Digging Deeper Into Nest Security

Bob Shaker's compelling "Consider Security Before Building Your Nest" blog post got me thinking about Internet of Things (IoT) security. In case you've been on the moon, earlier this month Google announced the acquisition of home automation company Nest Labs for $3.2 billion, thrusting the Internet of Things into the spotlight. According to Gartner the Internet of Things will include 26 billion devices by 2020. 26 billion! Attackers are likely salivating over such an incredible number of devices just waiting to be hacked. So let's ride the trending wave and consider Nest Labs, a representative sample of Internet of Things technology.

Nest Labs currently offers two lines of smart home devices: thermostats and smoke / carbon monoxide detectors. Nest devices include super cool self-learning capabilities and convenient remote administration facilities through a web interface and Android / iPhone mobile applications. But what about security? As Bob pointed out, you certainly need to consider security before stashing eggs in your Nest. So what could happen if malicious attackers took control of your Nest devices through that handy dandy web interface? Very. Bad. Things.

For example, attackers with access to your Nest Learning Thermostat could simply turn off your heat. Today in Chicago the temperature is -16 Fahrenheit. That's not the wind chill, mind you, but the temperature. That's freaky cold. If attackers turned off the heat in your trendy Chicago loft the pipes would freeze in short order, resulting in property damage and expensive repairs. A more profitable avenue of attack is robbery. Attackers could infer when you're home based on your Nest Learning Thermostat settings and Auto-Away status. After quickly building a profile attackers would know exactly when you're not home, and therefore would know exactly the best time to rob your trendy loft. But what about your home security system? I would be shocked if Nest doesn't offer a learning home security system in the coming years. So no problem there, attackers could simply disable your home security system through that handy dandy web interface.

What other Nest smart home device vulnerabilities might be lurking in the coming years? Well that depends on what new product lines Google introduces into the Nest portfolio. Nest has been surprisingly quiet regarding future product direction. However, last year Nest announced a developer API that allows third party developers to interface with the Nest Learning Thermostat. If this developer API is any indication of things to come, the possibilities will be endless. Let's brainstorm a few prospects, some of which Nest has already suggested:

• Smart window blinds? Attackers could open your blinds and become technologically savvy Peeping Toms. Hopefully your mom won't stumble across the raunchy video that the attackers upload to the Internet.
• Smart washing machines and dryers? Attacker could turn up the heat and shrink your favorite clubbing shirt. Yup, the black one with that fierce dragon and snazzy blue flames. Ouch.
• Smart refrigerators and freezers? Attackers could turn up the heat and spoil your Kobe Filet Mignon. Takeout, anybody?
• Smart aquariums? Attackers could turn up the heat and fry your poor tropical fish Arnold Schwarzefisher. Sushi, anybody?
• Smart toasters? You remember the infamous USB Toaster, don't you? Well I hope you like your toast burnt to a scorched black crisp!

Privacy considerations are another issue altogether. Google has promised that Googlefying your Nest data will be 100% opt-in, but how hard would it be to bury the requisite opt-in clause within a terms of service form that 99% of us do not even pretend to read? And let's not even think about what might happen in the future when Nest devices interface directly with your brain. Researchers are currently "miniaturizing single electrode devices that can be placed in your hair and read electrical activity from the brain through a technology called electroencephalography." You thought Google stockpiled a lot of data before? Well monitoring your Internet searches (through Google.com), browsing habits (through Chrome browsers), and smartphone usage (through Android devices) pale in comparison to the privacy ramifications if Google could monitor your brain! And will bidirectional communication with the brain eventually be possible? I for one do not want Google to hack my brain!

So with all of these potential dangers lurking in the shadows, the most important question is simple. Are the Nest web interface and mobile applications secure? First I must state that I did not in any way conduct any type of penetration test against the Nest web interface. However, I can comment on certain design choices that Nest deliberately selected in order to make the web interface as user-friendly as possible. These design choices were conscientious decisions and therefore do not fall under the responsible vulnerability disclosure process:

• The Nest login form does not explicitly disable the "AUTOCOMPLETE" attribute for the username and password parameters. Consequently, attackers with subsequent workstation access could compromise stored Nest authentication credentials.
• The Nest login page does not enforce an effective account lockout mechanism. Users can successfully login after 100 failed login attempts. Consequently, attackers can launch brute force horizontal passwordguessing attacks.
• The Nest password policy is weak. Passwords are only required to be six characters in length, and password complexity requirement are not enforced. Consequently, attackers can also launch vertical passwordguessing attacks.
• The Nest web interface does not include the "X-Frame-Options" header. Consequently, attackers can launch clickjacking attacks.
• Like virtually all online authentication mechanisms, the Nest web interface is susceptible to phishing (and spear phishing) attacks.

A user-friendly web interface is important, but a secure web interface is even more important. So what should Google do? First and foremost, Google should strengthen the security of the existing Nest web interface and mobile applications. For example, the following solutions would address the security concerns listed above:

• Explicitly disable form autocomplete. Set the "AUTOCOMPLETE" attribute to "OFF" for the username and password parameters on the Nest login form.
• Enforce an effective account lockout mechanism. For example, lock Nest accounts for 20 minutes after three failed login attempts within a 30-minute window.
• Institute a strong password policy with sufficient password length and complexity requirements For example, require Nest passwords to be eight characters in length and contain at least one uppercase letter, lowercase letter, number, and special character.
• Prevent clickjacking attacks against the Nest web interface. Set the "X-FRAME-OPTIONS" header to "DENY" or "SAMEORIGIN".
• Educate Nest users regarding phishing and other essential security considerations.

Google has a golden opportunity in their hands, and could very well cultivate Nest into a powerful and profitable line of ingenious products. However, security must be designed into each and every Nest product blueprint. Otherwise your eggs could get cracked, and Google could end up with a whole lot of egg on their face. Let's wrap things up with one last interesting tidbit. Every page within the Nest web interface includes a ridiculously oversized Nest Labs logo hidden within the HTML comments:

<!--  Copyright 2013 by Nest Labs, Inc.  All rights reserved.

                               ####
                             ########
                           ############
                         ################
                       ####################     #######
                     ########################   #######
                   ############################ #######
                 ######################################
               ########################################
             ##########################################
           #############################################
         #################################################
       #####################################################
     #########################################################
   ############################################################
 ######## ####################     #################### #########
   ####   ###############               ###############   #####
    #     ############                    #############     #
          ###########                       ###########
          ##########          #####          ##########
          #########         #########         #########
          ########         ###########        #########
          ########        #############        ########
          ########        #############        ########
          ########        #############        ########
          ########        #############        ########
          ########        #############        ########
          ########        #############        ########
          ########        #############        ########                 -->

Less the copyright information, that's 1,621 extraneous bytes transmitted within every page of the Nest web interface. Google is known for minimizing page size and load speed by removing extraneous content whenever possible, even going so far as to strip spaces and newline characters. Take a look at the page source of Google.com to see what I mean. I would be shocked if Google does not eliminate or at least shrink this ridiculously oversized Nest Labs logo. However, with critical security and privacy considerations hanging in the balance, right now Google certainly has bigger fish to fry (hopefully on a smart stovetop).