I’m doing some research, driven by recent groundswells of some awesome security activity focused on so-called “smart meters.” Specifically, I am interested in the emerging interconnectedness, consumerization and prevalence of more generic smart devices and home automation systems and what that means from a security, privacy and safety perspective.
I jokingly referred to something like this way back in 2007…who knew it would be more reality than fiction.
You may think this is interesting. You may think this is overhyped and boorish. You may even think this is cuckoo…
Speaking of which, back to the title of the blog…
Brood parasitism is defined as:
A method of reproduction seen in birds that involves the laying of eggs in the nests of other birds. The eggs are left under the parantal care of the host parents. Brood parasitism may be occur between species (interspecific) or within a species (intraspecific) [About.com]
A great example is that of the female european Cuckoo which lays an egg that mimics that of a host species. After hatching, the young Cuckcoo may actually dispose of the host egg by shoving it out of the nest with a genetically-engineered physical adaptation — a depression in its back. One hatched, the forced-adoptive parent birds, tricked into thinking the hatchling is legitimate, cares for the imposter that may actually grow larger than they, and then struggle to keep up with its care and feeding.
What does this have to do with “smart device” security?
I’m a huge fan of my NEST thermostat. It’s a fantastic device which, using self-learning concepts, manages the heating and cooling of my house. It does so by understanding how my family and I utilize the controls over time doing so in combination with knowing when we’re at home or we’re away. It communicates with and allows control over my household temperature management over the Internet. It also has an API <wink wink> It uses an ARM Cortex A8 CPU and has both Wifi and Zigbee radios <wink wink>
…so it knows how I use power. It knows how when I’m at home and when I’m not. It allows for remote, out-of-band, Internet connectivity. I uses my Wifi network to communicate. It will, I am sure, one day intercommunicate with OTHER devices on my network (which, btw, is *loaded* with other devices already)
So back to my cuckoo analog of brood parasitism and the bounty of “robbing the NEST…”
I am working on researching the potential for subverting the control plane for my NEST (amongst other devices) and using that to gain access to information regarding occupancy, usage, etc. I have some ideas for how this information might be (mis)used.
Essentially, I’m calling the tool “Cuckoo” and it’s job is that of its nest-robbing namesake — to have it fed illegitimately and outgrow its surrogate trust model to do bad things™.
This will dovetail on work that has been done in the classical “smart meter” space such as what was presented at CCC in 2011 wherein the researchers were able to do things like identify what TV show someone was watching and what capabilities like that mean to privacy and safety.
If anyone would like to join in on the fun, let me know.