How Smart Thermostats Have Made Us Vulnerable

Ray Potter
Ray PotterCEO at SafeLogic
#RSAC SESSION ID: Ray Potter Yier Jin Don't Touch That Dial: How Smart Thermostats Have Made Us Vulnerable HT-W04 Assistant Professor University of Central Florida @jinyier CEO SafeLogic @SafeLogic_Ray
#RSAC  The threat is real  Connected convenience comes with risk  Challenges  What’s at Stake Flow
#RSAC  Pattern recognition  Identity theft  Corporate espionage  Life What’s at Stake
#RSAC Use Cases
#RSAC  Nest Labs founded by Tony Fadell  Debuted in October 2011  Acquired by Google in January 2014 ($3.2B)  Over 40,000 sold each month Data from GigaOM as of January 2013  Available in UK in April 2014  Smart home API is released in June 2014 Nest Thermostat
#RSAC “Yes, hacking is in our thoughts. When you're talking about the home, these are very private things. We thought about what people could do if they got access to your data. We have bank-level security, we encrypt updates, and we have an internal hacker team testing the security. It's very, very private and it has to be, because it'll never take off if people don't trust it.” - Tony Fadell
#RSAC Nest Hardware
#RSAC  “Display” board  Graphics/UI, Networking  Chips:  ARM Cortex A8 app processor  USB OTG  RAM/Flash (2Gb)  ZigBee/WiFi Radios  Proximity Sensors  UART test points (silenced at bootloader) Front Plate Courtesy of iFixit
#RSAC  Hooks up to AC/Heating system. Charges battery via engineering wizardry  Chips:  Independent ARM Cortex M3  Temp and Humidity Sensor  Communications  Front to Back – UART  NEST Weave (802.15.4)  USB MSD (FW update) “Backplate” and Comms Courtesy of iFixit
#RSAC Nest Software
#RSAC  Runs on a Linux based platform  Handles interfacing between device and Nest Cloud services  Automatically handles firmware updates  Manual update available  Plug Nest into PC  Handled as a storage device  Copy firmware to drive  Reboot Nest Client Nest
#RSAC Nest Firmware  Signed firmware   Manifest.plist  Hashes contents  Manifest.p7s  Compressed but not encrypted or obfuscated  Includes – U-boot image – Linux Kernel image – File system – nlbpfirmware.plist
#RSAC  Firmware signing using PKCS7  Pinned Nest certificates for firmware verification  All critical communications (any with secrets) over HTTPS  Other less secure ones over HTTP (firmware, weather) Things Done the Right Way™
#RSAC  Firmware links downloaded using HTTP and download links do not expire  Hardware backdoor left for anyone with a USB port to use  Automatic updates Things Done the Wrong Way™
#RSAC  Log Files  Internally stored and uploaded to Nest  Contents  User Interface  Users are unaware of the contents of the log files  Users cannot turn off this option  User network credentials are stored … in plain text!  Users should be allowed to opt-out of the data collection? User Privacy
#RSAC Log Files
#RSAC Processor and boot
#RSAC  TI Sitara AM3703  ARM Cortex-A8 core  Version 7 ISA  JazelleX Java accelerator and media extensions  ARM NEON core SIMD coprocessor  DMA controller  HS USB controller  General Purpose Memory Controller to handle flash  SDRAM memory scheduler and controller  112KB on-chip ROM (boot code)  64KB on-chip SRAM  Configurable boot options Hardware Analysis
#RSAC
#RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM copies X-Loader to SRAM X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
#RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
#RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
#RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
#RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
#RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
#RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
#RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
#RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
#RSAC  Boot Configuration read from sys_boot[5:0] Device Initialization Selected boot configurations sys_boot [5:0] First Second Third Fourth Fifth 001101 001110 001111 XIP XIPwait NAND USB DOC USB UART3 USB UART3 MMC1 UART3 MMC1 MMC1 101101 101110 101111 USB USB USB UART3 UART3 UART3 MMC1 MMC1 MMC1 XIP XIPwait NAND DOC
#RSAC  Boot configuration pins 4..0 are fixed in Nest’s hardware  sys_boot[5] is changes based on reset type  Conveiently, circuit board exposes sys_boot[5] on an unpopulated header… Device Programming
#RSAC Nest USB Device Descriptor
#RSAC TI USB Device Descriptor
#RSAC  Full control over the house  Away detection  Network credentials  Zip Code  Remote exfiltration  Pivoting to other devices Implications
#RSAC  Unauthorized ability to access Nest account  We now have the OAUTH secrets  Ability to brick the device  We can modify the NAND  Persistent malware in NAND  X-loader bootkit in NAND Control over all Nest devices
#RSAC The Attack
#RSAC  Device Reset  Press the button for 10 seconds causing sys_boot[5] = 1’b1  Inject code through the USB into memory and execute  Be quick! Attack
#RSAC  Custom X-Loader to chainload U-Boot + initrd  Custom U-Boot  Utilize existing kernel  Load our ramdisk (initrd)  Ramdisk  Mount Nest’s filesystem and write at will  Arbitrary, scriptable, code execution  Netcat already comes with the Nest Initial Attack
#RSAC  Rebuild toolchain  Cross-compile dropbear (SSH server)  Add user accounts and groups  Reset root password Refining a Backdoor
#RSAC  A custom Linux kernel  Custom logo  Debugging capabilities (kgdb)  Polling on OMAP serial ports Linux Kernel Modification
#RSAC Demo
#RSAC  Positive View  The backdoor provide legitimate users to opt-out of uploading logs files  Negative View  The backdoor may be maliciously exploited  A Relief to Nest Labs  The backdoor needs physical access to the device (although remote attack is under investigation) Double-Edged Sword
#RSAC  Code Authentication  Processor must authenticate the first stage bootloader before it is run  Use public key cryptography  Userland protection  Only execute signed binaries  Filesystem encryption  Processor-DRAM channel protection A Solution – Chain of Trust
#RSAC How to Apply This Knowledge 47  Identify whether your product shares vulnerabilities with these examples.  Build security strategy and implement NOW, don’t wait.  Explore 3rd party validation and other ways to leverage proven security measures.  Regardless of form factor, focus on the data.  And of course, as a user, quarantine WiFi access for each of your IoT devices.
1 of 43

