Nest Root Attack | Tech Talk Today 14

Google announces its own domain name management service, the Internet of Things has arrived, and it’s already been hacked. We’ll chat about the Nest thermostat’s rooting, Google buying Dropcam and more.

Show Notes:

— Headlines —

Google Begins Testing Domain Registrations

When Google Domains launches to the public, you’ll be able to buy and sell domains through the service. Unlike some other domain registration offerings, Google won’t charge you extra to register your domain privately. You’ll be able to create up to 100 email addresses on the domain and as many as 100 customized sub-domains. Google Domains will also use the company’s own DNS servers, so visitors should get a snappy response time when they hit up your site.

GTV Hacker » Google Nest: Exploiting DFU For Root

Today, popular Google TV hacking site GTV Hacker announces it has hacked the device to enable the booting of unsigned code. If you own a Nest, hackers could have a backdoor into your home.

The exploit leverages the device’s DFU mode to boot unsigned code at the boot-loader level.

The attack on the Nest thermostat is simple: we use the device’s recovery mode to run our own modified boot-loader (stage one and two). We then use our loaded boot-loaders to initiate a Linux kernel that is used to modify the file system on the Nest. We then add an SSH server running as root as well as functionality to create a reverse SSH tunnel to a specified host using the Nest’s virtual drive.

They found this “feature” back in November 2013, and mentioned it publicly on December 5th, 2013 (see this tweet). Initially, we planned on releasing our findings at a conference this summer (along with new root methods for the Chromecast and Roku), but our talk was declined. Their loss!

They will, however, be speaking this year at DEF CON 22! Our talk, entitled Hack All The Things: 20 Devices in 45 Minutes, will feature unreleased exploits for 20 devices being released in a 45 minute period. If you are in Las Vegas this August, make sure to stop in!

If you are a Nest user, I probably wouldn’t panic yet. It seems the hacker would need physical access to the device, which limits the risk. However, a devious person could exploit it while in your home and then control it remotely later. Hopefully Google can release an update to make the thermostat more secure and block the exploit.

Nest Labs Joins Race to Define Platform for the Internet of Things

Last Friday, Nest moved to broaden its reach in the home, buying a fast-growing maker of Internet-connected video cameras, DropCam, for $555 million. And on Tuesday, Nest is expected to announce a software strategy backed by manufacturing partners and a venture fund from Google Ventures and Kleiner Perkins Caufield & Byers.

Whirlpool and Nest, Mr. Dibkey said, have worked together for more than a year to develop a few applications. One allows a Whirlpool clothes dryer and a Nest thermostat to work together to conserve energy and save money. The thermostat detects a local utility’s peak load times, when electricity is most expensive. It sends a signal to the dryer to run on a cooler, slower drying cycle at those times.

In a Jawbone application, the company’s activity-monitoring wristband detects when a person gets up on a winter morning. It then sends a message to the Nest thermostat, telling it to heat up the house.

Nest’s Internet of Things strategy will be backed by the Thoughtful Things Fund, a venture capital fund created by Google Ventures and Kleiner Perkins.

Google I/O 2014

How to Watch Google I/O 2014 Keynote Livestream

Google I/O 2014 runs from June 25 to 26. If you are interested in watching the Google I/O 2014 keynote as a livestream, you have a couple of options.
