Recently, the CEO announced in this letter that they were disabling the wave feature of the Nest Protect. For those who don’t know, the wave feature allows someone to turn the smoke alarm off by waving their hand. The idea is that if there is a false alarm (something burning on the stove) you can silence it without needing to climb on a chair or wave a towel.
The interesting point made in the letter from the CEO was that if your Nest was connected to the internet it would be updated to disable that feature within the next 24 hours. Hmm.. so this raises the questions of how updates are pushed and what access Nest has into these devices. I don’t recall getting a notice about the update, which is also concerning.
The first reaction to finding out the device was being auto updated was positive for me. The fact that they have a way to update this device is excellent. Many devices like smart TVs and other new ideas don’t really include updates or a way to update at all. As I started to think about it a little more I began to question how positive this is. I think there is a grey area around the idea of manual updates and automatic updates.
So the device updated itself… what could go wrong? It is not like we haven’t ever seen an update go bad for other software (Windows, AV, etc.). What happens if the update kills the device? For some reason, it no longer functions properly. Especially if I didn’t even know it updated, I wouldn’t know to go test it to make sure everything is fine. Maybe your TV getting “bricked” is a big deal because you can’t watch your favorite show on CW, but a smoke detector… What if that gets “bricked” and you don’t even know? The device you are depending on to warn you of a fire and save your life could now potentially not work anymore. Fortunately, the device runs on specific hardware with very little variance, so the chances that an update successfully tested in the lab would have issues in the field are much smaller. There is still a chance though. Of course, Nest does say to test the device weekly, so at least you would find out within a few days, depending on the release date and your test schedule.
On the flip side, we have manual updates. The user (us) has to go out and do the update. The issue here is that many people don’t understand the significance of the updates or just don’t want to deal with the hassle. If the update is really important, how do you ensure everyone actually does it?
I don’t know what the right level of participation is, and maybe it depends on the application of the device and its importance. As consumers or business users, we need to start paying more attention to our devices and the update process. When an update is available, look into applying it, or into the effects of not applying it. If the device auto-updates, the manufacturer should let you know it has updated the device, but you are then responsible for testing it to make sure it still appears to be functioning properly.
In the Nest’s case, it has a self-test feature to verify that it is working OK. Other systems may have a different way of testing. Your gaming console might stop working if something is not right. The TV may not turn on. All are signs that the update didn’t go well. As in business… know what devices you have, how they connect, and be on the lookout for updates or vulnerabilities affecting the device.
James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.