Wednesday, October 2, 2013

Reverse Engineering the NEST Thermostat - Part 1

Earlier this year I glanced over the teardown of the NEST smart thermostat. This was before I had even purchased one. One of the things that stood out was the inclusion of zigbee hardware that was never mentioned in any official NEST documentation. Why would they not advertise this? I figured this was for some future unannounced product integration. I ended up buying a couple of thermostats anyway. Months later I heard about a new feature that integrated with select energy providers to save you money. At that point I knew something must be going on with the zigbee hardware. Energy providers have been known to employ zigbee-equipped smart meters. This made sense: let the devices talk via zigbee while the user used the WiFi radio. Still, no word from NEST on the zigbee functionality. In fact, NEST has declined to comment several times (here is the most requested inquiry that was left unanswered). Even after releasing a web API last week, they made sure to "say nothing about that ZigBee radio that has been sitting dormant in Nest since day 1". Was the zigbee radio even on? What kind of security scheme is it using to protect itself from malicious individuals? How would you feel buying a device broadcasting a rogue wireless signal? Now what if that device controlled a very dangerous piece of equipment like your air conditioning system? Or worse, what if that device also knew when you were home and was allowing outsiders to see this data? With the speculation of a new product announcement, I hope they will at least acknowledge the existence of the zigbee radio and hopefully shed more light on its mechanics.

Regardless, I started reverse engineering it. Some of my goals are:

1. Is the zigbee radio on?
2. What security mechanisms does it employ to protect the air conditioning system from being overloaded and potentially causing physical damage?
3. How does it protect the data about my habits, such as when I am home, from being viewed by malicious entities?

Below you will find the first part of that journey. It is composed chronologically, starting with a general overview and transitioning into the reverse engineering of the design of both its hardware and software. I chose a video format as visuals are critical, at least initially. I plan to follow up with a technical written account of the second half.

*DISCLAIMER* I am not accusing NEST of any intentional wrongdoing. I enjoyed taking apart their product as well as using it. In fact I own and utilize 2 NEST thermostats daily. I just would like for them to disclose more information about its inner workings. All opinions on my blog and in the video are my own. Thank you.

Happy Hacking,

Daniel B.

UPDATE 10/8/2013: NEST has officially announced a new product aiming to replace the common smoke detector. What's really interesting is how it works with their existing thermostat. Hmm...at least they made a mention about its 802.15.4 radio.


4 comments:

  1. You should search for the FCC-ID at http://transition.fcc.gov/oet/ea/fccid/

    This will (by law) detail all the radios and give nice internal photos/etc.

  2. Awesome work,

    Have you had any luck turning on the zigbee radio yet?

  3. Nice analysis so far! When can we expect to see "part 2"?

    Are you 'in' yet? (console access/etc)

    I just got a Nest last night. I've been digging into the firmware to see if I can find any 'holes' in the firmware update process (this Nest is really being used at my house - I don't want to tear it apart/possibly break it :) ).

    I'd be interested in any updates you have.

    - Paul
