Researchers at Princeton University's Center for Information Technology Policy (CITP) found security vulnerabilities in many of the most popular IoT devices that they looked at, including Google's Nest Thermostat.
PhD student Sarthak Grover and CITP fellow Roya Ensafi found that most of the devices leak user information. Nest was found to leak the zip code of the weather station that users enter when configuring the device, unencrypted over the internet.
In most cases, the information leaked by the Nest thermostat is the same as the zip code of the device owner. As CITP acting director Nick Feamster asked in a CITP blog post, “When would a user ever enter a zip code other than that of their home, where the thermostat was located?”
In a presentation at the Federal Trade Commission (FTC) PrivacyCon conference, Grover warned that IoT devices can leak sensitive information, including whether device owners are at home and the activities of the device owners. “The devices inside the home send all of the information to the cloud,” he said during his talk. “In fact, if you have two devices in the home and they want to talk to each other, currently they will talk to the cloud and the information will get back to the home.”
Many other IoT devices were found to leak even more sensitive information than Nest's thermostat. The research team also examined the Belkin WeMo Switch, Ubi Smart Speaker, Sharx Security Camera, PixStar Digital Photoframe, and Smartthings hub. PixStar's Digital Photoframe, for example, a digital photo display that loads pictures from users' Facebook accounts, sends all information unencrypted, or in the clear.
This is not the first time that Nest has faced security issues. In 2014, researchers from the University of Central Florida demonstrated at Black Hat that they could root the Nest thermostat in “ten to 15 seconds” by pressing and holding the power button, inserting a USB drive and entering developer mode.