How Smart Thermostats Have Made Us Vulnerable
Download as PPTX, PDF1 like514 views
The document discusses security vulnerabilities in smart home thermostats like the Nest Thermostat. It describes how the thermostats can be hacked by exploiting weaknesses in their hardware, software, and firmware. Specifically, it shows how accessing a device's USB port allows injecting custom code to gain full control over the thermostat and access user data and accounts. The talk urges manufacturers to implement stronger authentication of code and encryption to protect smart home devices and data.
![#RSAC
Boot Configuration read from sys_boot[5:0]
Device Initialization
Selected boot configurations
sys_boot [5:0] First Second Third Fourth Fifth
001101
001110
001111
XIP
XIPwait
NAND
USB
DOC
USB
UART3
USB
UART3
MMC1
UART3
MMC1
MMC1
101101
101110
101111
USB
USB
USB
UART3
UART3
UART3
MMC1
MMC1
MMC1
XIP
XIPwait
NAND
DOC](https://image.slidesharecdn.com/rsac2015safelogicfinal-150625160140-lva1-app6891/85/How-Smart-Thermostats-Have-Made-Us-Vulnerable-29-320.jpg)
![#RSAC
Boot configuration pins 4..0 are fixed
in Nest’s hardware
sys_boot[5] is changes based on reset type
Conveiently, circuit board exposes sys_boot[5] on an unpopulated
header…
Device Programming](https://image.slidesharecdn.com/rsac2015safelogicfinal-150625160140-lva1-app6891/85/How-Smart-Thermostats-Have-Made-Us-Vulnerable-30-320.jpg)
![#RSAC
Device Reset
Press the button for 10 seconds causing sys_boot[5] = 1’b1
Inject code through the USB into memory and execute
Be quick!
Attack](https://image.slidesharecdn.com/rsac2015safelogicfinal-150625160140-lva1-app6891/85/How-Smart-Thermostats-Have-Made-Us-Vulnerable-36-320.jpg)
How Smart Thermostats Have Made Us Vulnerable
- 1. #RSAC SESSION ID: Ray Potter Yier Jin Don't Touch That Dial: How Smart Thermostats Have Made Us Vulnerable HT-W04 Assistant Professor University of Central Florida @jinyier CEO SafeLogic @SafeLogic_Ray
- 2. #RSAC The threat is real Connected convenience comes with risk Challenges What’s at Stake Flow
- 3. #RSAC Pattern recognition Identity theft Corporate espionage Life What’s at Stake
- 5. #RSAC Nest Labs founded by Tony Fadell Debuted in October 2011 Acquired by Google in January 2014 ($3.2B) Over 40,000 sold each month Data from GigaOM as of January 2013 Available in UK in April 2014 Smart home API is released in June 2014 Nest Thermostat
- 6. #RSAC “Yes, hacking is in our thoughts. When you're talking about the home, these are very private things. We thought about what people could do if they got access to your data. We have bank-level security, we encrypt updates, and we have an internal hacker team testing the security. It's very, very private and it has to be, because it'll never take off if people don't trust it.” - Tony Fadell
- 8. #RSAC “Display” board Graphics/UI, Networking Chips: ARM Cortex A8 app processor USB OTG RAM/Flash (2Gb) ZigBee/WiFi Radios Proximity Sensors UART test points (silenced at bootloader) Front Plate Courtesy of iFixit
- 9. #RSAC Hooks up to AC/Heating system. Charges battery via engineering wizardry Chips: Independent ARM Cortex M3 Temp and Humidity Sensor Communications Front to Back – UART NEST Weave (802.15.4) USB MSD (FW update) “Backplate” and Comms Courtesy of iFixit
- 11. #RSAC Runs on a Linux based platform Handles interfacing between device and Nest Cloud services Automatically handles firmware updates Manual update available Plug Nest into PC Handled as a storage device Copy firmware to drive Reboot Nest Client Nest
- 12. #RSAC Nest Firmware Signed firmware Manifest.plist Hashes contents Manifest.p7s Compressed but not encrypted or obfuscated Includes – U-boot image – Linux Kernel image – File system – nlbpfirmware.plist
- 13. #RSAC Firmware signing using PKCS7 Pinned Nest certificates for firmware verification All critical communications (any with secrets) over HTTPS Other less secure ones over HTTP (firmware, weather) Things Done the Right Way™
- 14. #RSAC Firmware links downloaded using HTTP and download links do not expire Hardware backdoor left for anyone with a USB port to use Automatic updates Things Done the Wrong Way™
- 15. #RSAC Log Files Internally stored and uploaded to Nest Contents User Interface Users are unaware of the contents of the log files Users cannot turn off this option User network credentials are stored … in plain text! Users should be allowed to opt-out of the data collection? User Privacy
- 16. #RSAC Log Files
- 18. #RSAC TI Sitara AM3703 ARM Cortex-A8 core Version 7 ISA JazelleX Java accelerator and media extensions ARM NEON core SIMD coprocessor DMA controller HS USB controller General Purpose Memory Controller to handle flash SDRAM memory scheduler and controller 112KB on-chip ROM (boot code) 64KB on-chip SRAM Configurable boot options Hardware Analysis
