It’s no secret that connected home devices are riddled with security concerns. A recent investigation into Nest thermostats leaking user data onto the internet seemed especially anxiety-inducing, given how incredibly popular the gadgets are. But the story’s not as scary as some reports might lead you to believe.


The new research comes out of Princeton’s Center for Information Technology Policy. There, two researchers have spent the last two months testing the security of various smart home gizmos. They looked at the Nest thermostat, Belkin’s WeMo Switch, Ubi’s Smart Speaker, Sharx’s Security Camera, a Smartthings hub, and a PixStar digital photo frame. The results were not pretty.

It turns out that “many devices fail to encrypt at least some of the traffic that they send and receive,” according to a CITP blog post that was published yesterday. Many of these devices were sending both private and public information about the users, unencrypted, out into the digital ether.


This sensitive information including anything from basic user data like ZIP codes to more sensitive information like voice chats and home location. That makes for a sliding scale of sketchiness, but the simple fact that the devices leaked unencrypted data is not good. Some also misread the CITP findings and reported that Nest thermostats “leaked home locations over the internet,” a claim that was not true but certainly caught people’s attention.

With Nest, only users’ ZIP codes and the locations of nearby weather stations were transmitted unencrypted, Nest’s head of product marketing Maxime Veron told Gizmodo on Wednesday. Nest also said that the bug causing the leak had been fixed. We also reached out to Sarthak Grover, one of the Princeton Ph.D. students behind the research, to confirm the timeline. Nest and the researchers provided conflicting reports about when the ZIP code bug was discovered and by whom. But suffice it to say, nobody wants bugs in connected home devices that leak private information onto the public internet.

The CITP researchers presented their findings at Federal Trade Commission privacy conference last week in Washington. And while this particular series of bugs doesn’t spell doom for the future of connected home devices, it’s certainly encouraging to see security researchers spotting what tech companies miss.

For now, your Nest thermostat probably isn’t telling hackers where you live. But just remember that anytime you connect something to the internet, there’s always a risk that it opens a door for hackers to sneak in when you’re not looking.

[Center for Information Technology Policy]

