    Nest Thermostat Leaked Zip Codes Over the Internet (Updated)

    Written by Lorenzo Franceschi-Bicchierai, Staff Writer

    A Nest thermostat (Image: Bit Boy/Flickr)

    Nest may be the poster child for the so-called Internet of Things, but as it turns out, even one of the most popular connected devices—owned by Google’s parent company Alphabet, no less—isn't free from the sorts of security flaws plaguing other smart devices.

    Researchers at Princeton University have found that, until recently, Alphabet’s popular Nest thermostat was leaking the zip codes of its users over the internet. This data was transmitted unencrypted, or in the clear, meaning that anyone sniffing traffic could have intercepted it, according to the researchers.

    The researchers also studied several other smart devices, including the Sharx security camera, a PixStar smart photoframe, and Samsung’s SmartThings Hub. The goal of their research wasn’t to find specific bugs in these devices, but to determine what information was being leaked when the devices communicated with their servers in the cloud.

    Sarthak Grover, a PhD student at the Center for Information Technology Policy (CITP) at Princeton, and fellow Roya Ensafi reached out to Nest to report the bug, and said that the company “promptly” fixed it. The researchers did not disclose whether they reached out to other companies as well.

    Grover presented some of his and Ensafi’s findings during a conference put together by the Federal Trade Commission last week in Washington, D.C.

    Of the devices studied by the Princeton researchers, most leaked at least some kind of private information, meaning that anyone who can sniff traffic travelling over the internet “may be able to find out what you’re currently doing inside your home,” said Grover during the conference.

    Apart from the Nest, the researchers found that the Sharx security camera transmits video feeds in the clear, allowing pretty much anyone with access to the owner’s network to intercept and watch them over the internet. As for the PixStar Digital Photoframe, the smart frame is designed to pull pictures from your Facebook account, but downloads them unencrypted, so someone sniffing your connection could steal the pictures, according to the researchers.

    The researchers’ findings paint a grim reality. Some smart devices have so little computing power that they couldn’t perform the necessary encryption processes even if their creators wanted them to, and they’re all designed to send information out on the internet.

    “What we have over here is a pretty bad combination. You have hardware that is incapable, and information that’s always being sent to the cloud,” Grover said.

    Their main takeaway is that Internet of Things manufacturers need to start putting security first—or perhaps regulators should set minimum mandatory security standards for manufacturers—and that, at least for now, consumers should “be afraid.”

    Update, Jan. 20: Slides presented by the researchers stated that incoming weather updates contained "location information of the home and weather station in the clear." However, Nest contacted Motherboard to clarify that "the geolocation coordinates are for their remote weather stations, not our customers' homes," and that "the only user information that is contained in the requests is zip code."

    The researchers confirmed this was the case, and Motherboard has updated both the article and headline accordingly.