While doing security research dealing with IOT devices and home security, I decided to look into smart thermostats.  While Googles Nest series of IOT devices seem to have the greatest security built into them it appears that the Google Nest Thermostat has a security vulnerability.  In this day in age even the big companies like Google, Amazon, Samsung, etc.… still have vulnerabilities in their so called “Smart” devices.  Even though these big companies still sometimes overlook a vulnerability in their IOT devices, purchasing a device from a big company is probably the consumers best bet in getting the best security tested device.  Google is not a newcomer into the world of security, and they seem to do a very good job of releasing secure devices into the world but the war dealing with computer security is a never-ending battle and sometimes hackers even get one over on Google.  I am a big fan of Google and what they do in the technological world and I have many Google devices powering my home.  Fortunately, I do not have the Google Nest Thermostat and I don’t know if I will ever wind up getting a Smart thermostat anyway.  In this document I will go over what the Google Nest Thermostat is, how this vulnerability can be taken advantage of, and what Google is doing, or the user can do to prevent becoming victim to this vulnerability.

         The Google Nest Thermostat is a smart thermostat that is part of Googles line of IOT devices.  The capabilities of this thermostat are built in WIFI, a temperature sensor, a humidity sensor, 24-bit color display, and is available in 5 different languages (Google, 2020).  If you would like to buy one of these smart thermostats it will cost about $249.00.  Google states on their web site that this thermostat is compatible with 95% of heating and cooling systems.  This thermostats operating system is Linux based and has menus for switching from heating to cooling, access to device settings, energy history, and scheduling (Wikipedia, 2020).  Since its first appearance in the market, it has been given many security updates and to get an update it requires two factor authentications.  This thermostat connects to all other Nest devices through a protocol called Weave that is done over WIFI.

         The vulnerability on the Google Nest thermostat is taken advantage of by connecting to it by the USB port with a flash drive and while holding the power button for 10 seconds a person can inject malicious software into the devices (Wagenseil, 2014).  This malicious software can be of any type mainly botnets or spying software.  Note that to achieve gaining access to this vulnerability the malicious user has to have physical access to the device.  This type of hack was demonstrated by three security researchers at a Blackhat conference on August 7, 2014.  The three researchers’ names were Yier Jin, Grant Hernandez, and Daniel Buentello (Wagenseil, 2014).  The nest thermostat appears to have very good security when it comes to wireless communications, but the USB is quite insecure.  The nest devices know much of a user’s private information like if they are home or not, their postal code, usernames and passwords.  Since it knows this type of information, this vulnerability could be very dangerous if the right hacker gains access to it.  The malicious software injected into the nest thermostat can also be used to gain access to other devices on the network which could be done using an ARP(Address Resolution Protocol) tool (Tilley, 2015).

         The Nest company is trying to become the biggest name in home connected devices.  The company’s founder says that they have a team in place to test for vulnerabilities and that they do extensive testing on all of their devices.  I am sure that after this vulnerability was found out that the Nest company has pushed an update of some sort to patch the device.  The Nest company has also stated that if a hacker has physical access to a device no matter what device it is, that they can potentially hack the device.  To prevent becoming a victim of this type of attack I think the user should always be aware of who they let inside their home.  Since physical access to the device is necessary to exploit this vulnerability, like some other devices I have researched, being aware of who is in your home is a big thing.  The user should always make sure that all of their IOT devices are up to date with the latest security patches.  The reason that the Nest thermostat allows a person to connect with a flash USB and load software onto it is so the firmware can be manually updated.  I guess the Nest company did not see this as a great threat.

         To conclude I would like to state that I like the Google Nest Company.  I think that they are on a solid path to becoming the most used IOT home devices.  I like how all of their devices work together on the same network and I think that the company itself takes great pride in their security practices.  This hack may possibly be an example of something that could be inevitable in the process of designing an IOT device.  Maybe Nest is right that any device can be hacked if a malicious user has physical access to it.  I personally do not have a smart thermostat because I only change the temperature on mine about twice a year, but I love the idea of having your thermostat become smart so that if you are away on vacation or something like that you can control the temperature of your home from far away.

Works Cited

Google. (2020, April 9). Nest Thermostat Specifications. Retrieved from store.google.com: https://store.google.com/us/product/nest_learning_thermostat_3rd_gen_specs

Tilley, A. (2015, March 6). How Hackers Could Use A Nest Thermostat As An Entry Point Into Your Home. Retrieved from forbes.com: https://www.forbes.com/sites/aarontilley/2015/03/06/nest-thermostat-hack-home-network/#788408d39864

Wagenseil, P. (2014, August 7). Nest Smart Thermostat Can Be Hacked to Spy on Owners. Retrieved from tomsguide.com: https://www.tomsguide.com/us/nest-spying-hack,news-19290.html

Wikipedia. (2020, April 9). Nest Learning Thermostat. Retrieved from wikipedia.org: https://en.wikipedia.org/wiki/Nest_Learning_Thermostat#Hardware

