Nest Thermostat Leaked Home Locations Over the Internet


Reefa

Nest may be the poster child for the so-called Internet of Things, but as it turns out, even one of the most popular connected devices—owned by Google’s parent company Alphabet, no less—isn't free from the sorts of security flaws plaguing other smart devices.

 

Researchers at Princeton University have found that, until recently, Alphabet’s popular Nest thermostat was leaking the zip code and location of its users over the internet. This data was transmitted unencrypted, or in the clear, meaning that anyone sniffing traffic could have intercepted it, according to the researchers.

 

The researchers also studied several other smart devices, including the Sharx security camera, a PixStar smart photoframe, and Samsung’s SmartThings Hub. The goal of their research wasn’t to find specific bugs in these devices, but to determine what information was being leaked when the devices communicated with their servers in the cloud.

 

Sarthak Grover, a PhD student at the Center for Information Technology Policy (CITP) at Princeton, and fellow Roya Ensafi reached out to Nest to report the bug, and said that the company “promptly” fixed it. The researchers did not disclose whether they reached out to other companies as well.

 

Grover presented some of his and Ensafi’s findings during a conference put together by the Federal Trade Commission last week in Washington, D.C. Nest did not respond to a request for comment.

Of the devices studied by the Princeton researchers, most leaked at least some kind of private information, meaning that anyone who can sniff traffic travelling over the internet “may be able to find out what you’re currently doing inside your home,” said Grover during the conference.

 

Apart from the Nest, the researchers found that the Sharx security camera transmits video feeds in the clear, allowing pretty much anyone with access to the owner’s network to intercept and watch them over the internet. As for the PixStar Digital Photoframe, the smart frame is designed to pull pictures from your Facebook account, but downloads them unencrypted, so someone sniffing your connection could steal the pictures, according to the researchers.

 

The researchers’ findings paint a grim reality. Some smart devices have such little computing power that they couldn’t perform the necessary encryption processes even if their creators wanted them to, and they’re all designed to send information out on the internet.

 

“What we have over here is a pretty bad combination. You have hardware that is incapable, and information that’s always being sent to the cloud,” Grover said.

 

Their main takeaway is that Internet of Things manufacturers need to start putting security first—or perhaps regulators should set minimum mandatory security standards for manufacturers—and that, at least for now, consumers should “be afraid.”

http://motherboard.vice.com/en_uk/read/nest-thermostat-leaked-home-locations-over-the-internet



Quote

anyone who can sniff traffic travelling over the internet

 

Not only can but do. Within a 3-block radius of my house there are over 50 sniffers running at a time; most are running 24 hours a day. That's what happens when you live in an area full of computer-literate hackers.
