Exploiting Nest Thermostats
"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."
This page will be dedicated to exploiting the Nest Thermostat.
All software versions of the Nest Thermostat are affected by this root package. This is because it utilizes a recovery method built into the CPU that cannot be patched by software.
Rooting Your Nest
The attack takes place entirely within the Nest's DFU mode, which is briefly mentioned above. This mode allows a user to push a set of images and addresses to be loaded through the device's USB port with a utility called "omap3_loader". DFU mode is only intended as a catalyst to load the next stages of code, the first of which in our case is the x-loader binary.
X-loader is a stage 1 boot-loader that is used on the Nest as the initial loading point for the system. It gets the device ready to execute the second stage boot-loader, which is responsible for loading the Linux kernel. On the Nest, the second stage boot-loader is "U-Boot", an open source piece of software widely used on embedded devices. We use our own custom modified version of U-Boot, based on the GPL released Nest version, to boot a Linux kernel.
This Linux kernel is only used to access the Nest's file system and add a cross compiled SSH server called Dropbear. This allows a user to connect to their Nest and obtain root access on their thermostat.
After installing the SSH server, we add a shell script which checks the Nest's virtual disk every 10 minutes for 2 files: a "host.txt", which contains a username and host in the "user@host" format, and a "key.txt", which contains the RSA key for the SSH connection. If these files are found, the device connects out to a remote attacker at the address specified in the "host.txt" file and makes a reverse SSH connection. This allows remote access to a user's thermostat and home network, bypassing most firewalls. This process can be stopped at any time by placing an empty file with the name "stop.txt" within the root of the Nest's virtual USB disk.
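To check a thermostat's virtual USB disk for the trigger files described above, here is an added example (not part of the GTVHacker package). The mount point passed in, the case-insensitive file name matching and the sample values in `demo()` are assumptions.

```python
import re
import tempfile
from pathlib import Path

# File names come from the page; matching them case-insensitively is an
# assumption (the page does not name the virtual disk's filesystem).
TRIGGERS = ("host.txt", "key.txt")
KILL_SWITCH = "stop.txt"
USER_AT_HOST = re.compile(r"^[^@\s]+@[^@\s]+$")


def audit_nest_disk(mount_point):
    """Classify the root of a mounted Nest virtual disk (hypothetical path)."""
    root = Path(mount_point)
    names = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    found = [n for n in TRIGGERS if n in names]
    target = None
    if "host.txt" in names:
        tok = names["host.txt"].read_text(errors="replace").split()
        target = tok[0] if tok and USER_AT_HOST.match(tok[0]) else None
    if KILL_SWITCH in names:
        status = "stopped"   # stop.txt halts the periodic check
    elif len(found) == len(TRIGGERS):
        status = "armed"     # both files present: reverse SSH would fire
    elif found:
        status = "partial"
    else:
        status = "clean"
    return {"status": status, "found": found, "target": target}


def demo():
    """Audit a temp directory standing in for the disk (constructed data)."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        results.append(audit_nest_disk(d)["status"])
        (Path(d) / "HOST.TXT").write_text("operator@203.0.113.10\n")
        results.append(audit_nest_disk(d)["status"])
        (Path(d) / "key.txt").write_text("constructed placeholder\n")
        results.append(audit_nest_disk(d))
        (Path(d) / KILL_SWITCH).touch()
        results.append(audit_nest_disk(d)["status"])
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

This inspects only the virtual disk; it does not show whether Dropbear or the polling script has been installed on the device itself.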
- Download package (Supports: Linux (Linux/OSX version in progress)).
- Extract package.
- Run the appropriate attack script depending on your OS.
- Follow instructions after executing.
- Enjoy.
Below is a video of the root being run, and SSH installed on a Nest Thermostat
- If your device does not boot into DFU mode, unplug and retry. At times the code transfer can hang. In this scenario, it is best to retry the installation.
You can contact us on IRC (Freenode #GTVHacker) or on Twitter @GTVHacker.