How Smart Thermostats Have Made Us Vulnerable

Download to read offline
Technology

This is a co-speaker session, featuring Ray Potter, who spoke at RSA '14 alongside his mentor and advisor, Whit Diffie, and Yier Jin, an Assistant Professor at the University of Central Florida who has earned recognition for his work cracking the Nest thermostat. As we are seven months away from the conference, with plenty of time for additional developments, please view these talking points and flow as a living framework. Their slide deck will be fully updated in early April 2015 to address new research and timely examples in addition to the Nest research. After short biographical introductions, Potter and Jin will begin by discussing current security and privacy concerns. This segment will cover IoT and Wearable devices that are available at the time of the conference, as well as exceptional examples that are rumored, upcoming, and potentially some that have already been discontinued. (Samsung Galaxy Gear watch, I'm looking at you!) Jin will continue into his own research on the Nest learning thermostat. He will address the infrastructure of the IoT poster child, including an assessment and security analysis of the firmware and hardware. Jin will continue, speaking specifically about the boot process and device initialization. Potter will share his thoughts with the attendees, engaging Jin in dialogue on the attack vectors of the Nest and other connected endpoints. This section of the talk will include discussion of the repercussions of the device vulnerabilities - worst case scenarios, including the enablement of other criminal activity, privacy leakage, and extensive attacks via the local network due to compromised IoT devices. The session will continue with Potter sharing his expertise on compliance, security standardization and encryption. This look at the upside of benchmarked assurance will give attendees food for thought in future innovation. Jin will offer insight on enhancing the design flow for security in the constrained devices, including secure boot protocols and hardware-supported trust computation. The duo will wrap up the presentation with an outlook on the burgeoning industry of connected devices. With their appreciation for innovation and technology, tempered by their professional expertise in security, Jin and Potter share an optimistic view for the future with significant caveats for consumers who hope to achieve ideal and safe results with IoT and Wearables.

