Update: Nest has reached out to clarify that the location data mentioned in the report is that of their weather provider’s remote stations and not of customers’ homes. Zip codes sent out to get weather reports are now encrypted. This article has been updated accordingly.
Researchers at Princeton University have discovered that Nest thermostats transmitted their users' zip codes unencrypted. Nest has since fixed the issue. The broader study examines numerous Internet of Things devices from well-known manufacturers to determine their safety and find privacy vulnerabilities.
Nest quickly remedied the issue after being contacted. Specifically, zip codes were sent out unencrypted to get weather data from a third-party weather service. Without encryption, anybody snooping on the traffic could intercept the data and find out the general area in which a device was located.
Other IoT devices that the researchers looked at, including Samsung’s SmartThings Hub, a Belkin WeMo Switch, and a smart security camera, were all leaking some sort of information. Many were sending personal information to servers unencrypted, in the clear.
While devices like the Samsung Hub encrypt data, a malicious observer could still ascertain usage patterns, such as when an appliance was turned on and off. More worrying is the fact that some smart devices lack the computing power to encrypt data before it is sent out on the internet.
The report goes on to discuss steps that companies could take to secure their appliances. The researchers note that companies should be more transparent about what kind of data their devices reveal.