The “Internet of Things” (IoT to the cognoscenti) has been around for a while, but is gaining prominence now as almost every technology-based product that can be integrated with Internet access is in fact being integrated for Internet access. The reasons for doing this are not always compelling…but ‘smart home’ tech has been around for decades (remember the X-10 home automation standard?).
One of the hot items today is the Nest Thermostat. The Nest controller’s claim to fame is that it learns what your home’s temperature profile should be, and then programs itself so you don’t have to figure out the seven-day, four-period, three-exceptions, hold-mode only on Tuesday button-pushing interface of the typical programmable thermostat. So now a lot of people have installed these things in their wired nests.
Conveniently, you can connect your Nest controller via WiFi and get at it from anywhere through the Nest management web site. Naturally, the Nest logon asks for a working email address as the userid. We all know plenty of those, especially those found in the big email credential breaches. Better yet, if you have a specific target in mind, you can see if the victim’s email is compromised using “Have I Been Pwned?”, which will indicate if that email appeared in a data breach posted to PasteBin, Slexy, et al. With a good username in hand, a brute-force attack, or a retry of previously-used credentials, is ready to go against the Nest administration login page. A cursory test of the sign-on page indicates that you can make unlimited attempts against the same username, as quickly and as often as you like. Good news for hackers, but bad news for those of you who own Nests.
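The control that paragraph finds missing is per-username throttling of failed logins. The sketch below is an added example, not Nest's code and not from the original post; the class name, thresholds and return strings are assumptions chosen for illustration.

```python
import time

class LoginThrottle:
    """Per-username failed-login throttle with exponential backoff (illustrative)."""

    def __init__(self, free_attempts=5, base_delay=2.0, max_delay=900.0,
                 reset_after=3600.0, clock=time.monotonic):
        self.free_attempts = free_attempts  # failures allowed before any delay
        self.base_delay = base_delay        # first lockout, in seconds
        self.max_delay = max_delay          # cap on a single lockout
        self.reset_after = reset_after      # quiet period that clears the counter
        self.clock = clock
        self._state = {}  # normalized username -> [failures, last_failure, locked_until]

    def retry_after(self, username):
        """Seconds until the next attempt for this username will be evaluated."""
        rec = self._state.get(username.strip().lower())
        return 0.0 if rec is None else max(0.0, rec[2] - self.clock())

    def attempt(self, username, verify):
        """Return 'ok', 'denied' or 'throttled'.

        verify() performs the real password check. It is not called while the
        username is locked, so even a correct guess gains nothing during lockout.
        """
        key = username.strip().lower()  # same account regardless of letter case
        now = self.clock()
        rec = self._state.get(key)
        if rec and now - rec[1] > self.reset_after:
            del self._state[key]        # long quiet period: forget old failures
            rec = None
        if rec and now < rec[2]:
            return "throttled"
        if verify():
            self._state.pop(key, None)  # success clears the failure history
            return "ok"
        failures = (rec[0] if rec else 0) + 1
        over = failures - self.free_attempts
        # Each failure past the free allowance doubles the wait, up to max_delay.
        delay = min(self.base_delay * 2 ** (over - 1), self.max_delay) if over > 0 else 0.0
        self._state[key] = [failures, now, now + delay]
        return "denied"
```

Keying on the username alone lets anyone who knows the address lock the owner out for a while, so in practice this is paired with per-source limits and a second factor.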
Once you have gained access to a Nest thermostat, what can you do? Not much, or maybe a lot… it depends on the time of year and geographic location of the house. In a test with a friend of mine last winter, I was able to 0wn his thermostat, lock him out, and set his heater to “Off” in January when the outside daily highs were running around 20 degrees F. Imminent pipe-burst, and thousands in damage. Fortunately it was just a test, but it illustrates the major impacts possible when IoT devices get hacked (especially in industrial installations since expected loss = possible damage × probability). It’s not just bits and bytes that get fouled up, or information moving around; real things can be damaged by poor security of IoT devices and related management applications running on the public Internet.
p.s. Worst Case Scenario: Back in 2001 down under in Sydney, a ‘disgruntled person’ who happened to work for the sewage control system vendor hacked the sewage controllers of the city, and flooded large sections of the city and a Hyatt hotel with millions of gallons of raw sewage. The perpetrator was arrested, convicted, and jailed for two years.