Internet Of Unsecure Things: Nest Thermostats Caught Leaking Home Owner Zip Codes

nest thermostat 1
Nest Labs hoped to spark an Internet of Things (IoT) revolution with the introduction of the Nest Learning Thermostat. After all, many homeowners had never encountered a thermostat that was so adept at maintaining heat/cooling levels using a bevy of sensors and software magic while shutting off when you left the room and turning back on when you returned.

Nest’s achievements with its thermostat (and later, the Nest Protect) were enough to attract the attention of Google, which bought the company for $3.2 billion in 2014.

While no one expects that a Nest thermostat should be locked down as securely as say, a smartphone, you would at least assume that it wouldn’t leak out personal information of homeowners. However, two researchers from Princeton’s Center for Information Technology Policy (CITP) — Ph.D. student Sarthak Grover and fellow Roya Ensafi — discovered that Nest thermostats were actually putting out the home zip code (and as a result, the closest weather station) of its users.

Nest acknowledged that this was a bug in its thermostat software and was of course not an intentional act. And while something as innocuous as a zip code is relatively harmless in the grand scheme of (we’re not talking email addresses, home addresses, of credit card information here), lax programming could lead to even more serious privacy leaks.

Such is the case with other devices that the research team tested, including the Sharx Security Camera, PixStar Digital Photoframe and Ubi Smart Speaker. The Ubi speaker was found to be sending voice chats and sensor reading over unencrypted HTTP, while the Sharx security camera transmitted video over unencrypted FTP.

nest thermostat 2

At least in the case of the Nest thermostats, Google quickly issued a fix.

“Some devices encrypt data traffic, but encryption may not be enough,” revealed the CITP via a blog posting. The researchers’ findings also revealed some very troubling data that privacy experts have warned about as more and more home home appliances, baby monitors and security camera become “cloud aware.”

“Encryption may be a good starting point, but by itself, it appears to be insufficient for preserving user privacy.  For example, user interactions with these devices generate traffic signatures that reveal information, such as when power to an outlet has been switched on or off. It appears that simple traffic features such as traffic volume over time may be sufficient to reveal certain user activities.

“Even when the data traffic itself is encrypted, other traffic sent in the clear, such as DNS lookups, may reveal not only the presence of certain devices in your home, but likely also information about both usage and activity patterns.”

The IoT revolution represents just another attack vector for malicious parties to track your every move, even when you think that you’re safe and secure in your own home. It’s up to tech companies to secure customer data and from the looks of things, they still have a long way to go.