Ray Potter
Ray PotterCEO at SafeLogic

Recommended

Web Application Security Testing: Kali Linux Is the Way to Go by
Web Application Security Testing: Kali Linux Is the Way to GoWeb Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to GoGene Gotimer
1.4K views54 slides
Kali Linux - CleveSec 2015 by
Kali Linux - CleveSec 2015Kali Linux - CleveSec 2015
Kali Linux - CleveSec 2015TGodfrey
5.5K views155 slides
Kali tools list with short description by
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short descriptionJose Moruno Cadima
21.3K views24 slides
[ENG] IPv6 shipworm + My little Windows domain pwnie by
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
1.6K views51 slides
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ... by
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
10.1K views60 slides
BackTrack5 - Linux by
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linuxmariuszantal
4.2K views35 slides

More Related Content

What's hot

Solnik secure enclaveprocessor-pacsec by
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecPacSecJP
393 views95 slides
2016 TTL Security Gap Analysis with Kali Linux by
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali LinuxJason Murray
1.1K views36 slides
Tools kali by
Tools kaliTools kali
Tools kaliketban0702
7.8K views668 slides
Attacking Automatic Wireless Network Selection by
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selectionamiable_indian
1.5K views29 slides
Backtrack by
BacktrackBacktrack
BacktrackOne97 Communications Limited
1.8K views19 slides

What's hot(20)

Solnik secure enclaveprocessor-pacsec by PacSecJP
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
PacSecJP393 views
2016 TTL Security Gap Analysis with Kali Linux by Jason Murray
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
Jason Murray1.1K views
Backtrack by n|u - The Open Security Community
BacktrackBacktrack
Backtrack
n|u - The Open Security Community3K views
Tools kali by ketban0702
Tools kaliTools kali
Tools kali
ketban07027.8K views
Attacking Automatic Wireless Network Selection by amiable_indian
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selection
amiable_indian1.5K views
Backtrack by One97 Communications Limited
BacktrackBacktrack
Backtrack
One97 Communications Limited1.8K views
Hacking Highly Secured Enterprise Environments by Zoltan Balazs by Shakacon
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon1.2K views
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo by Shakacon
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Shakacon2.9K views
Kasza smashing the_jars by PacSecJP
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
PacSecJP1K views
Database Firewall with Snort by Narudom Roongsiriwong, CISSP
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
Narudom Roongsiriwong, CISSP3.9K views
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT by CanSecWest
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest1.4K views
Defcon 22-jesus-molina-learn-how-to-control-every-room by Priyanka Aash
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-room
Priyanka Aash1.9K views
Snort-IPS-Tutorial by Vladimir Koychev
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
Vladimir Koychev1.2K views
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop by Priyanka Aash
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Priyanka Aash3.3K views
Automated Malware Analysis and Cyber Security Intelligence by Jason Choi
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi1.1K views
Hack Attack! An Introduction to Penetration Testing by Steve Phillips
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration Testing
Steve Phillips4K views
Hack wifi password using kali linux by Helder Oliveira
Hack wifi password using kali linuxHack wifi password using kali linux
Hack wifi password using kali linux
Helder Oliveira3.9K views
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ... by DefconRussia
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
DefconRussia7.9K views
Telehack: May the Command Line Live Forever by Gregory Hanis
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live Forever
Gregory Hanis3.7K views
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence by Priyanka Aash
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Priyanka Aash152 views

Viewers also liked

IoT_Ethics by
IoT_EthicsIoT_Ethics
IoT_EthicsBrandon Walston
274 views10 slides
CurrentRegs by
CurrentRegsCurrentRegs
CurrentRegsDavid Day
123 views21 slides
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7... by
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...iotest
615 views12 slides
An introduction to Digital Security - Rishabh Dangwal by
An introduction to Digital Security - Rishabh DangwalAn introduction to Digital Security - Rishabh Dangwal
An introduction to Digital Security - Rishabh DangwalRishabh Dangwal
1.5K views20 slides
Tesla iot case study by
Tesla iot case studyTesla iot case study
Tesla iot case studyJohn Mathon
8.4K views18 slides
Internet of Things (IOT) - Demo - Part I by
Internet of Things (IOT) - Demo - Part IInternet of Things (IOT) - Demo - Part I
Internet of Things (IOT) - Demo - Part IEmertxe Information Technologies Pvt Ltd
1.2K views13 slides

