Is Your Thermostat A Snitch

As a general rule I’m a huge fan of technology. But even I have major reservations with the so-called Internet of things (really just adding a chip to devices that were previously analog). It’s not that the ideas themselves are bad but there isn’t enough attention being paid to the implementations, especially from a security and privacy standpoint.

The Nest thermostat is one of the more popular regular household devices with a chip added to it. What’s not to like about a thermostat that automatically adjusts the temperature in your home based on when you are and aren’t there? Besides that software bug that drained the battery and caused people’s furnaces to shutdown. And the fact the bloody thing snitches on where your house is:

Researchers at Princeton University have found that, until recently, Alphabet’s popular Nest thermostat was leaking the zip code and location of its users over the internet. This data was transmitted unencrypted, or in the clear, meaning that anyone sniffing traffic could have intercepted it, according to the researchers.

The researchers also studied several other smart devices, including the Sharx security camera, a PixStar smart photoframe, and Samsung’s SmartThings Hub. The goal of their research wasn’t to find specific bugs in these devices, but to determine what information was being leaked when the devices communicated with their servers in the cloud.

I have no idea what a thermostat would need to even know where your house is. It needs to know the temperature inside and what you want the temperature to be at so it can order your climate control system to make the two numbers be the same. But it apparently does have access to that information and the developers cared so little about the privacy of their customers that they not only failed to keep the data private but didn’t even bother encrypting it when it was sent. And this isn’t an isolated incident. The complete disregard for these kind of details is plaguing the Internet of things market.