Researching security vulnerabilities in IOT devices, specifically dealing with the issue of home security I decided to look into garage door openers.  I came across this article that says there is a man who has developed a way to crack the code of the ordinary garage door.  This kind of hack could be disastrous to a homeowner because it lets a malicious user gain access to many houses that have an entrance to their house through the garage.  There is not just one garage door opener that is susceptible to this hack, many garage doors are.  I personally would not want anyone to be able to open my garage door and gain access to my house and with the knowledge of this research I am going to look into the brand and the garage door opener that I have to make sure that this vulnerability is not able to be done on my garage door.  Many people have these garage door openers that are susceptible to this hack and they may need to upgrade their garage door to prevent being a victim of this attack.  There are actually two kinds of codes that can be cracked by this security researcher’s method, the first one was discovered earlier than the other because the later is more difficult to hack.  These two kinds of codes are called “fixed code” and “rolling code” and there are many garage door openers that use these kinds of codes to allow access to your garage and possibly your house.  In this document I will go over what garage door openers are susceptible to this attack, how the attack is implemented, and what a user can do to prevent being a victim of this type of attack.

There are many brands of garage door openers that are susceptible to this hack.  Some of them include Nortek, NorthShore, Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic (Kamkar).  The attack was designed by Samy Kamkar and he states that only garage doors with fixed code entry systems are vulnerable to this attack although he has also developed a hack for garage doors with the rolling code entry systems.  Samy Kamkar has presented his rolling code hack for garage doors at DEFCON 23.  The difference between fixed code and rolling code is that the fixed code system uses the same two-character code every time to open the door and rolling code changes the two-character code every time the garage door is opened.  There are other kinds of systems that use hopping codes, Security+, or Intellicode and Samy Kamkar says that these doors may be safer from this kind of hack but they are not foolproof (Kamkar).  Wired.com has requested comment from companies like Nortek and Genie but they didn’t respond at first about the vulnerability and then posted on their website it is stated that they use rolling codes (Greenberg, 2015).  Later on, after Kamkar figured out how to hack fixed code systems he also found out how to hack rolling code systems.  The owners of the Liftmaster brand of garage door openers stated that they have not used fixed code systems since 1992 but Kamkar looked into a manual from a 2007 version and said he found that it uses a fixed code system (Greenberg, 2015).

         Samy Kamkar has posted the code that he used to crack the fixed code systems and the code that he used to crack the rolling code systems, but he intentionally sabotaged the code that he posted so malicious users would have a tough time getting the code to work.  To crack the codes Kamkar uses brute force to find the right code for each door.  The doors that he tested use at most 12 bits which is 4096 possible combinations (Greenberg, 2015).  Using a brute force technique to crack the code for these garage doors would take about 29 minutes but Kamkar improved it by taking out wait periods between trying generated codes, removing redundant transmissions, and optimization that allows transmission of overlapped codes (Greenberg, 2015).  With all of the optimizations that Kamkar has put into his code, he reduced the time of using brute force to crack the individual codes from 29 minutes down to 8 seconds (Kamkar).  Kamkar says you need to be an expert in RF signals and microcontrollers to be able to fix the code that he has posted on GitHub and use it.  Using brute force to crack a code usually takes a very long time to do because the algorithm tries every possible combination to find the right code.  I think it is quite the feat that Kamkar got the brute force algorithm down to only 8 seconds to find the code from the original 29 minutes.

         Preventing the ability to become victim to this kind of attack would require the user to actually completely change out their garage door opener.  Since the time of this discovery by Samy Kamkar, garage door opener manufacturers or designers should have made design decisions to implement greater security measures into their products.  This is not an example of poor security design by garage door companies because these garage doors were out for a very long time before the ability to hack into them became present.  It is and example of how fast technology is evolving and the need for greater security implementation grows with the technology.  These vulnerable garage door openers were tested with this hack using two-character codes, maybe companies will adopt a secure code encryption with like SHA1 or something like that.

         To conclude I would like to state that garage doors openers are just one of the many IOT devices in a person’s home today.  This number of IOT devices in a user’s home is increasing day by day.  More and more people are turning to the convenience of IOT devices.  Security vulnerabilities are a common thing with home IOT devices and companies need to ramp up their testing of security.  I think it is clear that the companies that allow these vulnerabilities to be present in their devices are going to lose more business and actually the whole business may go bankrupt as a result.  I think if a company is going to build an IOT device for use in a person’s home that there should be security testing guidelines and a certification for the product they are building so the end user knows exactly what they can expect from a security standpoint of their product.

