Nest’s announcement that it will share user data with Google as well as third-party services like Logitech and Jawbone has unsurprisingly reawakened privacy concerns, and it coincides with a new hack of the Smart Thermostat that could in theory give nefarious backdoor access. The Nest Developer Program will allow fitness wearables like UP24, Mercedes-Benz cars, and Logitech Harmony remotes to link with the thermostat, but it’s Google Now integration – and what that means for Nest’s privacy promises – that has some concerned.
Those issues arose first when Google announced it intended to acquire Nest at the start of the year. Nest insisted that it would be handing over none of the user data – including whether the thermostat had decided the house was occupied or not – to its new owners, at least not as a matter of course.
Any subsequent sharing would be on an opt-in model, not an opt-out one, Nest chief Tony Fadell said. At the time of the acquisition, Nest had no public timeline for when such a system might go live.
That point, it seems, is now. The Nest Developer Program does exactly what Fadell committed to: it lets owners of a Nest selectively turn on (or off) data sharing with other platforms, in the name of a smarter smart home.
Data shared will be limited, with Nest insisting that each company involved in the Program detail exactly what information about the user and their home is being tapped into and why. Most importantly, perhaps, Google gets no special treatment: Google Now will get the same amount of information as any other third-party firm, not blanket access to the full Nest database.
Nest’s decision to play more readily with other firms, having once been vocal in declaring the value of its independence, was inevitable perhaps, but the timing of a new exploit of the thermostat by a team of hackers could have been better. The GTV Hacker group found that a firmware update mode of the OMAP3630 processor powering the thermostat could be used to install a different bootloader, which in turn could start up an SSH server that would give remote access.
It’s worth noting that a physical connection via a USB cable is required for that first bootloader step to be completed, something Nest pointed out to Engadget in a statement:
“This is a physical jailbreak requiring physical access to the Nest Learning Thermostat. It doesn’t compromise the security of our servers or the connections to them and to the best of our knowledge, no devices have been accessed and compromised remotely.” – Nest spokesperson
If a thermostat were compromised, the exploit could be used to remotely monitor activity in the home much in the way of Nest’s official program, but without any of the safeguards or even user awareness that it was taking place. Of course, on the flip side there’s the potential for those with a mind for tinkering to use the greater underlying access to Nest’s architecture to better integrate the thermostat with their choice of home automation system.
In fact, by using the bootloader access, a completely different OS could be installed on Nest, opening the door to community-driven ROM projects that enhance the functionality of the sensor-packed gadget.