Hijacking a home
Orlando Arias types furiously on his computer keyboard, white text streaming across a plain black background. It’s almost like a foreign language – computer code he’s written himself, lines and lines of commands he’s memorized.
“Here come the fireworks,” he says.
And then, magically, “Hello, Dave.” pops up on the Nest’s screen. It’s a nod to “2001: A Space Odyssey.”
Google’s Nest is a “smart” thermostat with sensors that learns your habits. When it detects you’re not home, it can change the temperature for energy and cost savings. It’s not normally known for spouting random movie quotes, certainly not those of a computer revolting against its human masters.
It’s been hacked.
UCF professor Yier Jin, UCF computer engineering students Grant Hernandez and Orlando Arias, along with independent researcher Daniel Buentello from Houston, presented their hack of the Nest, which requires physical access to the device, at the Black Hat security conference. The Nest has very secure software, but in the hardware there’s a back door, a USB plug that hackers can use to insert their own code in 15 seconds, they said.
“These ‘internet of things’ devices are becoming so advanced and smart and they have so much technology built into them, they’re not just what they’re advertised as, they’re not just thermostats, they’re not just routers, they’re full blown computers and with a full blown computer you can do nearly anything,” Hernandez said.
The team’s goal was to show how every day devices connected online, the “internet of things” such as the Nest, internet TV gadgets, routers, can be hacked and used to compromise security and access a home’s network. Sure, a hacker could use the Nest to change the temperature in your home, but they could also send spam emails through it, use it as a proxy to hide their spamming and hacking traffic so others couldn’t detect their location, or worse, they could access your computer and steal your banking information. And you’d never even know they’ve taken control of the device.
“These kinds of things are actually harder to detect, it’s not like you sit in front of your refrigerator or thermostat and you watch it work, and you say, ‘Wait this is slower than usual what’s going on here?’” Arias said.
There’s a whole hacking black market out there on the web. They sell information including social security numbers, passwords and banking information. They could also be selling information about whether you’re home or not, which a hacked Nest could communicate. That webcam you’ve got – someone could be accessing that, too. And it all starts with one compromised device.
“It’s happening now,” Jin said.
The team wants to make the public more aware of the security issues of these devices. They said consumers should research products’ security before purchasing, and they should demand that companies make security a priority. Their hacking of the Nest, a product its creators spent time and money making secure, shows how vulnerable other products are. Jin wants to get students, high school and above, interested in cyber security, too, and to create a hub for this at UCF. The security “good guys” are outnumbered right now.
“Now in this cyber world it’s a whole new territory, and the bad guys are there first,” Buentello said. “Because we don’t have enough people who learn about their craft, which is breaking into things, we can’t defend our networks.”
There’s also just the general issue of privacy. Most people don’t think about where the data collected by their smart phones, Nest, Google or Facebook even goes. Buentello said there needs to be more transparency in the industry.
“These devices are full of sensors and full of storage and they’re collecting all this data,” Buentello said. “And we don’t choose, it’s all or nothing, you want something smart, you have to give up all this and there’s no in-between with it.”
But even the hackers, those most aware of the privacy and security issues, aren’t willing to give up their useful, convenient, cool gadgets. Most of the hundreds of people they presented to said they owned a Nest. They watched it get hacked, heard the presentation, and when Buentello asked if they’d give it up, it was a quiet room.
“And none of them raised their hand, and you know what, neither am I; I have two of them still in my house working,” he said. “What does that say about us?”
The UCF team is currently working on finding vulnerabilities in other devices and determining solutions to those, which they’ll report back to the companies so they can make security changes.
To watch a demo video of the team hacking a Nest, go to http://bit.ly/1wshPdJ. UCF professor Yier Jin would like to give presentations to local high school students and teachers interested in learning about cyber security. Email Jin at [email protected] to inquire about a lecture.