Google is still collecting data from your old Nest thermostat.


Summary

Data collection

Google continues to collect data from Nest thermostats despite discontinuing the devices.

Privacy concerns

Information such as whether an individual is detected near a thermostat is still being sent to Google.

Security concerns

The thermostats are vulnerable to hackers since Google stopped shipping security updates.


Full story

A security researcher discovered that Google is still collecting data from discontinued Nest thermostat models in millions of American homes. The data collection affects first- and second-generation Nest Learning Thermostats and raises questions regarding consumer privacy and security.

The continued data collection was discovered by Cody Kociemba, chief executive of the mobile development firm Hack/House. He told Straight Arrow News that even though Google ended security and software updates last month, as well as the ability to remotely control the older Nest models, he found that user data is still being transmitted from individual units to the company.

“During my analysis of the backend communication layer used by the abandoned Nest Generation 1 and Generation 2 thermostats, it became clear that these devices continue transmitting large amounts of data to Google, even after key remote features were shut down,” Kociemba told Straight Arrow News. 

“In other words,” he said, “Google intentionally left the data-collection firehose running while removing the functionality many customers originally bought these thermostats for.”

Kociemba said Google collects information regarding “presence detection (whether you’re home or away), temperature adjustments, sunlight detection, HVAC activity, humidity changes and even certain network details.”

The collection raises privacy concerns because such data, according to Kociemba, provides significant insight into a household’s daily patterns.

Google says the continued data collection is necessary for “issue diagnostics.” However, in a statement to The Verge, Google spokesperson Laura Breen said users “who prefer to stop providing these logs can simply disconnect their device from Wi-Fi.”

Vulnerable to hacking

Sean O’Brien, founder of the Yale Privacy Lab and chief executive at Ivy Cyber, told SAN that the data gathered by Google is far from trivial.

“Proximity signals alone can reveal when someone is home, when they leave and when they sleep,” O’Brien said. “Combine that with temperature adjustment behavior and you can map out daily rhythm with surprising accuracy. Over time, you get a very clear picture of household routine.”

But privacy isn’t the only concern. The lack of future security updates also raises issues for users of older Nest models.

“Any vulnerability that exists today will remain unpatched indefinitely,” Kociemba said.

Hackers can hijack vulnerable internet-connected devices en masse for use in distributed denial-of-service attacks, which can knock a target server offline by flooding it with fraudulent traffic.

A vulnerable thermostat could also give a hacker a foothold in the owner’s network, potentially leading to data theft or other security issues.

“An internet-connected device that is open to the internet but can never be fixed is exactly the kind of target attackers look for,” O’Brien said.

Kociemba and other experts say there’s one simple fix that can significantly reduce both the privacy and security issues.

“For users who are uncomfortable with this ongoing data collection, or with the risks of running an unmaintained internet connected device, the safest immediate step is to disconnect the thermostat from Wi-Fi,” he said. “Doing so blocks further telemetry from reaching Google and also reduces the attack surface of a device that will never see another security update.”

‘No Longer Evil’

Kociemba told SAN he discovered Google’s continued data collection while participating in a “bug bounty” program from the right-to-repair advocacy organization FULU. The program offered $14,722 to anyone who could bring back smart features to Nest devices that are no longer supported by Google.

In a project titled “No Longer Evil,” Kociemba, who was ultimately awarded the bounty, detailed his findings alongside the release of an open-source software program designed to let users once again control their old thermostats without the need for Google.

“Your thermostat shouldn’t become e-waste,” Kociemba said, “because some corporation decided to flip the kill switch.”

Alan Judd and Cassandra Buchman contributed to this report.

SAN provides
Unbiased. Straight Facts.

Don’t just take our word for it.


Certified balanced reporting

According to media bias experts at AllSides

AllSides Certified Balanced May 2025

Transparent and credible

Awarded a perfect reliability rating from NewsGuard

100/100

Welcome back to trustworthy journalism.

Find out more

Why this story matters

Ongoing data collection from discontinued Nest thermostats by Google raises concerns about consumer privacy and the security of unsupported smart home devices even after official features end.

Consumer privacy

The continued transmission of household data from discontinued thermostats, as identified by Cody Kociemba, prompts scrutiny over how companies handle and justify data collection from devices no longer receiving updates.

Device security

Discontinued support leaves thermostats without security updates, exposing homes to potential hacking risks and highlighting broader issues associated with the longevity and safety of internet-connected devices.

Corporate responsibility

Google’s decision to maintain diagnostics despite discontinued services, as cited by its spokesperson, raises questions about the obligations companies have toward product life cycles and transparency with consumers.
