
Reverse-Engineering Google Nest Devices

115 points by jelveh, over 9 years ago

6 comments

Animats, over 9 years ago
Then there are the Nest cameras, reporting everything you do to Google.

"The telescreen received and transmitted simultaneously. Any sound that Winston made, above the level of a very low whisper, would be picked up by it; moreover, so long as he remained within the field of vision which the metal plate commanded, he could be seen as well as heard. There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You have to live - did live, from habit that became instinct - in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized." - "1984", Orwell

"Video and audio signals and data: When you enable the recording or streaming features of your Nest Cam, we may record and process video and/or audio recordings from the device, subject to your configuration and settings. This may include capturing and emailing to you portions of this data as part of a notification or analyzing the data to identify motion or other events. We may process information from your Nest Cam so that we can send you alerts when something happens. In addition, if you have the recording features enabled, we will capture, process and retain video and audio data recordings from your device for the duration of your recording subscription period (for example, 10 or 30 days) and you will be able to access those recordings using the Services during that time." - NestCam privacy policy, Google
pilif, over 9 years ago
> with email and plaintext password

It's totally reasonable to transmit a password in clear if it's being transmitted inside of an SSL tunnel (which it is in this case).

Most if not all techniques that would allow for not transmitting the password in a server-decryptable fashion would require the password or a password equivalent to be stored in clear on the server.

In case of a breach, that would be devastating.
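Added example, not part of the thread: the trade-off raised in the comment above, comparing a password sent inside TLS and checked against a salted slow hash with a simple HMAC challenge-response (one such technique) where the server has to keep the key itself. All function names, the PBKDF2 work factor and the sample password are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this illustration


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Scheme A: password travels inside TLS; server keeps only salt + slow hash.
def enroll_hashed(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "digest": _kdf(password, salt)}


def verify_hashed(record: dict, submitted: str) -> bool:
    return hmac.compare_digest(_kdf(submitted, record["salt"]), record["digest"])


# Scheme B: HMAC challenge-response; the password never crosses the wire,
# but the server must keep the key that answers challenges.
def enroll_challenge(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "key": _kdf(password, salt)}


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    return hmac.new(_kdf(password, salt), challenge, hashlib.sha256).digest()


def server_check(record: dict, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(record["key"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def response_from_record(record: dict, challenge: bytes) -> bytes:
    # What a leaked scheme-B record allows: a valid answer without the password.
    return hmac.new(record["key"], challenge, hashlib.sha256).digest()


def breach_comparison(password: str = "constructed-sample-pw") -> dict:
    a, b = enroll_hashed(password), enroll_challenge(password)
    challenge = os.urandom(16)
    return {
        "A_leaked_digest_logs_in": verify_hashed(a, a["digest"].hex()),
        "B_leaked_key_logs_in": server_check(b, challenge, response_from_record(b, challenge)),
    }
```

`breach_comparison()` reports that the leaked scheme-A digest does not authenticate when replayed as a password, while the leaked scheme-B key answers a fresh challenge.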
supergeek133, over 9 years ago
> you cannot operate the camera or switch your thermostat’s settings without Internet connection

This should say *remotely. I know it does in the paragraph before, but sometimes people only read bullets.

So is the complaint here I can't find out what data the device is sending back to Nest in whole? And contrary to the post, their Public API is pretty extensive.

Seems to me this is just another person with a concern around no local control/data retrieval. There is at least one other thermostat that has that.
kuschku, over 9 years ago
> […] creating a walled garden around the user’s own data is a shady move. All of my private data should be easily accessible to me through open API without any gimmicks. In its press release Nest promised introducing a public API[,] however [it] seems limited in many ways compared to the internal API used by Nest mobile app - and to add insult to injury - many of its features require an active Nest subscription.

This is exactly one reason why using "Cloud" services for long-living things, like Hardware, is a great risk.

When Google shuts down Google Reader, we can all migrate to an alternative easily.

When Google shuts down Nest, people are left with non-working thermostats, and have to spend money and rebuild their systems to continue on.

Even worse, if just the internet goes down – not that rare in areas in the US only served by one ISP which doesn’t have to fear competition – one is even left without heating.

The reaction of the people on the recent case where Nest went down itself, and people were left without heating, fits well as context for the following excerpt from "The Sorcerer's Apprentice" (1797, Johann Wolfgang von Goethe):

    Herr, die Not ist groß!      Sir, my need is sore.
    Die ich rief, die Geister    Spirits that I've called
    werd ich nun nicht los.      My commands ignore.
yalogin, over 9 years ago
I am surprised the Nest devices allow themselves to be man-in-middle'ed like this. Why are Nest devices accepting a random (valid) certificate? One would think they will only accept a valid Google certificate, signed by the Google root certificate.

Am I missing something? The article does not mention any software tampering on the device itself.
andrewpe, over 9 years ago
The Nest thermostat seems to use the firebase.com API from my research.