Categories: M2MNetworks

Nest Thermostats Accused Of Leaking Information

Google’s Nest smart thermostats have been accused of leaking encrypted information.

Two researchers from Princeton University alleged that post codes related to the homes of Nest users were being broadcast, unencrypted, over unsecured Wi-Fi networks, meaning that nyone passing by the house would be able to access this data fairly easily.

However Nest says that the issue, which it says only related to the ZIP codes of local weather stations, has now been fixed, but the news the second damaging revelation about Nest in a week following a recent bug that drained the device’s battery, leaving users with no heating.


The leak was found as part of a wide-ranging study concerning the security of connected Internet of Things devices, which discovered a number of other products, including a smart picture frame and video camera, had similar vulnerabilities.

The study, published in a report on Freedom to Tinker and presented at the recent PrivacyCon conference, alleged that the Nest leak originated from an in-built weather update service, which used the location information of the user’s home and local weather stations to display upcoming forecasts.

Sensitive information such as home addresses was already encrypted, but the data collected from local weather stations was not, leaving the latter information open to interception.

“A natural reaction to some of these findings might be that these devices should encrypt all traffic that they send and receive,” the authors wrote. “Encryption may be a good starting point, but by itself, it appears to be insufficient for preserving user privacy.”


However Nest is playing down the leak, saying that the only information revealed was the location of the local weather stations.

“The authors initially made an incorrect assumption, which we pointed out to them before they presented their report, that the response to the weather update request contains exact location of the customer’s home,” a Nest spokesperson told TechWeekEurope.

“In fact, the weather information is provided by an online weather service, and the geolocation coordinates are for their remote weather stations, not our customers’ homes. The only user information that is contained in the requests is zip code. We have reached out to the researcher to make this clarification update.”

However there are questions as to why Nest is playing down the scale of the leak, as users would surely not be entering more than one ZIP code when setting up their device.

What do you know about the Internet of Things? Take our quiz!

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Recent Posts

Google Ordered To Pay $43m By Australian Court

Search engine Google fined $43 million by Australian court for tracking Android users location data…

1 day ago

Hacker Touts Data Sale Of 48.5m Users Of Covid App – Report

Personal data of 48.5 million Chinese citizens who used Shanghai's Covid App, is being offered…

1 day ago

Facebook Tests Default End-to-End Encryption For Messenger

Privacy move. Platform tests secure storage of people's chats on Messenger, in a move sure…

1 day ago

UK’s CMA Begins Probe Of Viasat Acquisition Of Inmarsat

British competition regulator the CMA, begins phase one investigation of $7.3 billion merger between Inmarsat…

2 days ago

Cisco Admits ‘Security Incident’ After Breach Of Corporate Network

Yanluowang ransomware hackers claim credit for compromise of Cisco's corporate network in May, while Cisco…

2 days ago

Google Seeks To Shame Apple Over RCS Refusal

Good luck convincing Tim. Google begins publicity campaign to pressure Aple into adopting the cross…

2 days ago