The debate over whether the sort of omniscient internet of things device like the Next thermostat is good or evil is still being argued.
Nest/Google argues that sending it all that information will help reduce carbon monoxide in homes, manage the cost of heating, cooling and electricity use, which saves on bills and improves the environment. Skeptics are concerned about how the 32MB of data the device sends out a month (according to the researchers who've studied it) will be used by whoever has access to it.
As the lyrics of that song imply, there is not necessarily one answer that will satisfy everyone with an opinion on the issue. But from the standpoint of corporate design, ownership and oversight, the fact that enterprising technicians are learning to hack these systems in order to give consumers added features they may want is a sign that there is a growing market not so much for privacy, but for more individual say in how these devices can and should work. JL
Kashmir Hill reports in Forbes:
Over a month-long period, the researchers’ device sent 32 MB worth of information to Nest, including temperature data, at-rest settings, and self-entered information about the home, such as how big it is and the year it was built
Those with Nests in their nests have a smart thermostat that learns about their behavior over time for more efficientheating and cooling ; if you’re never home in the afternoons, it knows that’s a good time to switch to low energy mode. It’s become one of the most successful members of the Internet-of-Things club, leading Google to pay $3.2 billion in cash to acquire the company earlier this year, and leading security researchers to poke around to see how hackable the device is. “When you have a biginstall base, you have a target on you,” says co-founder Matt Rogers.
No one has hacked the Nest remotely but a few hackers have found ways to break into the system when they have physical access to the device. First these dudes, and now a group of researchers from the University of Central Florida led by engineering professor Yier Jin who tore the Nest apart and found that they could take control of the Nest system while it’s booting up, allowing them to secretly siphon data and install malware that could botify the Nest. “The software is obviously designed with security in mind, but the hardware has problems,” says Orlando Arias, a UCF senior. While data about people’s energy use is not super sexy spy stuff, it does reveal living patterns. They plan to present their Nest teardown at August security conference Black Hat – Nest Thermostat: A Smart Spy In Your Home — and have also uploaded a video to YouTube of UCFstudent Grant Hernandez doing a “hack unboxing.”
But the team says the security flaw may have a privacy upside. Like so many connecteddevices , Nest devices regularly report back to the Nest mothership with usage data. Over a month-long period, the researchers’ device sent 32 MB worth of information to Nest, including temperature data, at-rest settings, and self-entered information about the home, such as how big it is and the year it was built. “The Nest doesn’t give us an option to turn that off or on. They say they’re not going to use that data or share it with Google, but why don’t they give the option to turn it off?” says Jin.
Their hack is essentially ajailbreak of the device – though they hesitate to use that term – allowing for new programs to be written onto the system, so they wrote a program to prevent data from being sent back to Nest, without otherwise interfering with Nest’s functionality. After their presentation at Black Hat in Las Vegas, they plan to release the tool to Nest users who are paranoid about corporate access to their data. “Using this vulnerability, we can patch the Nest from sending that data to Nest servers. There was no performance impact whatsoever on the unit we tested this on,” said Arias. In a white paper accompanying their presentation, they say the Internet of Things — with its connected devices tying users to companies that can monitor them — means consumers may need to “hack our own purchased devices in order to protect our own privacy and to add features manufacturers do not include.”
“We’re trying to make [the Nest tool] easy to install and make it easy to turn that data collection on and off,” says Jin. “But it’s a fine line to tinker with these devices. Most manufacturers say it will void the warranty.”
Nest cofounder Matt Rogers was understandably skeptical about such a tool. He says Nest users can turn off the device’s Wi-Fi access to stop data from being sent to Nest, but they lose the ability to operate it remotely, get automaticsoftware updates , and energy reports. “One of the advantages of being connected is that when things like Heartbleed come up, we can immediately push down a fix,” he said. “What people want to do with their hardware is up to them. But this is their heating and cooling and their smoke alarms and you want our secure software on it. Just like when you jailbreak a phone, all bets are off.”
Rogers reiterated that Nest doesn’t share data with Google, but says Nest does benefit from the company’s security expertise – expertise jailbroken devices would miss out on. Nest has its own security engineers, and undergoes external audits and has Google doing checks. “They’re the best security team in the world, but they only found a few bugs,” he said.
When devices are jailbroken, Nest can tell, says Rogers, because Nest’s software is signed. It can see when researchers are playing around with the operating systems though Rogers says only “a very small number of devices are doing weird things.”
I asked why Nest doesn’t have an option to turn off data sharing. Rogers says it hasn’t been a big request from users. “There’s a very small vocal minority who don’t want us to have that data,” he says. “We give them a lot of value from that data.” He says that the company improves its algorithms – and saves customers money – by being able to analyze behaviors from many different homes.
And there are societal benefits, he says. “With our smoke detectors, we found that there’s way more carbon monoxide in homes that anyone realized. We can take that info to regulators,” he says. “The biggest carbon monoxide survey that ever happened before was hundreds of homes; we have thousands.”
As for the vulnerability that allows someone to hack the device if they have physical access to it, Rogers was sanguine, as that’s basically the case with any computing device. If someone gets access to your smartphone or laptop, you’re similarly pwned.
Jin says he was impressed with Nest’s security overall. “Nest keeps security in mind, but still, they should do more,” he said, hoping the company will take a possible security solution his team proposes — letting only signed programs execute on the kernel and encrypting the file system — into consideration. Of course, if Nest does, and it works, his team’s “privacy-enhancing” Nest tool wouldn’t work.