Important News:SafeLogic's CryptoComply Achieves FIPS 140-3 Validation and Receives FIPS 140-3 certificate #4781! Read the blog post!

The SafeLogic Blog

Nest: Hacked or Just Jailbroken?

August 7, 2014 Walt Paley

It is here, somewhere in the middle of the desert, among the inexplicably massive resort hotels that have risen from the sand over the years, that the experts have gathered.  First it‘s Black Hat, then it will be ITexpo.  Right now is the lull between the storms.
blackhat72412
Not much of a lull, though, to be honest.  After Yier Jin, a researcher and assistant professor at the University of Central Florida (go Knights!), blew the doors off of the poster child for the Internet of Things at Black Hat, the hype machine has grabbed hold of the discussion and we’re in full swing.

One camp points to the discovered vulnerability in the Nest thermostat as proof positive of our future destruction.  The other takes it with a grain of salt, reassured by Nest Labs’ assertion that the unauthorized control requires physical access and should be considered a ‘jailbreak’, not a true hack.

CrackedNestThermostat

I would fall somewhere in between the two schools of thought.  The latter doesn’t take the hack seriously enough, while the former is just a bit too convincing as Chicken Little.  But let’s take a closer look at the situation.

Sean Michael Kerner’s article at eWeek quotes Nest Labs’ statement.  “It doesn’t compromise the security of our servers or the connections to them and to the best of our knowledge, no devices have been accessed and compromised remotely.

Jin, the researcher, didn’t claim to hack Nest’s servers or control any remote devices… what he did say is that he could theoretically interfere with future firmware updates, rendering a particular thermostat helpless to potential bugs, hacks and loopholes that will doubtless be discovered later.  In addition, Jin points out that by forcing his way onto the device, he would have access to network credentials.  Now we’re talking about a clear and present threat.

So perhaps the bigger problem here is not the hack of the thermostat – it’s that the network credentials are accessible from the device.  As Seth Rosenblatt points out at CNET, Black Hat has pivoted this year to a true discussion of security, leaving the topic of privacy for another time.  Jin clearly uncovered a distinct security issue, and I’m excited to see how the industry responds.  In the meantime, we’ll see what ITexpo brings to town.
itexpo-logo-2014
In the immortal words of Hunter S. Thompson, "Buy the ticket, take the ride."  IoT is here, and we are all along for the ride.  Let's make the most of it.  Drop me a note if you're here in Las Vegas for the conferences, I'd love to hear your opinions.

Walt Paley

Walt Paley

Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An Alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.

Share This:

Back to posts

Popular Posts

Search for posts

Tags

See all