Update: Nest got back to us, saying that the researchers assumed incorrectly what the geo-location data was for, which actually was used for the weather station, not the user’s house:
“The authors initially made an incorrect assumption, which we pointed out to them before they presented their report, that the response to the weather update request contains exact location of the customer’s home. In fact, the weather information is provided by an online weather service, and the geolocation coordinates are for their remote weather stations, not our customers’ homes. The only user information that is contained in the requests is zip code. We have reached out to the researcher to make this clarification update.”
A group of researchers have revealed that the Internet of Things is probably less secure than you expect.
At a talk during PrivacyCon held by the Federal Trade Commission last week, the researchers revealed that many smart devices leak private information in cleartext — with little to no effort to encrypt that data.
The most notable of their findings was that the Nest thermostat was leaking the zip code of the user in clear text (see update above — the data actually related to the nearby weather station).
When the researchers reported the bug it was quickly fixed by Nest, however it’s unclear how long the hole was open before it was found.
Transmitting data in cleartext isn’t inherently bad, but it means that any ‘bad actor’ on your home or the ISP’s network could easily steal that information without all that much work.
The group studied other devices, such as a smart photo frame that communicated with the internet entirely unencrypted and a Ubi smart speaker that leaked sensor data, which could be used to track whether you were at home.
The biggest question still surrounding the Internet of Things is how secure these devices really are — though the researchers said that the Nest was one of the “more secure” devices.
Many of the creators of smart gadgets are small startups that don’t have the resources or knowledge to build out sophisticated security, leaving you wide open to attack.
The problem is that right now we’re in an all-out brawl for who will own the definitive IoT platform. Until then, expect a bumpy ride.