The document discusses security vulnerabilities in smart home thermostats like the Nest Thermostat. It describes how the thermostats can be hacked by exploiting weaknesses in their hardware, software, and firmware. Specifically, it shows how accessing a device's USB port allows injecting custom code to gain full control over the thermostat and access user data and accounts. The talk urges manufacturers to implement stronger authentication of code and encryption to protect smart home devices and data.
How Smart Thermostats Have Made Us Vulnerable
1. #RSAC
SESSION ID: HT-W04
Don't Touch That Dial: How Smart Thermostats Have Made Us Vulnerable
Yier Jin, Assistant Professor, University of Central Florida, @jinyier
Ray Potter, CEO, SafeLogic, @SafeLogic_Ray
2. #RSAC
Flow
The threat is real
Connected convenience comes with risk
Challenges
What’s at Stake
5. #RSAC
Nest Thermostat
Nest Labs founded by Tony Fadell
Debuted in October 2011
Acquired by Google in January 2014 ($3.2B)
Over 40,000 sold each month (data from GigaOM as of January 2013)
Available in UK in April 2014
Smart home API released in June 2014
6. #RSAC
“Yes, hacking is in our thoughts. When you're talking
about the home, these are very private things. We
thought about what people could do if they got access to
your data. We have bank-level security, we encrypt
updates, and we have an internal hacker team testing the
security. It's very, very private and it has to be, because
it'll never take off if people don't trust it.”
- Tony Fadell
8. #RSAC
“Display” board
Graphics/UI, Networking
Chips:
ARM Cortex A8 app processor
USB OTG
RAM/Flash (2Gb)
ZigBee/WiFi Radios
Proximity Sensors
UART test points (silenced at bootloader)
Front Plate
Courtesy of iFixit
9. #RSAC
“Backplate” and Comms
Hooks up to AC/Heating system. Charges battery via engineering wizardry
Chips:
Independent ARM Cortex M3
Temp and Humidity Sensor
Communications:
Front to Back – UART
NEST Weave (802.15.4)
USB MSD (FW update)
Courtesy of iFixit
11. #RSAC
Nest Client
Runs on a Linux based platform
Handles interfacing between device and Nest Cloud services
Automatically handles firmware updates
Manual update available:
Plug Nest into PC
Handled as a storage device
Copy firmware to drive
Reboot
12. #RSAC
Nest Firmware
Signed firmware:
Manifest.plist hashes the contents
Manifest.p7s carries the PKCS7 signature
Compressed but not encrypted or obfuscated
Includes
– U-boot image
– Linux Kernel image
– File system
– nlbpfirmware.plist
13. #RSAC
Things Done the Right Way™
Firmware signing using PKCS7
Pinned Nest certificates for firmware verification
All critical communications (any with secrets) over HTTPS
Other less secure ones over HTTP (firmware, weather)
14. #RSAC
Things Done the Wrong Way™
Firmware links downloaded using HTTP, and download links do not expire
Hardware backdoor left for anyone with a USB port to use
Automatic updates
15. #RSAC
User Privacy
Log Files
Internally stored and uploaded to Nest
Contents
User Interface
Users are unaware of the contents of the log files
Users cannot turn off this option
User network credentials are stored … in plain text!
Users should be allowed to opt-out of the data collection?
20. #RSAC
Boot Process (normal boot)
Root ROM starts execution
→ ROM initializes basic subsystems
→ ROM copies X-Loader to SRAM
→ X-Loader executes
→ X-Loader initializes SDRAM
→ X-Loader copies U-boot to SDRAM
→ U-boot executes
→ U-boot configures environment
→ U-boot executes Linux kernel
→ Userland loaded
21. #RSAC
Boot Process (boot from USB)
Root ROM starts execution
→ ROM initializes basic subsystems
→ ROM reads X-Loader from USB
→ X-Loader executes
→ X-Loader initializes SDRAM
→ X-Loader copies U-boot to SDRAM
→ U-boot executes
→ U-boot configures environment
→ U-boot executes Linux kernel
→ Userland loaded
29. #RSAC
Device Initialization
Boot configuration read from sys_boot[5:0]
Selected boot configurations:

sys_boot[5:0]  First    Second  Third  Fourth   Fifth
001101         XIP      DOC     USB    UART3    MMC1
001110         XIPwait  USB     UART3  MMC1
001111         NAND     USB     UART3  MMC1
101101         USB      UART3   MMC1   XIP      DOC
101110         USB      UART3   MMC1   XIPwait
101111         USB      UART3   MMC1   NAND
30. #RSAC
Device Programming
Boot configuration pins 4..0 are fixed in Nest’s hardware
sys_boot[5] changes based on reset type
Conveniently, the circuit board exposes sys_boot[5] on an unpopulated header…
33. #RSAC
Implications
Full control over the house
Away detection
Network credentials
Zip Code
Remote exfiltration
Pivoting to other devices
34. #RSAC
Unauthorized ability to access Nest account
We now have the OAUTH secrets
Ability to brick the device
We can modify the NAND
Persistent malware in NAND
X-loader bootkit in NAND
Control over all Nest devices
36. #RSAC
Attack
Device Reset
Press the button for 10 seconds causing sys_boot[5] = 1’b1
Inject code through the USB into memory and execute
Be quick!
37. #RSAC
Initial Attack
Custom X-Loader to chainload U-Boot + initrd
Custom U-Boot
Utilize existing kernel
Load our ramdisk (initrd)
Ramdisk
Mount Nest’s filesystem and write at will
Arbitrary, scriptable, code execution
Netcat already comes with the Nest
38. #RSAC
Refining a Backdoor
Rebuild toolchain
Cross-compile dropbear (SSH server)
Add user accounts and groups
Reset root password
39. #RSAC
Linux Kernel Modification
A custom Linux kernel
Custom logo
Debugging capabilities (kgdb)
Polling on OMAP serial ports
41. #RSAC
Double-Edged Sword
Positive View
The backdoor lets legitimate users opt out of uploading log files
Negative View
The backdoor may be maliciously exploited
A Relief to Nest Labs
The backdoor needs physical access to the device (although remote attack is under investigation)
42. #RSAC
A Solution – Chain of Trust
Code Authentication
Processor must authenticate the first stage bootloader before it is run
Use public key cryptography
Userland protection
Only execute signed binaries
Filesystem encryption
Processor-DRAM channel protection
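An added example, not code from the talk or from Nest, modelling the chain of trust proposed on this slide together with the signed-manifest layout described under Nest Firmware: a root key pinned in ROM verifies a manifest of stage digests, and each stage (X-Loader, U-Boot, kernel) is checked against that manifest before it may run. Ed25519 and JSON stand in for PKCS7 and the plist format, and the stage names and images are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Bundle stands in for a Nest-style firmware bundle: stage images, a manifest with
// one SHA-256 digest per image (the role of Manifest.plist) and a signature over it
// (the role of Manifest.p7s). Ed25519 replaces PKCS7 here only to use the stdlib.
type Bundle struct {
	Stages   map[string][]byte
	Manifest []byte // JSON object: stage name -> 32-byte digest
	Sig      []byte
}

// BuildBundle is the vendor side: hash every stage, then sign the manifest.
func BuildBundle(priv ed25519.PrivateKey, stages map[string][]byte) Bundle {
	digests := map[string][32]byte{}
	for name, img := range stages {
		digests[name] = sha256.Sum256(img)
	}
	manifest, _ := json.Marshal(digests) // map keys are sorted, so this is canonical
	return Bundle{Stages: stages, Manifest: manifest, Sig: ed25519.Sign(priv, manifest)}
}

// BootChain is the device side. rootKey is pinned in ROM; the manifest signature
// is checked first, then each stage in boot order is hashed and compared with the
// manifest before it may run. It returns the stages that were allowed to run. Where
// an image came from (NAND or USB) never enters the decision, so an unsigned
// X-Loader fed in over USB stops the chain at the very first stage.
func BootChain(rootKey ed25519.PublicKey, b Bundle, order []string) ([]string, error) {
	if !ed25519.Verify(rootKey, b.Manifest, b.Sig) {
		return nil, fmt.Errorf("manifest signature invalid: refusing to boot")
	}
	digests := map[string][32]byte{}
	if err := json.Unmarshal(b.Manifest, &digests); err != nil {
		return nil, err
	}
	ran := []string{}
	for _, name := range order {
		if digests[name] != sha256.Sum256(b.Stages[name]) {
			return ran, fmt.Errorf("refusing to run %s: digest not in signed manifest", name)
		}
		ran = append(ran, name)
	}
	return ran, nil
}
```

A genuine bundle boots all three stages; swapping any stage image, editing the manifest, or signing with a key other than the pinned one stops the chain before the altered stage runs.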
43. #RSAC
How to Apply This Knowledge
Identify whether your product shares vulnerabilities with these examples.
Build security strategy and implement NOW, don’t wait.
Explore 3rd party validation and other ways to leverage proven security measures.
Regardless of form factor, focus on the data.
And of course, as a user, quarantine WiFi access for each of your IoT devices.
Editor's Notes
Sales data according to
Sectors shown in the figure: Health, Corporate, Manufacturing, Retail, Transportation, Utilities, Consumer
Mention that Nest Labs definitely takes security seriously. Let this talk show that even the best of the designers can make mistakes.
Front plate uses ttyO2 to talk to the back plate. Show live hardware and demonstrate some of its functions.
This smart device may be too smart for its own good. Firmware does everything for the user. Attacking the firmware will result in greater damages to the user.
Nlbpfirmware.plist is an XML document which contains among other things base64 encoded data (firmware image for backplate). Tool to flash firmware is included in the device’s filesystem.