Works Cited

Greenberg, A. (2015, June 4). This Hacked Kids’ Toy Opens Garage Doors in Seconds. Retrieved from wired.com: https://www.wired.com/2015/06/hacked-kids-toy-opens-garage-doors-seconds/

Kamkar, S. (n.d.). Open Sesame. Retrieved from samy.pl: http://samy.pl/opensesame/

While researching security vulnerabilities in IOT devices focusing on home security, smart ovens came to mind.  I thought what could be worse than a hacker getting into a person’s smart oven and burning their house down to the ground.  It turns out that there is an exact hack of this type in a smart oven. Security involving IOT devices is an important aspect in the safety of a user’s home and I actually couldn’t believe that there is a hack that would let a malicious user turn on an oven.  Say that a user had some dish towels or something on their oven range that is flammable and then they went off to work only to come home to their house burnt to a crisp because a hacker turned on their stove while they were gone.  As I research security vulnerabilities in IOT devices it is becoming more and more clear that the companies that produce these smart home gadgets are lacking very much in security testing of their devices.  In this document I will go over what oven has this type of security vulnerability, how this type of hack is executed, and what a user can do to prevent this type of security vulnerability from burning down their house.

         The smart oven that has this security vulnerability is the AGA Range Cooker.  The vulnerability was discovered by Pen Test Partners.  These range cookers are very expensive so you would think that the company would have done extensive security testing on their appliances but that doesn’t seem to be the case.  Pen Test Partners say that they tried to disclose the vulnerability to the AGA company through Twitter and AGA blocked them.  Pen Test Partners finally got through to AGA via their technical support (LAIDLAW, 2017).  It was important for Pen Test Partners to get in contact with AGA appliance company before they disclosed the vulnerability so that there could be something done about it before the information got into the wrong hands.  Something like this allowing a malicious user the ability to burn your house down could really tarnish a company’s name. The AGA company seems very reluctant to fix this vulnerability. This oven draws a maximum of 30 amps which is enough to burn a house down.  The owners of this type of oven should know that if they have the latest model with the remote control option then there is a possibility that they could be victim of this kind of attack (Leyden, 2017).

         The hack in this smart oven is executed by an SMS that is unauthenticated and is sent from the ovens mobile application running on the user’s phone.  The oven has a SIM card that costs the user around 5 dollars a month.  The user could send a command to turn on all of the burners at once and since the SMS from the mobile application is not authenticated that means that a malicious user can perform an enumeration attack.  Enumeration is a process to establish an active connection to a target machine to discover potential attacks (Chakravartula, 2018).  Once the malicious user slowly but effectively uses enumeration to find the smart ovens phone number they can just simply send an SMS command to it.  The command would look something like this “WebtextPass,35257,Baking Oven On” (Leyden, 2017).  The enumeration attack could potentially take a while to execute because it is like a brute force attack to obtain the smart ovens phone number.  AGA is being criticized by security testers because they say that making a WIFI interface would have been cheaper and safer than using a SIM card with a phone number for every device.  It is amazing to me that AGA designed a device with a SIM card and a phone number but totally lacked when it came to security testing the device.  I don’t even know if there is a patch that could be made for a device that is controlled this way.  Maybe that is why the AGA company is reluctant to provide a fix for their vulnerable devices.

         With this vulnerability disclosed to the public, a consumer should be very cautious when buying a smart appliance from AGA.  The company probably lost a considerable amount of business because of this problem and it’s their own fault.  I’m not sure if there is anything that an owner of one of these devices can do to prevent being a victim of this attack except for just throwing away their smart stove and getting a new one from a different manufacturer.  I guess the owner of this type of smart oven can remove the SIM card and only operate their stove the old-fashioned way.  They could probably cancel the remote access option on the smart stove since they are paying a monthly plan for it anyway.  If AGA doesn’t come up with a patch to this vulnerability then the owner of the smart stove pretty much has no other option than to disable the remote-control option, otherwise risk their house being burnt down by a malicious arson with too much time on their hands.

         To conclude, I would like to state that security testing should be a major part of a producer of IOT devices software engineering process.  This is especially the case for companies that make IOT devices that operate inside a user’s home.  This smart oven is just another of the many mistakes made by companies producing these smart devices.  With the outrageous price tag that AGA is putting on their smart ovens I’m sure that consumers would appreciate some sort of security certification or something of the sort to go along with the smart device so that they can have some type of assurance that the product was produced correctly with a substantial amount of security vulnerability testing done.

Works Cited

Chakravartula, R. (2018, February 28). What is Enumeration? Retrieved from resources.infosecinstitute.com: https://resources.infosecinstitute.com/what-is-enumeration/#gref

LAIDLAW, J. (2017, April 20). HALF BAKED IOT STOVE COULD BE USED AS A REMOTE CONTROLLED ARSON DEVICE. Retrieved from hackaday.com: https://hackaday.com/2017/04/20/half-baked-iot-stove-could-be-used-as-a-remote-controlled-arson-device/

Leyden, J. (2017, Aprin 13). Half-baked security: Hackers can hijack your smart Aga oven ‘with a text message’. Retrieved from theregister.co.uk: https://www.theregister.co.uk/2017/04/13/aga_oven_iot_insecurity/