Nest thermostat leaked unencrypted zip codes, now fixed

By JC Torres/Updated: Jan. 21, 2016 5:54 pm EST

It seems that Nest is again being made into the poster boy for everything that can go wrong with Internet of Things appliances. Remember the Nest Protect smoke detector fiasco of 2014? How about the more recent case of the cold shoulder from suddenly non-working thermostats? Now researchers from Princeton University have discovered how Nest, along with some other "smart appliances" might be leaking information, like the user's ZIP code, in an easily hacked, unencrypted way, leaving users exposed and even potentially in danger.

Before you hit that panic button, Nest, which is now owned by Alphabet (Google's parent company if you haven't heard), has already addressed the issue. And before you go burning your Nest products, do know that it Isn't alone in this possible crime of complacency.

The pair of researchers actually examined a good number of appliances, including Nest, Samsung's SmartThings Hub, Ubi smart speaker, Belkin WeMo switch, just to name some. In Nest's case, the researchers found that it transmitted both the owner's location data as well as that of the weather station in an encrypted manner for plain eyes to see. Fortunately, Nest was able to address the problem, even before they were notified.

Sadly, Nest wasn't the only one, as many of those other devices were also guilty of the same crime. In fact, it could be worse, as, like in Ubi's case, those transmitted more information, like voice chats and sensor readings. Information that can be used to glean more about the user, his or her habits, and, eventually, whether they're home or not. To add insult to injury, considering how low-power these devices are, some don't even have the processing capability to encrypt that information in the first place.

Rather than a glaring fault on the part of Nest, the reseearch highlights a danger in this still small but quickly growing corpus of IoT devices, devices that don't seem to have been designed with strong security in mind. Either that or they have been sacrificed on the altar of convenience or economy. It should be a signal to OEMs and software makers to plug up the hole before it sinks the whole ship.

SOURCE: Freedom to Tinker