Viewers also liked(16)

IoT_Ethics by Brandon Walston
IoT_EthicsIoT_Ethics
IoT_Ethics
Brandon Walston274 views
CurrentRegs by David Day
CurrentRegsCurrentRegs
CurrentRegs
David Day123 views
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7... by iotest
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...
Naming, Search and Discovery in IoT: Issues and proposed solutions in the FP7...
iotest615 views
An introduction to Digital Security - Rishabh Dangwal by Rishabh Dangwal
An introduction to Digital Security - Rishabh DangwalAn introduction to Digital Security - Rishabh Dangwal
An introduction to Digital Security - Rishabh Dangwal
Rishabh Dangwal1.5K views
Tesla iot case study by John Mathon
Tesla iot case studyTesla iot case study
Tesla iot case study
John Mathon8.4K views
Internet of Things (IOT) - Demo - Part I by Emertxe Information Technologies Pvt Ltd
Internet of Things (IOT) - Demo - Part IInternet of Things (IOT) - Demo - Part I
Internet of Things (IOT) - Demo - Part I
Emertxe Information Technologies Pvt Ltd1.2K views
Design challenges in IoT by Emertxe Information Technologies Pvt Ltd
Design challenges in IoT Design challenges in IoT
Design challenges in IoT
Emertxe Information Technologies Pvt Ltd10.9K views
IoT Security: Cases and Methods by Leonardo De Moura Rocha Lima
IoT Security: Cases and MethodsIoT Security: Cases and Methods
IoT Security: Cases and Methods
Leonardo De Moura Rocha Lima504 views
Cybesecurity of the IoT by Altoros
Cybesecurity of the IoTCybesecurity of the IoT
Cybesecurity of the IoT
Altoros1.7K views
The Internet of Things: Privacy and Security Issues by European Union Agency for Network and Information Security (ENISA)
The Internet of Things: Privacy and Security IssuesThe Internet of Things: Privacy and Security Issues
The Internet of Things: Privacy and Security Issues
European Union Agency for Network and Information Security (ENISA)11.4K views
Overview of IoT and Security issues by Anastasios Economides
Overview of IoT and Security issuesOverview of IoT and Security issues
Overview of IoT and Security issues
Anastasios Economides16.7K views
IoT security (Internet of Things) by Sanjay Kumar (Seeking options outside India)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
Sanjay Kumar (Seeking options outside India)14.8K views
IoT Security Imperative: Stop your Fridge from Sending you Spam by Amit Rohatgi
IoT Security Imperative: Stop your Fridge from Sending you SpamIoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you Spam
Amit Rohatgi2.5K views
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-g by Mohan Kumar G
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-gInternet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-g
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-g
Mohan Kumar G622.2K views
Internet of Things and its applications by Pasquale Puzio
Internet of Things and its applicationsInternet of Things and its applications
Internet of Things and its applications
Pasquale Puzio299.5K views
IoT - IT 423 ppt by Mhae Lyn
IoT - IT 423 pptIoT - IT 423 ppt
IoT - IT 423 ppt
Mhae Lyn246.1K views

Similar to How Smart Thermostats Have Made Us Vulnerable

OSX Pirrit : Why you should care about malicious mac adware by
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwarePriyanka Aash
585 views60 slides
RSA APJ Velociraptor Lab by
RSA APJ Velociraptor LabRSA APJ Velociraptor Lab
RSA APJ Velociraptor LabVelocidex Enterprises
122 views80 slides
Hacking Exposed: The Mac Attack by
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
357 views26 slides
Hacking Exposed: The Mac Attack by
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
824 views26 slides
Attacking Embedded Devices (No Axe Required) by
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
3.2K views39 slides
DevOOPS: Attacks and Defenses for DevOps Toolchains by
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
4.6K views145 slides

Similar to How Smart Thermostats Have Made Us Vulnerable(20)

