Researchers say thermostats leaked unencrypted user information over unsecured Wi-Fi, but Nest disagrees
Google’s Nest smart thermostats have been accused of leaking unencrypted information.
Two researchers from Princeton University alleged that post codes related to the homes of Nest users were being broadcast, unencrypted, over unsecured Wi-Fi networks, meaning that anyone passing by the house would be able to access this data fairly easily.
However, Nest says that the issue, which it says only related to the ZIP codes of local weather stations, has now been fixed. The news is the second damaging revelation about Nest in a week, following a recent bug that drained the device’s battery, leaving users with no heating.
The leak was found as part of a wide-ranging study concerning the security of connected Internet of Things devices, which discovered a number of other products, including a smart picture frame and video camera, had similar vulnerabilities.
The study, published in a report on Freedom to Tinker and presented at the recent PrivacyCon conference, alleged that the Nest leak originated from an in-built weather update service, which used the location information of the user’s home and local weather stations to display upcoming forecasts.
Sensitive information such as home addresses was already encrypted, but the data collected from local weather stations was not, leaving the latter information open to interception.
“A natural reaction to some of these findings might be that these devices should encrypt all traffic that they send and receive,” the authors wrote. “Encryption may be a good starting point, but by itself, it appears to be insufficient for preserving user privacy.”
However Nest is playing down the leak, saying that the only information revealed was the location of the local weather stations.
“The authors initially made an incorrect assumption, which we pointed out to them before they presented their report, that the response to the weather update request contains exact location of the customer’s home,” a Nest spokesperson told TechWeekEurope.
“In fact, the weather information is provided by an online weather service, and the geolocation coordinates are for their remote weather stations, not our customers’ homes. The only user information that is contained in the requests is zip code. We have reached out to the researcher to make this clarification update.”
However there are questions as to why Nest is playing down the scale of the leak, as users would surely not be entering more than one ZIP code when setting up their device.