In a recent article on security researcher Matt Smith’s website, the Globe and Mail noted that the smart home alarm system is “often used by many home users.”
The article then highlighted the fact that home alarm monitoring systems are also susceptible to attack, including those built into smart home products.
In fact, Smith’s article noted that, “an attacker could gain access to any of the home-based smart home monitoring systems, including the Nest thermostat, the Amazon Echo, the Nest Light and other smart devices.”
Smith explained that, while he was unable to prove that the home alarms he found vulnerable were specifically connected to the internet, he did point out that these home alarm control systems are likely to be vulnerable to a wide range of remote attacks, including botnet-style attacks and remote desktop attacks.
Smith, who also developed a security research tool, said he discovered that, in his case, his home security system had a “bug in it” that could be exploited to launch remote attacks against the system.
A Nest spokesperson told The Globe and Post that the Nest Protect smart home security systems are not vulnerable to remote hacking, and that Nest has implemented an update to the Nest Home Security Suite to ensure that it is “always secure.”
The Nest spokesperson also noted that they are working with Smith to ensure the security of the software.
The security researchers wrote that “the problem in Nest’s Nest Protect software is that it uses a simple, but insecure method of signing users, allowing any unauthorized user to run arbitrary code in the Nest Nest Protect application and potentially access the Nest’s network.”
According to Smith, this vulnerability could be “used to launch attacks against Nest’s system.”
He also noted the possibility that, for example, an attacker could use a browser vulnerability in Nest to hijack an incoming email.
“The attacker could then install malware that would send the email to a malicious destination,” Smith wrote.
Smith noted that he has also seen several reports of hackers successfully accessing Nest’s security software, and he noted that this could also be done remotely through a browser, allowing an attacker to “access any of Nest’s connected home alarm sensors and possibly gain access remotely to the device’s network or network interface.”
In an emailed statement to The Globe, Nest spokesperson Julie Leder said that the company is working with security researchers “to address this vulnerability in the security software.”
“As soon as this vulnerability is patched, we will be rolling out the updated Nest Protect products to address this issue.
In the meantime, we strongly recommend that users upgrade their Nest products to the latest version,” the spokesperson added.
While it is important to note that the vulnerability is not widespread, Smith noted in his article that he is working on a security audit of Nest security software and that the problem could affect a large number of smart home devices.
In a statement to the Globe, Smith said that, although the issue has not yet been publicly disclosed, the issue is likely related to Nest’s smart home software, which he noted is “a critical component” of smart homes.
Smith wrote that he “believes that Nest’s software, as well as the products that it supports, have been vulnerable to some kind of remote code execution attack.”