Smart thermostats are near the top of many shopping lists of ‘must have’ devices for the connected home. After all, who wouldn’t want the financial and energy efficiency advantages of a programmable device without all the installation headaches? But have you considered the security and privacy issues that they might involve?
Smart goes mainstream
Smart thermostats are becoming popular, scoring a 45% approval rating as one of the most important features in a smart home according to a survey by Realtor.com, trailing security by only one percentage point.
People are adding them to their homes at an accelerating pace. In the EU, the numbers are expected to jump from a tiny 4 million in 2017 to 22 million devices by 2020. In the United States, an even greater jump has been forecast, moving from 12 million to 33 million during the same period, according to Statista data.
What does a smart thermostat do?
A smart thermostat is simply the latest of three basic stages in regulating home temperature – basic, programmable, and smart. At the basic stage, a thermostat just lets the user set the temperature and relies on them not forgetting to turn down the settings at night or when leaving on vacation. Programmable thermostats enable users to adjust the heat on a daily or weekly schedule. While a definite boost to energy efficiency, they still require the user to spend time pushing buttons and adjusting the settings for unplanned changes.
Smart thermostats offer all the advantages of a programmable device without most of the programming hassles – and with the bonus of remote smartphone access. Most of these devices have the user establish the basic settings. Then, over time, the device learns the user’s habits and preferred temperature settings so that the house is warm (or cool) when the owner gets home from work. And with easy smartphone access, users can double check that the house is indeed at the correct temperature while they are away.
Smart home security
Comfort can be risky. Having an online device automatically adjust heating and cooling is a security issue for experts and ordinary users alike. At the very least, that smart thermostat knows when you are home and when you are away. It probably knows a lot more – perhaps how many people are home, where you are, the name and password of the home WiFi network, and even the precise location of your home.
Smart devices of many types have been hacked and infected. As a consequence, some devices have been permanently disabled and others conscripted into a botnet army – helping flood the internet with spam, malware, and other goodies. By combining thousands of devices together, botnet armies have succeeded in knocking major sites offline with their DDoS attacks, disrupting internet access for millions.
With a smart thermostat, it is an open question how secure or encrypted this data is as it travels between the company’s servers and the home. It is also unclear whether the data stored on the device itself is encrypted (with the Nest thermostat it is not), and whether the device manufacturer will keep this data to itself – or resell it to other companies.
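One way a home user can answer the first of those questions for themselves is to look at what the thermostat actually sends out. The script below is an added example, not code from the article or from any thermostat vendor: it assumes a home router that can export per-connection records (the record format, the 192.168.1.0/24 home prefix, the device inventory and the sample records are all constructed for this example) and flags any connection from a known smart device to an outside host on a port that normally carries unencrypted traffic.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the home LAN uses this prefix; anything outside it is "the internet".
HOME_LAN = ip_network("192.168.1.0/24")

# Constructed inventory mapping LAN addresses to device names (hypothetical).
DEVICES = {"192.168.1.42": "thermostat", "192.168.1.23": "laptop"}

# Destination ports whose usual protocols carry application data without
# transport encryption. Plain MQTT (1883) is common on IoT devices.
CLEARTEXT_PORTS = {23: "telnet", 80: "http", 1883: "mqtt"}

# Constructed sample of outbound connection records, one per line:
# timestamp, source IP, destination IP, destination port, protocol, bytes sent.
SAMPLE_FLOWS = """\
2019-01-10T07:02:11 192.168.1.42 203.0.113.10 443 tcp 18240
2019-01-10T07:02:15 192.168.1.42 203.0.113.10 80 tcp 512
2019-01-10T07:03:01 192.168.1.42 198.51.100.7 1883 tcp 96
2019-01-10T07:05:40 192.168.1.42 192.168.1.1 53 udp 80
2019-01-10T07:06:02 192.168.1.23 203.0.113.50 443 tcp 40960
"""


def parse_flows(text):
    """Parse whitespace-separated connection records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def is_external(addr):
    """True when the address lies outside the home LAN prefix."""
    return ip_address(addr) not in HOME_LAN


def cleartext_egress(flows, devices):
    """Return (device, destination, protocol, bytes) for every flow from an
    inventoried device to an outside host on a cleartext port."""
    findings = []
    for f in flows:
        name = devices.get(f["src"])
        if name is None or not is_external(f["dst"]):
            continue
        if f["port"] in CLEARTEXT_PORTS:
            findings.append((name, f["dst"], CLEARTEXT_PORTS[f["port"]], f["bytes"]))
    return findings


def egress_summary(flows, devices):
    """Map each inventoried device to the sorted list of outside hosts it contacted."""
    summary = defaultdict(set)
    for f in flows:
        name = devices.get(f["src"])
        if name and is_external(f["dst"]):
            summary[name].add(f["dst"])
    return {name: sorted(hosts) for name, hosts in summary.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for device, hosts in egress_summary(flows, DEVICES).items():
        print(f"{device}: talks to {', '.join(hosts)}")
    for device, dst, proto, nbytes in cleartext_egress(flows, DEVICES):
        print(f"WARNING: {device} sent {nbytes} bytes to {dst} over cleartext {proto}")
```

On the constructed sample the thermostat is flagged twice: once for a small HTTP exchange with its cloud host and once for plain MQTT to a second host. A flagged port does not prove the payload is unencrypted (some vendors layer their own encryption inside HTTP), but it is exactly the kind of question the paragraph above raises, and the list of outside hosts each device contacts is a useful starting point for asking the vendor what it is sending and where.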
Does smart stand for safety?
In a 2015 survey of 1549 members of the European Information Systems Audit and Control Association, nearly half (44%) considered it very likely that researchers could hack a thermostat and use this vulnerability to access home data via the WiFi network, and a further 39% thought this scenario was somewhat likely.
How right these experts were. In 2016, white hat hackers from Pen Test Partners indeed hacked a smart thermostat and inserted a warning screen that threatened to shut down the entire system unless a ransom payment was made.
Other researchers have shown that a Nest thermostat can be hacked while booting up, giving the hacker access to the device’s system – as well as to all the other smart devices on the network that are part of the “Works with Nest” system. This approach requires the hacker to have less than half a minute physically alone with the Nest thermostat – like a secret agent bugging a phone – to add the malicious firmware and reset the device.
Is a smart thermostat worth it?
A smart thermostat and its online support crew know a lot about the user – perhaps too much. Are you comfortable giving out that much private information? How reputable is the company that you’ve let listen in to your every move?
These are issues to keep in mind while shopping. “You’re not just buying gear,” warned Andrew Tierney, one of the Pen Test hackers. “You’re inviting people on your network and you have no idea what these things do.”