- 19. #RSAC
- 20. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM copies X-Loader to SRAM X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
- 21. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
- 22. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
- 23. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
- 24. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
- 25. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
- 26. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
- 27. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
- 28. #RSAC Boot Process Root ROM starts execution ROM initializes basic subsystems ROM reads X-Loader from USB X-Loader executes X-Loader initializes SDRAM Userland loaded U-boot executes Linux kernel U-boot configures environment U-boot executes X-Loader copies U-boot to SDRAM
- 29. #RSAC Boot Configuration read from sys_boot[5:0] Device Initialization Selected boot configurations sys_boot [5:0] First Second Third Fourth Fifth 001101 001110 001111 XIP XIPwait NAND USB DOC USB UART3 USB UART3 MMC1 UART3 MMC1 MMC1 101101 101110 101111 USB USB USB UART3 UART3 UART3 MMC1 MMC1 MMC1 XIP XIPwait NAND DOC
- 30. #RSAC Boot configuration pins 4..0 are fixed in Nest’s hardware sys_boot[5] is changes based on reset type Conveiently, circuit board exposes sys_boot[5] on an unpopulated header… Device Programming
- 31. #RSAC Nest USB Device Descriptor
- 32. #RSAC TI USB Device Descriptor
- 33. #RSAC Full control over the house Away detection Network credentials Zip Code Remote exfiltration Pivoting to other devices Implications
- 34. #RSAC Unauthorized ability to access Nest account We now have the OAUTH secrets Ability to brick the device We can modify the NAND Persistent malware in NAND X-loader bootkit in NAND Control over all Nest devices
- 35. #RSAC The Attack
- 36. #RSAC Device Reset Press the button for 10 seconds causing sys_boot[5] = 1’b1 Inject code through the USB into memory and execute Be quick! Attack
- 37. #RSAC Custom X-Loader to chainload U-Boot + initrd Custom U-Boot Utilize existing kernel Load our ramdisk (initrd) Ramdisk Mount Nest’s filesystem and write at will Arbitrary, scriptable, code execution Netcat already comes with the Nest Initial Attack
- 38. #RSAC Rebuild toolchain Cross-compile dropbear (SSH server) Add user accounts and groups Reset root password Refining a Backdoor
- 39. #RSAC A custom Linux kernel Custom logo Debugging capabilities (kgdb) Polling on OMAP serial ports Linux Kernel Modification
- 40. #RSAC Demo
- 41. #RSAC Positive View The backdoor provide legitimate users to opt-out of uploading logs files Negative View The backdoor may be maliciously exploited A Relief to Nest Labs The backdoor needs physical access to the device (although remote attack is under investigation) Double-Edged Sword
- 42. #RSAC Code Authentication Processor must authenticate the first stage bootloader before it is run Use public key cryptography Userland protection Only execute signed binaries Filesystem encryption Processor-DRAM channel protection A Solution – Chain of Trust
- 43. #RSAC How to Apply This Knowledge 47 Identify whether your product shares vulnerabilities with these examples. Build security strategy and implement NOW, don’t wait. Explore 3rd party validation and other ways to leverage proven security measures. Regardless of form factor, focus on the data. And of course, as a user, quarantine WiFi access for each of your IoT devices.
Editor's Notes
- #3: Sales data according to
- #4: Sales data according to
- #5: Health Corporate Manufacturing Retail Transportation Utilities Consumer
- #6: Sales data according to
- #8: Mention that Nest Labs definitely takes security seriously. Let this talk show that even the best of the designers can make mistakes.
- #11: Front plate uses ttyO2 to talk to the back plate. Show live hardware and demonstrate some of its functions.
- #13: This smart device may be too smart for its own good. Firmware does everything for the user. Attacking the firmware will result in greater damages to the user.
- #14: Nlbpfirmware.plist is an XML document which contains among other things base64 encoded data (firmware image for backplate). Tool to flash firmware is included in the device’s filesystem.
- #15: Firmware is downloaded using HTTP
- #17: Usage statistics System logs Nest software logs (Zip Code, device settings, wired option)
- #31: Boot configurations are read by ROM code and latched into CONTROL.CONTROL_STATUS register. Pins can be used for anything afterwards.
- #43: Other findings: Nest attempts to start a secure shell server of its own, no binaries found. SSH server keys are on device and unique to each unit.
- #45: Boot device, use netcat as payload. Have small shell to target computer.