GOOGLE'S NEST THERMOSTAT has been rooted by hackers at the Black Hat Conference in Las Vegas.
In a demonstration that the team has replicated on YouTube, Daniel Buentello from the University of Central Florida shows how he is able to gain root access and remote control over a Nest thermostat via USB in 15 seconds.
The smart thermostat maker, which was bought by Google earlier this year for $3.2bn, has been made the focal point of the "Works with Nest" programme, an Internet of Things initiative that allows a growing number of household appliances to interact.
Speaking to the conference, Buentello pointed out, "This is a computer that the user can't put an antivirus on. Worse yet, there's a secret back door that a bad person could use and stay there forever. It's a literal fly on the wall."
While The INQUIRER does not condone Buentello's use of the word "literal", he made a valid point. If this is the hub device of our automated home, then a rogue element could leave us in the realms of dystopian sci-fi.
To illustrate the point, Buentello's demonstration changed the display of the Nest to an image of HAL, the killer computer from 2001, with the message, "I know that you and Frank were planning to disconnect me, and I am afraid that is something I cannot allow to happen."
A statement from Zoz Cuccias of Nest given to VentureBeat does little to quell the concern, as it turns into a sales pitch. "All hardware devices - from laptops to smartphones - are susceptible to jailbreaking; this is not a unique problem. This is a physical jailbreak requiring physical access to the Nest Learning Thermostat. If someone managed to get in your home and had their choice, chances are they would install their own devices, or take the jewellery."
He went on to suggest, "One of your best defenses is to buy a Dropcam Pro so you can monitor your home when you're not there."
By sheer coincidence, Dropcam was purchased by Nest in June and is part of the "Works with Nest" programme, making it potentially susceptible to malware from a hacked Nest thermostat. µ