Nest, a home-automation-focused company owned by Alphabet, recently acknowledged a bug in its Learning Thermostat that leaked user location data. Setting up the thermostat requires a zip code, which is used to access local weather data. This data was sent to Nest servers completely unencrypted. While researchers from Princeton University originally thought the specific addresses of owners' homes were being passed over the web unprotected, Nest later revealed that the exposed information was only owners' zip codes, with the home addresses being encrypted and safe from devious hands.
Nest addressed the issue soon after being notified that data was being transmitted out in the open. The group of researchers also investigated several other home automation products, like Samsung's SmartThings Hub and the Sharx security camera. While the SmartThings Hub appeared secure, the researchers reported that the Sharx camera transmitted all video data unencrypted, meaning anybody could gain access to the stream and view the camera.
We have seen all sorts of leaks and vulnerabilities in home automation products in the past - even the Ring video doorbell we recently reviewed was found to be storing WiFi passwords in plain text. Thankfully, at least in the case of the Nest thermostat, not much can be extrapolated from a zip code other than general location.
Though we doubt this is the last vulnerability we will see, we are sure Nest and the others will take more care to avoid them in the future. Extreme cases, like the Sharx unencrypted video camera feed, demonstrate that all manufacturers need to take more caution regarding home automation security. As the home automation sector grows and more of these gadgets find their way into our homes, security and encryption of user data are something everybody can agree needs to be adequately addressed.
Source: Freedom to Tinker Via: Mashable