OSX Pirrit : Why you should care about malicious mac adware by Priyanka Aash
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adware
Priyanka Aash585 views
RSA APJ Velociraptor Lab by Velocidex Enterprises
RSA APJ Velociraptor LabRSA APJ Velociraptor Lab
RSA APJ Velociraptor Lab
Velocidex Enterprises122 views
Hacking Exposed: The Mac Attack by Priyanka Aash
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
Priyanka Aash357 views
Hacking Exposed: The Mac Attack by Priyanka Aash
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
Priyanka Aash824 views
Attacking Embedded Devices (No Axe Required) by Security Weekly
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
Security Weekly3.2K views
DevOOPS: Attacks and Defenses for DevOps Toolchains by Chris Gates
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates4.6K views
RAT - Repurposing Adversarial Tradecraft by ⭕Alexander Rymdeko-Harvey
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft
⭕Alexander Rymdeko-Harvey2.9K views
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite by HostedGraphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
HostedGraphite803 views
Dns rebinding by AlaJebnoun
Dns rebindingDns rebinding
Dns rebinding
AlaJebnoun113 views
D1 t1 t. yunusov k. nesterov - bootkit via sms by qqlan
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan4.8K views
Offline attacks-and-hard-disk-encription by malvvv
Offline attacks-and-hard-disk-encriptionOffline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encription
malvvv556 views
Timings of Init : Android Ramdisks for the Practical Hacker by Stacy Devino
Timings of Init : Android Ramdisks for the Practical HackerTimings of Init : Android Ramdisks for the Practical Hacker
Timings of Init : Android Ramdisks for the Practical Hacker
Stacy Devino10.7K views
Docker, Linux Containers (LXC), and security by Jérôme Petazzoni
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni51.7K views
Security & ethical hacking p2 by ratnalajaggu
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
ratnalajaggu975 views
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli by Priyanka Aash
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash3.5K views
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand... by Sergey Gordeychik
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik514 views
Stop Passing the Bug: IoT Supply Chain Security by Synopsys Software Integrity Group
Stop Passing the Bug: IoT Supply Chain SecurityStop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain Security
Synopsys Software Integrity Group380 views
Docker, Linux Containers, and Security: Does It Add Up? by Jérôme Petazzoni
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni9.3K views
Teensy Programming for Everyone by Nikhil Mittal
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
Nikhil Mittal3.8K views
Software security by Akshay Surve
Software securitySoftware security
Software security
Akshay Surve398 views

Recently uploaded

State of the Union - Rohit Yadav - Apache CloudStack by
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStackShapeBlue
145 views53 slides
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineShapeBlue
102 views19 slides
PharoJS - Zürich Smalltalk Group Meetup November 2023 by
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023Noury Bouraqadi
141 views17 slides
Microsoft Power Platform.pptx by
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptxUni Systems S.M.S.A.
67 views38 slides
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc
77 views29 slides
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... by
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...ShapeBlue
88 views20 slides

Recently uploaded(20)

State of the Union - Rohit Yadav - Apache CloudStack by ShapeBlue
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStack
ShapeBlue145 views
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by ShapeBlue
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue102 views
PharoJS - Zürich Smalltalk Group Meetup November 2023 by Noury Bouraqadi
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi141 views
Microsoft Power Platform.pptx by Uni Systems S.M.S.A.
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptx
Uni Systems S.M.S.A.67 views
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc77 views
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... by ShapeBlue
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
ShapeBlue88 views
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... by Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker50 views
MVP and prioritization.pdf by rahuldharwal141
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdf
rahuldharwal14138 views
HTTP headers that make your website go faster - devs.gent November 2023 by Thijs Feryn
HTTP headers that make your website go faster - devs.gent November 2023HTTP headers that make your website go faster - devs.gent November 2023
HTTP headers that make your website go faster - devs.gent November 2023
Thijs Feryn28 views
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... by ShapeBlue
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
ShapeBlue83 views
Five Things You SHOULD Know About Postman by Postman
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman40 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays40 views
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software344 views
Why and How CloudStack at weSystems - Stephan Bienek - weSystems by ShapeBlue
Why and How CloudStack at weSystems - Stephan Bienek - weSystemsWhy and How CloudStack at weSystems - Stephan Bienek - weSystems
Why and How CloudStack at weSystems - Stephan Bienek - weSystems
ShapeBlue111 views
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson133 views
NTGapps NTG LowCode Platform by Mustafa Kuğu
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform
Mustafa Kuğu141 views
Ransomware is Knocking your Door_Final.pdf by Security Bootcamp
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
Security Bootcamp76 views
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P... by ShapeBlue
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
ShapeBlue82 views
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... by ShapeBlue
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
ShapeBlue74 views
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue by ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlueMigrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
ShapeBlue96 views

