Nest thermostat vulnerability: remotely determining whether the user is at home

ID MYHACK58:62201450329
Type myhack58
Reporter Anonymous
Modified 2014-06-26T00:00:00


Smart devices bring opportunities for hackers

This week the US hacker group GTVHacker disclosed a vulnerability in the Nest smart thermostat, the Nest Learning Thermostat. Through this vulnerability, an attacker can learn whether the user is at home from the motion detector's information, network traffic, or the room temperature, without having to open the device.

Through the Nest smart thermostat, users can gain many interesting smart functions, for example completely replacing the Nest software. However, this is also where the vulnerability gives hackers an opening.

So how is this attack carried out? As with attacks on other mobile devices or connected home devices, the hacker first needs to get hold of a Nest smart thermostat. Most users therefore do not have to worry about hackers breaking into their home to modify their equipment. GTVHacker has provided a detailed video, and the team will present the attack in detail at the DEFCON conference in August this year.

In response to this news, Nest said that the team's software "did not compromise the security of our servers and connections. To our knowledge, no device has so far been remotely compromised".

According to GTVHacker, the attack uses the Nest smart thermostat's software-loading channel (which requires the USB port, so a hacker must physically obtain the device) to run its own boot loader and add an SSH server with root privileges. This looks like a legitimate update but leaves a back door, and the owner of the device may be completely unaware that anything has changed.