#RSAC
Don't Touch That Dial: How Smart Thermostats Have Made Us Vulnerable
SESSION ID: HT-W04
Ray Potter, CEO, SafeLogic, @SafeLogic_Ray
Yier Jin, Assistant Professor, University of Central Florida, @jinyier
Flow
- The threat is real
- Connected convenience comes with risk
- Challenges
- What’s at Stake
What’s at Stake
- Pattern recognition
- Identity theft
- Corporate espionage
- Life
Use Cases
Nest Thermostat
- Nest Labs founded by Tony Fadell
- Debuted in October 2011
- Acquired by Google in January 2014 ($3.2B)
- Over 40,000 sold each month
  - Data from GigaOM as of January 2013
- Available in UK in April 2014
- Smart home API is released in June 2014
“Yes, hacking is in our thoughts. When you're talking about the home, these are very private things. We thought about what people could do if they got access to your data. We have bank-level security, we encrypt updates, and we have an internal hacker team testing the security. It's very, very private and it has to be, because it'll never take off if people don't trust it.”
- Tony Fadell
Nest Hardware
Front Plate
- “Display” board
- Graphics/UI, Networking
- Chips:
  - ARM Cortex A8 app processor
  - USB OTG
  - RAM/Flash (2Gb)
  - ZigBee/WiFi Radios
  - Proximity Sensors
- UART test points (silenced at bootloader)
- Courtesy of iFixit
“Backplate” and Comms
- Hooks up to AC/Heating system. Charges battery via engineering wizardry
- Chips:
  - Independent ARM Cortex M3
  - Temp and Humidity Sensor
- Communications:
  - Front to Back – UART
  - NEST Weave (802.15.4)
  - USB MSD (FW update)
- Courtesy of iFixit
Nest Software
Nest Client
- Runs on a Linux based platform
- Handles interfacing between device and Nest Cloud services
- Automatically handles firmware updates
- Manual update available
  - Plug Nest into PC
  - Handled as a storage device
  - Copy firmware to drive
  - Reboot
Nest Firmware
- Signed firmware
  - Manifest.plist: hashes contents
  - Manifest.p7s
- Compressed but not encrypted or obfuscated
- Includes:
  - U-boot image
  - Linux Kernel image
  - File system
  - nlbpfirmware.plist
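The manifest check described on this slide, as an added sketch (not code from the presentation or from Nest): it verifies each file in an update package against a plist of digests and flags files the manifest does not cover. The plist layout (file name to hex SHA-256) and the file names other than nlbpfirmware.plist are assumptions, and the PKCS7 signature over the manifest is assumed to have been verified beforehand.

```python
import hashlib
import hmac
import plistlib

def verify_manifest(manifest_bytes, files):
    """Check firmware files against the digests listed in a plist manifest.

    Assumed layout (not Nest's actual schema): a dict of file name -> hex
    SHA-256. The manifest's own signature (Manifest.p7s) must be verified
    before this runs. Returns a sorted list of problems; empty means clean.
    """
    manifest = plistlib.loads(manifest_bytes)
    problems = []
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            problems.append("missing: " + name)
            continue
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, str(expected).lower()):
            problems.append("digest mismatch: " + name)
    # A signature over the manifest says nothing about files it does not list.
    problems += ["not covered by manifest: " + n for n in files if n not in manifest]
    return sorted(problems)

# Constructed sample package; contents are placeholders, not real firmware.
SAMPLE_FILES = {
    "u-boot.bin": b"constructed u-boot image",
    "uImage": b"constructed kernel image",
    "rootfs.img": b"constructed file system",
    "nlbpfirmware.plist": b"constructed placeholder",
}
SAMPLE_MANIFEST = plistlib.dumps(
    {n: hashlib.sha256(d).hexdigest() for n, d in SAMPLE_FILES.items()}
)
```
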
Things Done the Right Way™
- Firmware signing using PKCS7
- Pinned Nest certificates for firmware verification
- All critical communications (any with secrets) over HTTPS
  - Other less secure ones over HTTP (firmware, weather)
Things Done the Wrong Way™
- Firmware links downloaded using HTTP and download links do not expire
- Hardware backdoor left for anyone with a USB port to use
- Automatic updates
User Privacy
- Log Files
  - Internally stored and uploaded to Nest
  - Contents
- User Interface
  - Users are unaware of the contents of the log files
  - Users cannot turn off this option
- User network credentials are stored … in plain text!
- Users should be allowed to opt-out of the data collection?
Log Files
Processor and boot
Hardware Analysis
- TI Sitara AM3703
- ARM Cortex-A8 core
  - Version 7 ISA
  - JazelleX Java accelerator and media extensions
  - ARM NEON core SIMD coprocessor
- DMA controller
- HS USB controller
- General Purpose Memory Controller to handle flash
- SDRAM memory scheduler and controller
- 112KB on-chip ROM (boot code)
- 64KB on-chip SRAM
- Configurable boot options
Boot Process
1. Root ROM starts execution
2. ROM initializes basic subsystems
3. ROM copies X-Loader to SRAM
4. X-Loader executes
5. X-Loader initializes SDRAM
6. X-Loader copies U-boot to SDRAM
7. U-boot executes
8. U-boot configures environment
9. U-boot executes Linux kernel
10. Userland loaded
Boot Process
1. Root ROM starts execution
2. ROM initializes basic subsystems
3. ROM reads X-Loader from USB
4. X-Loader executes
5. X-Loader initializes SDRAM
6. X-Loader copies U-boot to SDRAM
7. U-boot executes
8. U-boot configures environment
9. U-boot executes Linux kernel
10. Userland loaded
Device Initialization
- Boot Configuration read from sys_boot[5:0]
- Selected boot configurations

| sys_boot[5:0] | First | Second | Third | Fourth | Fifth |
|---|---|---|---|---|---|
| 001101 | XIP | USB | UART3 | MMC1 | |
| 001110 | XIPwait | DOC | USB | UART3 | MMC1 |
| 001111 | NAND | USB | UART3 | MMC1 | |
| 101101 | USB | UART3 | MMC1 | XIP | |
| 101110 | USB | UART3 | MMC1 | XIPwait | DOC |
| 101111 | USB | UART3 | MMC1 | NAND | |
Device Programming
- Boot configuration pins 4..0 are fixed in Nest’s hardware
- sys_boot[5] changes based on reset type
- Conveniently, the circuit board exposes sys_boot[5] on an unpopulated header…
Nest USB Device Descriptor
TI USB Device Descriptor
Implications
- Full control over the house
- Away detection
- Network credentials
- Zip Code
- Remote exfiltration
- Pivoting to other devices
- Unauthorized ability to access Nest account
  - We now have the OAUTH secrets
- Ability to brick the device
  - We can modify the NAND
- Persistent malware in NAND
  - X-loader bootkit in NAND
- Control over all Nest devices
The Attack
Attack
- Device Reset
  - Press the button for 10 seconds causing sys_boot[5] = 1’b1
- Inject code through the USB into memory and execute
  - Be quick!
Initial Attack
- Custom X-Loader to chainload U-Boot + initrd
- Custom U-Boot
  - Utilize existing kernel
  - Load our ramdisk (initrd)
- Ramdisk
  - Mount Nest’s filesystem and write at will
  - Arbitrary, scriptable, code execution
- Netcat already comes with the Nest
Refining a Backdoor
- Rebuild toolchain
- Cross-compile dropbear (SSH server)
- Add user accounts and groups
- Reset root password
Linux Kernel Modification
- A custom Linux kernel
  - Custom logo
  - Debugging capabilities (kgdb)
  - Polling on OMAP serial ports
Demo
Double-Edged Sword
- Positive View
  - The backdoor provides legitimate users a way to opt out of uploading log files
- Negative View
  - The backdoor may be maliciously exploited
- A Relief to Nest Labs
  - The backdoor needs physical access to the device (although remote attack is under investigation)
A Solution – Chain of Trust
- Code Authentication
  - Processor must authenticate the first stage bootloader before it is run
  - Use public key cryptography
- Userland protection
  - Only execute signed binaries
  - Filesystem encryption
- Processor-DRAM channel protection
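The chain of trust proposed on this slide, as an added sketch (not code from the presentation): a model of the ROM walking the 101111 boot order from the table, first unauthenticated as the slides describe and then with every stage pinned to the next. It uses pinned SHA-256 digests in place of the public-key signatures the slide calls for; the image layout, function names and the skip-on-mismatch behaviour are assumptions.

```python
import hashlib

# Boot order for sys_boot[5:0] = 101111, taken from the table on the slides.
BOOT_ORDER = ("USB", "UART3", "MMC1", "NAND")
PIN_LEN = hashlib.sha256().digest_size  # 32 bytes

def sha256(data):
    return hashlib.sha256(data).digest()

def make_stage(body, next_image=None):
    """Constructed image layout: body, then the SHA-256 of the next stage."""
    return body + (sha256(next_image) if next_image is not None else bytes(PIN_LEN))

def rom_select(devices, rom_pin):
    """ROM stage: walk BOOT_ORDER and pick the first-stage loader to run.

    rom_pin=None models the unauthenticated ROM from the slides (first image
    found wins). With a pin, a non-matching image is skipped, not executed.
    """
    for dev in BOOT_ORDER:
        image = devices.get(dev)
        if image is not None and (rom_pin is None or sha256(image) == rom_pin):
            return dev, image
    return None, None

def boot(devices, later_stages, rom_pin):
    """Return the names of the stages that actually execute, in order."""
    dev, current = rom_select(devices, rom_pin)
    if current is None:
        return []  # nothing trusted to run: halt
    executed = ["x-loader@" + dev]
    for name, image in later_stages:
        # Each verified stage carries the pin for the stage it hands off to.
        if rom_pin is not None and sha256(image) != current[-PIN_LEN:]:
            break
        executed.append(name)
        current = image
    return executed

# Constructed sample images (placeholders, not real firmware).
KERNEL = make_stage(b"kernel-image")
UBOOT = make_stage(b"u-boot-image", KERNEL)
XLOADER = make_stage(b"x-loader-image", UBOOT)
ROM_PIN = sha256(XLOADER)  # would live in on-chip ROM or fuses
STAGES = [("u-boot", UBOOT), ("kernel", KERNEL)]
```

With the pin in place, an unrecognised loader offered over USB is passed over and the device boots its own X-Loader from NAND; a modified U-Boot stops the chain after the first stage.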
How to Apply This Knowledge
- Identify whether your product shares vulnerabilities with these examples.
- Build security strategy and implement NOW, don’t wait.
- Explore 3rd party validation and other ways to leverage proven security measures.
- Regardless of form factor, focus on the data.
- And of course, as a user, quarantine WiFi access for each of your IoT devices.