EvanAnderson 2 days ago

> ...looks like they reverse-engineered the nest thermostat and wrote a firmware...

Not to diminish what this project has done, but they modified existing firmware to make it communicate with a different server. They've also implemented a server for the thermostat API.

It's pretty neat but, at this point, it's just a hacked firmware that talks to a different proprietary server.

Edit: It's not even a modification to the firmware binaries. They're just injecting /etc/hosts entries into the firmware[0]. If the Nest device just uses DNS to resolve these names then you wouldn't even need to modify the firmware-- just point it at a DNS server that's authoritative for the necessary names.

[0] https://github.com/codykociemba/NoLongerEvil-Thermostat/issu...

forgotusername6 2 days ago | parent | next [-]

Does it not use TLS? Wouldn't the Nest have to trust a CA willing to issue certificates without proving ownership?

EvanAnderson 2 days ago | parent [-]

They're also injecting a CA bundle so, presumably, they're including their own root of trust so they can sign their own certificate. I'm on mobile and can't easily look at what they're including.

Edit: Guess I've got openssl in my termux environment. They're injecting a fake Nest root CA key. Makes sense.

I'm shocked it was this easy to subvert the root of trust on these devices. I would expect a newer device would have the trust root pinned in hardware (TPM, etc) and firmware updates would have been authenticated.
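Two of the redirection points raised in this post and the parent (the /etc/hosts entries injected into the firmware, and the extra root CA dropped into the CA bundle) are exactly what a defender looks for when checking a firmware image for a swapped trust anchor. The following is an added example, not code from the thread or from the NoLongerEvil project: a stdlib-only Python audit that parses a hosts file and flags vendor hostnames statically mapped to an address outside an allowed set, and fingerprints every PEM certificate in a CA bundle against an allowlist taken from a known-good image. The vendor domain, the LAN address and the PEM payloads are constructed placeholders.

```python
"""Audit a firmware root filesystem for two redirection techniques named in
the thread: vendor hostnames overridden in /etc/hosts, and root CAs injected
into the device's trust bundle. Constructed example, not the project's code;
the hostnames, addresses and PEM payloads below are placeholders."""
import base64
import hashlib
import ipaddress
import re

# Vendor domains whose resolution the device should never override locally
# (constructed placeholder suffix, not a real vendor domain).
VENDOR_SUFFIXES = ("vendor-cloud.example",)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(bundle_text):
    """SHA-256 fingerprint (hex) of the DER bytes of each PEM block in a bundle."""
    fps = []
    for match in PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def unexpected_roots(bundle_text, pinned):
    """Fingerprints present in the shipped bundle but absent from the allowlist."""
    return [fp for fp in pem_fingerprints(bundle_text) if fp not in pinned]


def parse_hosts(hosts_text):
    """(ip, hostname) pairs from an /etc/hosts file; comments and junk skipped."""
    entries = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not a valid address, ignore the line
        entries.extend((str(addr), name.lower()) for name in fields[1:])
    return entries


def hosts_overrides(hosts_text, vendor_suffixes, allowed_ips=()):
    """Vendor hostnames statically mapped to an address outside the allowed set."""
    hits = []
    for addr, name in parse_hosts(hosts_text):
        is_vendor = any(name == s or name.endswith("." + s) for s in vendor_suffixes)
        if is_vendor and addr not in allowed_ips:
            hits.append((name, addr))
    return hits


def audit_firmware(hosts_text, bundle_text, pinned, vendor_suffixes=VENDOR_SUFFIXES):
    """Run both checks over one firmware image and return the findings."""
    return {
        "hosts_overrides": hosts_overrides(hosts_text, vendor_suffixes),
        "unexpected_roots": unexpected_roots(bundle_text, pinned),
    }


# --- constructed sample data -------------------------------------------------
def _pem(b64_payload):
    return f"-----BEGIN CERTIFICATE-----\n{b64_payload}\n-----END CERTIFICATE-----\n"


# Placeholder DER payloads (base64 of short strings, not real certificates):
# fingerprint pinning only needs the bytes, not a parseable X.509 structure.
KNOWN_GOOD_BUNDLE = _pem("dmVuZG9yLXJvb3QtMQ==") + _pem("dmVuZG9yLXJvb3QtMg==")
INJECTED_ROOT_PEM = _pem("aW5qZWN0ZWQtcm9vdA==")
PINNED = frozenset(pem_fingerprints(KNOWN_GOOD_BUNDLE))  # allowlist from a clean image

FIRMWARE_BUNDLE = KNOWN_GOOD_BUNDLE + INJECTED_ROOT_PEM  # bundle with one extra root
FIRMWARE_HOSTS = """\
127.0.0.1   localhost
# constructed: vendor endpoints redirected to a LAN server
192.168.1.50  frontdoor.vendor-cloud.example api.vendor-cloud.example
"""

if __name__ == "__main__":
    findings = audit_firmware(FIRMWARE_HOSTS, FIRMWARE_BUNDLE, PINNED)
    for kind, items in findings.items():
        print(f"{kind}: {items if items else 'none'}")
```

Run against a real extracted image, the allowlist would come from fingerprinting the bundle of a firmware you already trust, and the hosts check would carry the vendor's actual hostnames; a hit on either check means the device's trust decisions are being made by whoever controls that file rather than by the vendor's PKI or DNS.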

gruez 2 days ago | parent | next [-]

>I would expect a newer device would have the trust root pinned in hardware (TPM, etc) and firmware updates would have been authenticated.

All those things cost money in hardware or development time, so companies basically never bother. You're probably also letting all the stories about DRM on phones or whatever color your experience on IoT as a whole. TPM basically makes no sense to implement on anything that's not a PC. Not even phones use it.

subscribed 2 days ago | parent [-]

Secure phones use it. iPhones (Secure Enclave), Pixels (Titan M2).... Yeah, that's not much....

gruez a day ago | parent [-]

"TPM" =/= Secure Enclave =/= Titan M2

You could argue TPM can work as a generic term for security coprocessors, but on a technical forum that makes as much sense as saying the pixel tablet is an "iPad".

EvanAnderson a day ago | parent [-]

To be fair, I was using TPM a little generically (hence the "etc"). I (perhaps wrongly) assume most SoCs today have a non-volatile area for storing roots of trust and possibly a bootloader. My only embedded experience was an Android-based tablet project where DRM on the firmware was of major import because features were locked behind time/geo-limited license keys.

tracker1 2 days ago | parent | prev [-]

I'm glad they didn't go that far... I wouldn't want that to get into a home device as long as it requires physical access to bypass/update the security in place. I'm really not a fan of excessively locked down hardware.

EvanAnderson a day ago | parent | prev [-]

Piling on to my comment here: They're using an exploit to get access to the filesystem of the device: https://wiki.exploitee.rs/index.php/Exploiting_Nest_Thermost...