How Smart Thermostats Have Made Us Vulnerable

  • 1. #RSAC SESSION ID: Ray Potter Yier Jin Don't Touch That Dial: How Smart Thermostats Have Made Us Vulnerable HT-W04 Assistant Professor University of Central Florida @jinyier CEO SafeLogic @SafeLogic_Ray
  • 2. #RSAC  The threat is real  Connected convenience comes with risk  Challenges  What’s at Stake Flow
  • 3. #RSAC  Pattern recognition  Identity theft  Corporate espionage  Life What’s at Stake
  • 5. #RSAC  Nest Labs founded by Tony Fadell  Debuted in October 2011  Acquired by Google in January 2014 ($3.2B)  Over 40,000 sold each month Data from GigaOM as of January 2013  Available in UK in April 2014  Smart home API is released in June 2014 Nest Thermostat
  • 6. #RSAC “Yes, hacking is in our thoughts. When you're talking about the home, these are very private things. We thought about what people could do if they got access to your data. We have bank-level security, we encrypt updates, and we have an internal hacker team testing the security. It's very, very private and it has to be, because it'll never take off if people don't trust it.” - Tony Fadell
  • 8. #RSAC  “Display” board  Graphics/UI, Networking  Chips:  ARM Cortex A8 app processor  USB OTG  RAM/Flash (2Gb)  ZigBee/WiFi Radios  Proximity Sensors  UART test points (silenced at bootloader) Front Plate Courtesy of iFixit
  • 9. #RSAC  Hooks up to AC/Heating system. Charges battery via engineering wizardry  Chips:  Independent ARM Cortex M3  Temp and Humidity Sensor  Communications  Front to Back – UART  NEST Weave (802.15.4)  USB MSD (FW update) “Backplate” and Comms Courtesy of iFixit
  • 11. #RSAC  Runs on a Linux based platform  Handles interfacing between device and Nest Cloud services  Automatically handles firmware updates  Manual update available  Plug Nest into PC  Handled as a storage device  Copy firmware to drive  Reboot Nest Client Nest
  • 12. #RSAC Nest Firmware  Signed firmware   Manifest.plist  Hashes contents  Manifest.p7s  Compressed but not encrypted or obfuscated  Includes – U-boot image – Linux Kernel image – File system – nlbpfirmware.plist
  • 13. #RSAC  Firmware signing using PKCS7  Pinned Nest certificates for firmware verification  All critical communications (any with secrets) over HTTPS  Other less secure ones over HTTP (firmware, weather) Things Done the Right Way™
  • 14. #RSAC  Firmware links downloaded using HTTP and download links do not expire  Hardware backdoor left for anyone with a USB port to use  Automatic updates Things Done the Wrong Way™
  • 15. #RSAC  Log Files  Internally stored and uploaded to Nest  Contents  User Interface  Users are unaware of the contents of the log files  Users cannot turn off this option  User network credentials are stored … in plain text!  Users should be allowed to opt-out of the data collection? User Privacy
  • 18. #RSAC  TI Sitara AM3703  ARM Cortex-A8 core  Version 7 ISA  JazelleX Java accelerator and media extensions  ARM NEON core SIMD coprocessor  DMA controller  HS USB controller  General Purpose Memory Controller to handle flash  SDRAM memory scheduler and controller  112KB on-chip ROM (boot code)  64KB on-chip SRAM  Configurable boot options Hardware Analysis
  • 19. #RSAC
  • 20. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM copies X-Loader to SRAM X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
  • 21. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
  • 22. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
  • 23. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
  • 24. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
  • 25. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
  • 26. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
  • 27. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
  • 28. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
