cybesecurity of the IoTCybesecurity of the IoT
Cybesecurity of the IoT
 
The Internet of Things: Privacy and Security Issues
The Internet of Things: Privacy and Security IssuesThe Internet of Things: Privacy and Security Issues
The Internet of Things: Privacy and Security Issues
 
Overview of IoT and Security issues
Overview of IoT and Security issuesOverview of IoT and Security issues
Overview of IoT and Security issues
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamIoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you Spam
 
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-g
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-gInternet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-g
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-g
 
Internet of Things and its applications
Internet of Things and its applicationsInternet of Things and its applications
Internet of Things and its applications
 
IoT - IT 423 ppt
IoT - IT 423 pptIoT - IT 423 ppt
IoT - IT 423 ppt
 

Similar to How Smart Thermostats Have Made Us Vulnerable

OSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwarePriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Offline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encriptionOffline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encriptionmalvvv
 
Timings of Init : Android Ramdisks for the Practical Hacker
Timings of Init : Android Ramdisks for the Practical HackerTimings of Init : Android Ramdisks for the Practical Hacker
Timings of Init : Android Ramdisks for the Practical HackerStacy Devino
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 

Similar to How Smart Thermostats Have Made Us Vulnerable (20)

OSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adware
 
RSA APJ Velociraptor Lab
RSA APJ Velociraptor LabRSA APJ Velociraptor Lab
RSA APJ Velociraptor Lab
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
RAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
Dns rebinding
Dns rebindingDns rebinding
Dns rebinding
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
Offline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encriptionOffline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encription
 
Timings of Init : Android Ramdisks for the Practical Hacker
Timings of Init : Android Ramdisks for the Practical HackerTimings of Init : Android Ramdisks for the Practical Hacker
Timings of Init : Android Ramdisks for the Practical Hacker
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
Stop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain SecurityStop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain Security
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Software security
Software securitySoftware security
Software security
 

Recently uploaded

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

How Smart Thermostats Have Made Us Vulnerable

  • 12. #RSAC Nest Firmware
     Signed firmware
       Manifest.plist: hashes contents
       Manifest.p7s
     Compressed but not encrypted or obfuscated
     Includes
      – U-boot image
      – Linux Kernel image
      – File system
      – nlbpfirmware.plist

  • 13. #RSAC Things Done the Right Way™
     Firmware signing using PKCS7
     Pinned Nest certificates for firmware verification
     All critical communications (any with secrets) over HTTPS
     Other less secure ones over HTTP (firmware, weather)

  • 14. #RSAC Things Done the Wrong Way™
     Firmware links downloaded using HTTP and download links do not expire
     Hardware backdoor left for anyone with a USB port to use
     Automatic updates
  • 15. #RSAC User Privacy
     Log Files
       Internally stored and uploaded to Nest
       Contents
       User Interface
     Users are unaware of the contents of the log files
     Users cannot turn off this option
     User network credentials are stored … in plain text!
     Users should be allowed to opt-out of the data collection?

  • 18. #RSAC Hardware Analysis
     TI Sitara AM3703
       ARM Cortex-A8 core
         Version 7 ISA
         JazelleX Java accelerator and media extensions
         ARM NEON core SIMD coprocessor
       DMA controller
       HS USB controller
       General Purpose Memory Controller to handle flash
       SDRAM memory scheduler and controller
       112KB on-chip ROM (boot code)
       64KB on-chip SRAM
       Configurable boot options

  • 19. #RSAC

  • 20. #RSAC Boot Process
    1. Root ROM starts execution
    2. ROM initializes basic subsystems
    3. ROM copies X-Loader to SRAM
    4. X-Loader executes
    5. X-Loader initializes SDRAM
    6. X-Loader copies U-boot to SDRAM
    7. U-boot executes
    8. U-boot configures environment
    9. U-boot executes Linux kernel
    10. Userland loaded
  • 21. #RSAC Boot Process
    1. Root ROM starts execution
    2. ROM initializes basic subsystems
    3. ROM reads X-Loader from USB
    4. X-Loader executes
    5. X-Loader initializes SDRAM
    6. X-Loader copies U-boot to SDRAM
    7. U-boot executes
    8. U-boot configures environment
    9. U-boot executes Linux kernel
    10. Userland loaded
  • 29. #RSAC Device Initialization
     Boot Configuration read from sys_boot[5:0]
    Selected boot configurations:

    sys_boot[5:0]   First     Second   Third    Fourth    Fifth
    001101          XIP       USB      UART3    MMC1
    001110          XIPwait   DOC      USB      UART3     MMC1
    001111          NAND      USB      UART3    MMC1
    101101          USB       UART3    MMC1     XIP
    101110          USB       UART3    MMC1     XIPwait   DOC
    101111          USB       UART3    MMC1     NAND
  • 30. #RSAC Device Programming
     Boot configuration pins 4..0 are fixed in Nest’s hardware
     sys_boot[5] changes based on reset type
     Conveniently, the circuit board exposes sys_boot[5] on an unpopulated header…
  • 31. #RSAC Nest USB Device Descriptor
  • 32. #RSAC TI USB Device Descriptor
  • 33. #RSAC Implications
     Full control over the house
     Away detection
     Network credentials
     Zip Code
     Remote exfiltration
     Pivoting to other devices

  • 34. #RSAC Control over all Nest devices
     Unauthorized ability to access Nest account
       We now have the OAUTH secrets
     Ability to brick the device
       We can modify the NAND
     Persistent malware in NAND
       X-loader bootkit in NAND

  • 36. #RSAC Attack
     Device Reset
       Press the button for 10 seconds causing sys_boot[5] = 1’b1
     Inject code through the USB into memory and execute
       Be quick!

  • 37. #RSAC Initial Attack
     Custom X-Loader to chainload U-Boot + initrd
     Custom U-Boot
       Utilize existing kernel
       Load our ramdisk (initrd)
     Ramdisk
       Mount Nest’s filesystem and write at will
       Arbitrary, scriptable, code execution
       Netcat already comes with the Nest

  • 38. #RSAC Refining a Backdoor
     Rebuild toolchain
     Cross-compile dropbear (SSH server)
     Add user accounts and groups
     Reset root password

  • 39. #RSAC Linux Kernel Modification
     A custom Linux kernel
     Custom logo
     Debugging capabilities (kgdb)
     Polling on OMAP serial ports
  • 41. #RSAC Double-Edged Sword
     Positive View
       The backdoor gives legitimate users a way to opt out of uploading log files
     Negative View
       The backdoor may be maliciously exploited
     A Relief to Nest Labs
       The backdoor needs physical access to the device (although a remote attack is under investigation)
  • 42. #RSAC A Solution – Chain of Trust
     Code Authentication
       Processor must authenticate the first stage bootloader before it is run
       Use public key cryptography
     Userland protection
       Only execute signed binaries
     Filesystem encryption
     Processor-DRAM channel protection
  • 43. #RSAC How to Apply This Knowledge
     Identify whether your product shares vulnerabilities with these examples.
     Build security strategy and implement NOW, don’t wait.
     Explore 3rd party validation and other ways to leverage proven security measures.
     Regardless of form factor, focus on the data.
     And of course, as a user, quarantine WiFi access for each of your IoT devices.
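Slides 12 to 14 describe the update format: a manifest that hashes every payload file, a detached PKCS7 signature over that manifest (Manifest.p7s), pinned Nest certificates, and a firmware bundle fetched over plain HTTP from links that never expire. The Go program below is an added example, not code from the talk or from Nest. It stands in Ed25519 and a one-line-per-file manifest for PKCS7 and Manifest.plist, and constructs its own sample payloads and keys. It shows why plain HTTP for the bundle is tolerable only if the device verifies in the right order, signature on the manifest first and per-file hashes second: a kernel swapped in transit fails the hash check, and an attacker who regenerates the manifest fails the pinned-key check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// FirmwareBundle mirrors slide 12: a manifest hashing every payload file plus a
// detached signature over that manifest. Manifest.plist and Manifest.p7s (PKCS7)
// are stood in for by a "name sha256hex" line format and Ed25519 (illustrative).
type FirmwareBundle struct {
	Manifest  []byte
	Signature []byte
	Files     map[string][]byte
}

// Fixed demo signing key (zero seed): only the public half is pinned on the device.
var vendorKey = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))

// sampleFiles returns constructed stand-ins for the components slide 12 lists.
func sampleFiles() map[string][]byte {
	return map[string][]byte{
		"u-boot.bin":         []byte("constructed U-Boot image"),
		"uImage":             []byte("constructed Linux kernel image"),
		"rootfs.img":         []byte("constructed file system"),
		"nlbpfirmware.plist": []byte("constructed backplate firmware plist"),
	}
}

// BuildManifest hashes each file, sorted so the manifest bytes are deterministic.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s %s\n", n, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// SignBundle is the vendor side: manifest, detached signature, payload files.
func SignBundle(files map[string][]byte, key ed25519.PrivateKey) FirmwareBundle {
	m := BuildManifest(files)
	return FirmwareBundle{Manifest: m, Signature: ed25519.Sign(key, m), Files: files}
}

// Verify is the device side for a bundle fetched over plain HTTP. Order matters:
// check the manifest signature against the pinned key first; only a verified
// manifest's hashes may be trusted to judge the payload files.
func Verify(b FirmwareBundle, pinned ed25519.PublicKey) error {
	if !ed25519.Verify(pinned, b.Manifest, b.Signature) {
		return fmt.Errorf("manifest signature invalid: reject bundle")
	}
	want := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(b.Manifest)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		want[f[0]] = f[1]
	}
	if len(want) != len(b.Files) {
		return fmt.Errorf("file set differs from manifest")
	}
	for name, data := range b.Files {
		sum := sha256.Sum256(data)
		if h, ok := want[name]; !ok || hex.EncodeToString(sum[:]) != h {
			return fmt.Errorf("%s: hash mismatch or unlisted, payload altered", name)
		}
	}
	return nil
}

// Scenarios: genuine bundle; kernel swapped in transit (nothing on HTTP prevents
// that); attacker who also rebuilds and signs the manifest with their own key.
func Scenarios() (genuine, swapped, resigned error) {
	pinned := vendorKey.Public().(ed25519.PublicKey)
	good := SignBundle(sampleFiles(), vendorKey)
	genuine = Verify(good, pinned)
	tampered := sampleFiles()
	tampered["uImage"] = []byte("attacker kernel image")
	mitm := good // same signed manifest, different bytes on the wire
	mitm.Files = tampered
	swapped = Verify(mitm, pinned)
	attackerKey := ed25519.NewKeyFromSeed([]byte("attacker-seed-attacker-seed-0000"))
	resigned = Verify(SignBundle(tampered, attackerKey), pinned)
	return
}

func main() {
	g, s, r := Scenarios()
	fmt.Printf("genuine: %v\nswapped kernel: %v\nattacker-signed: %v\n", g, s, r)
}
```

With the real formats the same two steps are, roughly, an `openssl smime -verify -inform DER -in Manifest.p7s -content Manifest.plist` against the pinned certificate, followed by recomputing every hash the plist lists. Hashes read from a manifest whose signature has not yet been checked prove nothing, which is why the device-side order above is the whole point.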

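Slides 20 to 36 describe the boot path the attack takes: holding the button for ten seconds pulls sys_boot[5] high, the ROM then tries USB before NAND, and an X-Loader sent over USB runs with no authentication at all. Slide 42 proposes the fix: the processor must authenticate the first-stage bootloader with public-key cryptography before it runs. The Go program below is an added example, not code from the talk, from Nest or from TI. It simulates both halves of the USB exchange and a ROM in both modes. The command word is the one used by the public omap3_usbload tool as remembered here (an assumption, to be checked against the AM37x TRM), and the signed-image layout is invented for illustration; neither is a claim about the Nest ROM's actual behaviour.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command word the host sends after the ROM enumerates over USB. Taken from
// memory of the public omap3_usbload tool (an assumption; confirm in the TRM).
const periphBootCmd = 0xF0030002

// Invented, illustrative signed first-stage layout for the fixed ROM:
// "XLDR" | u32 payload length | payload | 64-byte Ed25519 signature over the rest.
const xldrMagic = "XLDR"

// Fixed demo key (zero seed); a real ROM holds only the public half or its hash.
var vendorKey = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))

// bootStage records what the ROM decided instead of jumping into SRAM.
type bootStage struct {
	Executed bool
	Image    []byte
	Reason   string
}

// HostPeripheralBoot frames the host half: command word, image length, image.
func HostPeripheralBoot(image []byte) []byte {
	buf := make([]byte, 8, 8+len(image))
	binary.LittleEndian.PutUint32(buf, periphBootCmd)
	binary.LittleEndian.PutUint32(buf[4:], uint32(len(image)))
	return append(buf, image...)
}

// parsePeripheralBoot is the device half: check framing, hand back the image.
func parsePeripheralBoot(msg []byte) ([]byte, error) {
	if len(msg) < 8 || binary.LittleEndian.Uint32(msg) != periphBootCmd {
		return nil, errors.New("not a peripheral boot request")
	}
	if n := binary.LittleEndian.Uint32(msg[4:]); uint64(n) != uint64(len(msg)-8) {
		return nil, errors.New("length field does not match payload")
	}
	return msg[8:], nil
}

// SignXLoader wraps a first-stage payload in the illustrative signed layout.
func SignXLoader(payload []byte, key ed25519.PrivateKey) []byte {
	body := make([]byte, 8, 8+len(payload)+ed25519.SignatureSize)
	copy(body, xldrMagic)
	binary.LittleEndian.PutUint32(body[4:], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(key, body)...)
}

// verifyXLoader returns the payload only if header, length and signature all check.
func verifyXLoader(img []byte, pinned ed25519.PublicKey) ([]byte, error) {
	if len(img) < 8+ed25519.SignatureSize || string(img[:4]) != xldrMagic {
		return nil, errors.New("bad image header")
	}
	n := int(binary.LittleEndian.Uint32(img[4:]))
	if 8+n+ed25519.SignatureSize != len(img) {
		return nil, errors.New("length mismatch")
	}
	if !ed25519.Verify(pinned, img[:8+n], img[8+n:]) {
		return nil, errors.New("signature does not verify against pinned key")
	}
	return img[8 : 8+n], nil
}

// ROMBoot models the ROM with sys_boot[5]=1, so USB is tried before NAND.
// authenticate=false is the shipped behaviour the talk exploits: whatever arrives
// runs. authenticate=true is the slide 42 fix: unverified first stages are refused.
func ROMBoot(msg []byte, authenticate bool, pinned ed25519.PublicKey) bootStage {
	img, err := parsePeripheralBoot(msg)
	if err != nil {
		return bootStage{Reason: err.Error()}
	}
	if !authenticate {
		return bootStage{Executed: true, Image: img, Reason: "unauthenticated USB boot"}
	}
	payload, err := verifyXLoader(img, pinned)
	if err != nil {
		return bootStage{Reason: "refused: " + err.Error()}
	}
	return bootStage{Executed: true, Image: payload, Reason: "verified first stage"}
}

// Scenarios: constructed attacker X-Loader against the shipped ROM; the same image
// raw and re-signed with the attacker's key against the authenticating ROM; the
// vendor-signed X-Loader against the authenticating ROM.
func Scenarios() (shipped, raw, forged, legit bootStage) {
	pinned := vendorKey.Public().(ed25519.PublicKey)
	attacker := []byte("constructed x-loader chainloading u-boot + initrd")
	attackerKey := ed25519.NewKeyFromSeed([]byte("attacker-seed-attacker-seed-0000"))
	shipped = ROMBoot(HostPeripheralBoot(attacker), false, pinned)
	raw = ROMBoot(HostPeripheralBoot(attacker), true, pinned)
	forged = ROMBoot(HostPeripheralBoot(SignXLoader(attacker, attackerKey)), true, pinned)
	legit = ROMBoot(HostPeripheralBoot(SignXLoader([]byte("vendor x-loader"), vendorKey)), true, pinned)
	return
}

func main() {
	a, b, c, d := Scenarios()
	fmt.Printf("%+v\n%+v\n%+v\n%+v\n", a, b, c, d)
}
```

The same check has to apply to the NAND boot path, not just USB: otherwise the X-loader bootkit written to NAND on slide 34 still runs, and the ROM's USB gate buys nothing once the attacker has been on the device once.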
Editor's Notes

  1. Sales data according to
  2. Sales data according to
  3. Health Corporate Manufacturing Retail Transportation Utilities Consumer
  4. Sales data according to
  5. Mention that Nest Labs definitely takes security seriously. Let this talk show that even the best of the designers can make mistakes.
  6. Front plate uses ttyO2 to talk to the back plate. Show live hardware and demonstrate some of its functions.
  7. This smart device may be too smart for its own good. Firmware does everything for the user. Attacking the firmware will result in greater damages to the user.
  8. Nlbpfirmware.plist is an XML document which contains among other things base64 encoded data (firmware image for backplate). Tool to flash firmware is included in the device’s filesystem.
  9. Firmware is downloaded using HTTP
  10. Usage statistics System logs Nest software logs (Zip Code, device settings, wired option)
  11. Boot configurations are read by ROM code and latched into CONTROL.CONTROL_STATUS register. Pins can be used for anything afterwards.
  12. Other findings: Nest attempts to start a secure shell server of its own, no binaries found. SSH server keys are on device and unique to each unit.
  13. Boot device, use netcat as payload. Have small shell to target computer.