Exploiting Nest Thermostats
"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."
This page will be dedicated to exploiting the Nest Thermostat.
All software versions of the Nest Thermostat are affected by this root package. NestAttack utilizes a manufacturer loading method built into the CPU that cannot be patched by software.
How it works
The attack is all played out within the Nest's DFU mode, which is briefly mentioned above. This mode allows a user to push a set of images and addresses to be loaded through the device's USB port with a utility called "omap3_loader". DFU mode is only intended as a catalyst to load the next stages of code, the first of which in our case is the x-loader binary.

X-loader is a stage 1 boot-loader that is used on the Nest as the initial loading point for the system. X-loader handles getting the device ready to execute the second stage boot-loader, which is responsible for loading up the Linux kernel. On the Nest, the second stage boot-loader is an open-source piece of software widely used on embedded devices known as "U-Boot". We use our own custom modified version of U-Boot, based on the GPL-released Nest version, to boot a Linux kernel.

This Linux kernel is only used to access the Nest's file system and add a cross-compiled SSH server called Dropbear. This allows a user to connect to their Nest and obtain root access on their thermostat.

After installing the SSH server, we move on to adding an sh script which checks the Nest's virtual disk every 10 minutes for 2 files: a "host.txt", which contains a username and host in the "username@ipaddress" format, and a "key.txt", which contains the RSA key for the SSH connection. If these files are found, the device connects out to a remote attacker at the address specified in the "host.txt" file and makes a reverse SSH connection. This allows remote access to a user's thermostat and home network, bypassing most firewalls. This process can be stopped at any time by placing an empty file with the name "stop.txt" within the root of the Nest's virtual USB disk.
- Download package (Supports: Linux (Linux/OSX version in progress)).
- Extract package.
- Run the appropriate attack script depending on your OS. Follow instructions after executing.
When the script above runs, there are two ways to access root: the reverse SSH root that is set up, which is described below, and a normal SSH server running on port 22.
The default credentials for your device are:
- Username: root
- Password: gtvh4ckr
Please change your password promptly upon rooting!
SSH Reverse Tunnel
The root has an SSH reverse tunnel "backdoor" set up as a PoC. This can be triggered with special files placed in the Nest's mass storage device.
- "host.txt" - contains a username and host of the machine the Nest will be connecting to with SSH.
- "key.txt" - contains a Dropbear SSH key. It's important to note that this is a Dropbear-formatted key, which can be created by using the dropbearconvert binary on the Nest.
- "stop.txt" - this file stops the remote connection process from functioning until another "host.txt" or "key.txt" file is placed on the Nest.
Connection re-attempts are made at 10-minute intervals. Once a connection is made, the Nest can be accessed with the following command.
"ssh -p 2223 root@localhost"
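A way to audit a mounted Nest mass storage volume for the trigger files described above, as an added example that is not part of the original page or the NestAttack package. The function name, the state labels and the sample directory contents are assumptions made for illustration; only the three file names and the "username@ipaddress" format come from the page.

```python
from pathlib import Path
import re
import tempfile

# Trigger file names come from the page; everything else here is illustrative.
TRIGGERS = ("host.txt", "key.txt", "stop.txt")
HOST_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>[^@\s]+)$")

def audit_nest_volume(root):
    """Inspect the root of a mounted Nest USB disk for reverse-tunnel triggers."""
    root = Path(root)
    present = {name: (root / name).is_file() for name in TRIGGERS}
    report = {"present": present, "endpoint": None, "state": "clean", "notes": []}

    if present["host.txt"]:
        text = (root / "host.txt").read_text(errors="replace").strip()
        m = HOST_RE.match(text)
        if m:
            report["endpoint"] = (m["user"], m["host"])
        else:
            report["notes"].append("host.txt is not in username@ipaddress form")
    if present["key.txt"] and (root / "key.txt").stat().st_size == 0:
        report["notes"].append("key.txt is empty")

    # Assumption: precedence of stop.txt over the other files is inferred from
    # the page's description, not read from the device-side script.
    if present["stop.txt"]:
        report["state"] = "stopped"
    elif present["host.txt"] and present["key.txt"]:
        report["state"] = "armed"
    elif present["host.txt"] or present["key.txt"]:
        report["state"] = "incomplete"
    if present["host.txt"] or present["key.txt"]:
        report["notes"].append("tunnel material on disk: treat as a finding")
    return report

def demo():
    """Run the audit over a constructed directory standing in for the disk."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "host.txt").write_text("auditor@192.0.2.10\n")  # constructed
        (Path(d) / "key.txt").write_text("constructed-placeholder-key\n")
        armed = audit_nest_volume(d)
        (Path(d) / "stop.txt").touch()
        stopped = audit_nest_volume(d)
    return armed, stopped

if __name__ == "__main__":
    for r in demo():
        print(r["state"], r["endpoint"], r["notes"])
```

Point `audit_nest_volume` at the directory where the thermostat's USB disk is mounted; the endpoint it reports from "host.txt" is the address to look for in outbound SSH traffic from the device.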
Below is a video of the root being run, and SSH installed on a Nest Thermostat
- If your device does not boot into DFU mode, unplug and retry. At times the code transfer can hang. In this scenario, it is best to retry the installation.
You can contact us on IRC (Freenode #Exploiteers) or on Twitter @Exploiteers.