Google Nest Smart Thermostat Hacked
The Nest thermostat can be easily hacked and exploited by burglars to determine when homeowners are away.Nest

A group of researchers have demonstrated how Google's Nest 'smart' thermostats can be easily hacked using a simple trick that could be exploited to spy on homeowners.

Yier Jin and Grant Hernandez from the University of Central Florida, together with independent researcher Daniel Buentello, demonstrated the security flaw at the BlackHat security conference in Las Vegas yesterday.

By holding down the power button of the device for 10 seconds and inserting a USB flash drive, the researchers discovered that they were able to enter developer mode.

In this mode it is possible to learn everything that the thermostat knows about the owner's routine, including whether they are home or not. It is feared that this information could be sold to burglars.

Being in the developer mode could also allow hackers to form a malicious botnet to send out spam or malware to other devices.

"Entering into that mode allows you to upload your own code, your custom code, which allows you to attack existing code, implant your own and reboot normally, but maybe have something else running in the background," Hernandez said.

"We have access to the device on the highest level, and we can send stuff that Nest sends to us as well."

Google-owned Nest is yet to respond to a request from IBTimes UK for comment on this matter, however the company has previously stated that the security of its products is its "highest priority".

The device has previously been praised for its resistance to wireless hacking but less attention seems to have been paid to hacks through physical access. This could leave the door open to someone bulk-buying the devices, infecting them with malware and then reselling them to unsuspecting customers, according to Buentello.

"The software is obviously designed with security in mind," said Orlando Arias from the University of Central Florida. "However, the hardware has problems."