  • 29. #RSAC  Boot Configuration read from sys_boot[5:0] Device Initialization Selected boot configurations sys_boot [5:0] First Second Third Fourth Fifth 001101 001110 001111 XIP XIPwait NAND USB DOC USB UART3 USB UART3 MMC1 UART3 MMC1 MMC1 101101 101110 101111 USB USB USB UART3 UART3 UART3 MMC1 MMC1 MMC1 XIP XIPwait NAND DOC
  • 30. #RSAC  Boot configuration pins 4..0 are fixed in Nest’s hardware  sys_boot[5] is changes based on reset type  Conveiently, circuit board exposes sys_boot[5] on an unpopulated header… Device Programming
  • 31. #RSAC Nest USB Device Descriptor
  • 32. #RSAC TI USB Device Descriptor
  • 33. #RSAC  Full control over the house  Away detection  Network credentials  Zip Code  Remote exfiltration  Pivoting to other devices Implications
  • 34. #RSAC  Unauthorized ability to access Nest account  We now have the OAUTH secrets  Ability to brick the device  We can modify the NAND  Persistent malware in NAND  X-loader bootkit in NAND Control over all Nest devices
  • 36. #RSAC  Device Reset  Press the button for 10 seconds causing sys_boot[5] = 1’b1  Inject code through the USB into memory and execute  Be quick! Attack
  • 37. #RSAC  Custom X-Loader to chainload U-Boot + initrd  Custom U-Boot  Utilize existing kernel  Load our ramdisk (initrd)  Ramdisk  Mount Nest’s filesystem and write at will  Arbitrary, scriptable, code execution  Netcat already comes with the Nest Initial Attack
  • 38. #RSAC  Rebuild toolchain  Cross-compile dropbear (SSH server)  Add user accounts and groups  Reset root password Refining a Backdoor
  • 39. #RSAC  A custom Linux kernel  Custom logo  Debugging capabilities (kgdb)  Polling on OMAP serial ports Linux Kernel Modification
  • 41. #RSAC  Positive View  The backdoor provide legitimate users to opt-out of uploading logs files  Negative View  The backdoor may be maliciously exploited  A Relief to Nest Labs  The backdoor needs physical access to the device (although remote attack is under investigation) Double-Edged Sword
  • 42. #RSAC  Code Authentication  Processor must authenticate the first stage bootloader before it is run  Use public key cryptography  Userland protection  Only execute signed binaries  Filesystem encryption  Processor-DRAM channel protection A Solution – Chain of Trust
  • 43. #RSAC How to Apply This Knowledge 47  Identify whether your product shares vulnerabilities with these examples.  Build security strategy and implement NOW, don’t wait.  Explore 3rd party validation and other ways to leverage proven security measures.  Regardless of form factor, focus on the data.  And of course, as a user, quarantine WiFi access for each of your IoT devices.

Editor's Notes

  1. Sales data according to
  2. Sales data according to
  3. Health Corporate Manufacturing Retail Transportation Utilities Consumer
  4. Sales data according to
  5. Mention that Nest Labs definitely takes security seriously. Let this talk show that even the best of the designers can make mistakes.
  6. Front plate uses ttyO2 to talk to the back plate. Show live hardware and demonstrate some of its functions.
  7. This smart device may be too smart for its own good. Firmware does everything for the user. Attacking the firmware will result in greater damages to the user.
  8. Nlbpfirmware.plist is an XML document which contains among other things base64 encoded data (firmware image for backplate). Tool to flash firmware is included in the device’s filesystem.
  9. Firmware is downloaded using HTTP
  10. Usage statistics System logs Nest software logs (Zip Code, device settings, wired option)
  11. Boot configurations are read by ROM code and latched into CONTROL.CONTROL_STATUS register. Pins can be used for anything afterwards.
  12. Other findings: Nest attempts to start a secure shell server of its own, no binaries found. SSH server keys are on device and unique to each unit.
  13. Boot device, use netcat as payload. Have small shell to target computer.