Nest thermostats were transmitting unencrypted location data over the internet
In a report published to the site Freedom to Tinker and presented at the recent PrivacyCon conference, researchers at Princeton University detail how they detected that Nest’s popular thermostat, among other web-connected devices, was transmitting data unencrypted, so in theory, online hackers could have intercepted that private information if they were looking in the right place.
With Nest, only users’ ZIP codes and the locations of nearby weather stations were transmitted unencrypted, Nest’s head of product marketing Maxime Veron told Gizmodo on Wednesday. The researchers found that the Nest was otherwise a “fairly secure device” that encrypted all other information it sent out.
Nest, owned by Alphabet, the parent company of Google, makes thermostats that program themselves to adjust the temperature of a home based on the owner’s schedule, saving energy when nobody is at home. That’s why Princeton’s Center for Information Technology just did a security review of a number of smart gadgets. Among those devices were the Belkin WeMo Switch, the Nest Thermostat, Sharx Security Camera, Ubi Smart Speaker, and more.
However, there are questions as to why Nest is playing down the scale of the leak, as users would surely not be entering more than one ZIP code when setting up their device. The device then pings the weather station in the area, which could be close by or tens of miles away, and it was that data that was exposed to interception. In other words, neither user location information nor the coordinates of company weather stations were secure. The IoT company reportedly patched the flaw quickly when it was notified. This is quite a bit creepier than ZIP codes being leaked, as it essentially allows people to spy on users without their knowledge.
Nest Labs hoped to spark an Internet of Things (IoT) revolution with the introduction of the Nest Learning Thermostat. “The devices inside the home send all of the information to the cloud”, he said during his talk.
“[It] transmits video over unencrypted FTP; if the server for the video archive is outside of the home, this traffic could also be intercepted by an eavesdropper”, the report said.
However, Nest is playing down the leak, saying that the only information revealed was the location of the local weather stations.
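The two leaks described above, location data sent in the clear and video archives pushed over unencrypted FTP to a server outside the home, are the kind of thing a home-network audit can catch passively. The following is an added example, not code from the Princeton report, Nest or any of the vendors named: it scans a constructed list of captured flows for ZIP codes or latitude/longitude pairs in plaintext HTTP request lines and for FTP sessions leaving the RFC 1918 home network. The flow record layout, the assumption that the location appears in an HTTP query string, the coordinate format and all addresses and payloads are hypothetical and constructed for the example.

```python
"""Audit captured IoT flows for the two cleartext leaks the report describes:
location data (ZIP codes, weather-station coordinates) in plain HTTP, and
video archives sent over unencrypted FTP to a server outside the home.
Added example; the flow records and field layout are constructed and
hypothetical, not taken from the report."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Five-digit US ZIP (optionally ZIP+4), not embedded in a longer number.
ZIP_RE = re.compile(r"(?<!\d)\d{5}(?:-\d{4})?(?!\d)")
# Decimal number with 3+ fractional digits; two of them in one request line
# are treated as a latitude/longitude pair (heuristic, assumed format).
DECIMAL_RE = re.compile(r"-?\d{1,3}\.\d{3,}")
FTP_CMD_RE = re.compile(r"^(?:USER|PASS|STOR|RETR)\s", re.MULTILINE)
HOME_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src: str      # device address on the home LAN
    dst: str      # remote address
    dport: int    # remote port
    payload: str  # first bytes of application data as seen on the wire


@dataclass
class Finding:
    src: str
    dst: str
    kind: str     # "plaintext-location" or "cleartext-ftp"
    detail: str


def leaves_home(addr: str) -> bool:
    """True when the destination is not on an RFC 1918 home network."""
    ip = ip_address(addr)
    return not any(ip in net for net in HOME_NETS)


def audit_flows(flows: List[Flow]) -> List[Finding]:
    """Return one finding per cleartext location leak or outbound FTP session."""
    findings: List[Finding] = []
    for f in flows:
        if f.dport in (443, 22):
            continue  # TLS/SSH: payload is opaque, nothing to inspect by content
        if f.dport in (80, 8080) and f.payload.startswith(("GET ", "POST ")):
            request_line = f.payload.splitlines()[0]
            zips = ZIP_RE.findall(request_line)
            decimals = DECIMAL_RE.findall(request_line)
            if zips:
                findings.append(Finding(f.src, f.dst, "plaintext-location",
                                        f"ZIP code {','.join(zips)} in {request_line!r}"))
            if len(decimals) >= 2:
                findings.append(Finding(f.src, f.dst, "plaintext-location",
                                        f"coordinate pair {decimals[:2]} in {request_line!r}"))
        # Unencrypted FTP is only a remote-eavesdropping risk once it leaves the LAN.
        if (f.dport == 21 or FTP_CMD_RE.search(f.payload)) and leaves_home(f.dst):
            findings.append(Finding(f.src, f.dst, "cleartext-ftp",
                                    f"FTP session to {f.dst}:{f.dport} outside the home network"))
    return findings


# Constructed sample capture; remote addresses are from the 203.0.113.0/24 test range.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "203.0.113.10", 80,
         "GET /forecast?zip=08540 HTTP/1.1\r\nHost: weather.example\r\n\r\n"),
    Flow("192.168.1.20", "203.0.113.10", 80,
         "GET /stations?lat=40.3573&lon=-74.6672 HTTP/1.1\r\nHost: weather.example\r\n\r\n"),
    Flow("192.168.1.31", "203.0.113.50", 21, "USER camera\r\nPASS s3cret\r\n"),
    Flow("192.168.1.31", "203.0.113.50", 443, "\x16\x03\x01\x02\x00..."),
    Flow("192.168.1.20", "203.0.113.10", 80,
         "GET /firmware/check HTTP/1.1\r\nHost: updates.example\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(f"{finding.kind:<19} {finding.src} -> {finding.dst}: {finding.detail}")
```

Run against the constructed capture, the audit reports the ZIP-code request, the coordinate request and the outbound FTP session, and stays silent on the TLS flow and the firmware check. The ZIP and coordinate matching is deliberately a heuristic applied only to the request line; on real traffic it needs tuning to the device's actual request format, which the report does not spell out here.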