Monday, June 23, 2014

Nest Learning Thermostat has its security cracked open by GTVHacker

The future lies in the balance


While we wait for Google I/O (which starts tomorrow) to find out what will become of the company's TV platform, a team that we've seen bust open the padlocks on Google TV, Chromecast and Roku has a new target. GTVHacker just revealed an exploit for the (now Google-owned, and owner of Dropcam) Nest Learning Thermostat. It could let owners do new and interesting things (like replace the Nest software entirely) but of course, someone with bad intentions could take it in another direction: monitor whether the owner is home via its motion detector, sniff network traffic, or just crank up the temperature a few degrees -- all without even opening the device. Interested in how the hack works? Check after the break for more details and a video, and if you're headed to DEFCON in August, the team has a demonstration planned that's oh-so-comfortingly titled "Hack All the Things."


[Image credit: gpshead/Flickr]



So how is it done? The GTVHacker exploit is loaded through Nest's own pathway for loading software; it then runs its own boot-loader and adds an SSH server with root access. In layman's terms, it sneaks in like a legitimate update but opens a backdoor that gives whoever put it there complete control, potentially without the device's owner being aware that anything has changed. A more detailed account of how it works is on the GTVHacker blog, but the team has already packaged the tool as a one-click root + installer that works from Linux (available for download here, Windows version coming soon), so all it takes to run the tool is a PC and a USB cable. If you see any of your guests loitering in the living room with a laptop and a cord, that's just one more thing to worry about.





Source: GTVHacker Blog

