Nest was acquired by Google for $3.2 billion

Nest heating glitch and data leakage amongst smart home flaws

A report carried out by researchers from Princeton University has found some worrying privacy flaws in a number of connected devices, including the Google-owned Nest thermostat.

Sarthak Grover and Nick Feamster published their research, titled “The Internet of Unpatched Things,” to better understand the security landscape for consumer smart devices. Broadly speaking, they found that low capability hardware meant that security protocols were lacking.

A traffic analysis of the Nest thermostat found that incoming weather updates leaked user location data to a high degree of accuracy, with latitude and longitude figures displayed to within 8 decimal digits. However, Nest is far from the worst of the IoT devices when it comes to user privacy. The PixStar Digital Photoframe leaked the user email ID and user activity in plain text, while the Ubi Smart Speaker allowed malicious actors to intercept all voice chat and sensor readings.

According to the study, the fragmented nature of the Internet of Things in its present state is contributing to the security issues. The multitude of IoT manufacturers combined with a lack of industry standardisation means that it is difficult to enforce baseline security protocols.

Nest will be keen to avoid any reputational damage as a result of the report, particularly given the company’s ambitious aims in the smart home market. In an interview with Internet of Business late last year, Lionel Paillet, Nest’s general manager for Europe, emphasised that the company sees itself as much more than a smart thermostat business, instead targeting the entire connected home market.

Currently, the most pressing concern for Nest is dealing with a recently discovered software bug that has left some users without heating just as temperatures have begun to fall. The glitch drains the thermostat’s battery life, leaving the system deactivated. Although Nest has published a nine-step workaround for affected users, a software patch to resolve the issue has yet to be released.