Nest may be the poster child for the so-called Internet of Things, but as it turns out, even one of the most popular connected devices—owned by Google’s parent company Alphabet, no less—isn’t free from the sorts of security flaws plaguing other smart devices.
Researchers at Princeton University have found that, until recently, Alphabet’s popular Nest thermostat was leaking the zip code and location of its users over the internet. This data was transmitted unencrypted, or in the clear, meaning that anyone sniffing traffic could have intercepted it, according to the researchers.
The researchers also studied several other smart devices, including the Sharx security camera, a PixStar smart photoframe, and Samsung’s SmartThings Hub. The goal of their research wasn’t to find specific bugs in these devices, but to determine what information was being leaked when the devices communicated with their servers in the cloud.
Sarthak Grover, a PhD student at the Center for Information Technology Policy (CITP) at Princeton, and fellow Roya Ensafi reached out to Nest to report the bug, and said that the company “promptly” fixed it. The researchers did not disclose whether they reached out to other companies as well.