The popular connected Nest thermostat was leaking the zip codes of local weather stations over the Internet until recently, Princeton University researchers found — highlighting, they say, the challenges in keeping information secure as people plug in more smart devices around the house.
Doctoral student Sarthak Grover and Roya Ensafi, a fellow at the Center for Information Technology Policy, reviewed other Internet-connected home devices, including the Ubi Smart Speaker, Sharx Security Camera and PixStar Digital Photoframe, and found other security concerns.
“Many devices failed to encrypt at least some of the traffic that they send and receive,” CITP acting director Nick Feamster wrote in a blog post. “Investigating the traffic to and from these devices turned out to be much easier than expected, as many of the devices exchanged personal or private information with servers on the Internet in the clear, completely unencrypted.”
In the case of the Nest, which was acquired by Google for more than $3 billion last year, the researchers said that the device revealed the zip code of local weather stations over the open Internet. They found that the Nest otherwise was a “fairly secure device,” and that it encrypted all other information being sent out.
"The authors initially made an incorrect assumption, which we pointed out to them before they presented their report, that the response to the weather update request contains exact location of the customer's home," Nest said in a statement on Thursday. "In fact, the weather information is provided by an online weather service, and the geolocation coordinates are for their remote weather stations, not our customers' homes. The only user information that is contained in the requests is zip code. We have reached out to the researcher to make this clarification update."
Security researchers have repeatedly expressed concerns about the spread of Internet-connected devices that have access to people’s private information, saying that proper security systems are often not in place to keep information from leaking out or hackers from getting in.