If you ask Nest about sharing data with its new owner, the company will say that advertising isn’t part of its business model and that it plans to protect the privacy of its customers from Google. Nest will have to share some data with Google and others in order to enable automatic home-related features, but it is not supposed to lead to Google targeting users with even more ads than it currently does. To make sure Google won’t someday spam Nest owners with ads, a group of hackers plans to take preemptive action against Google and Nest, Forbes reports.
Researchers from the University of Central Florida have found a vulnerability they can exploit in order to stop Nest thermostats from sending data to Google.
“The software is obviously designed with security in mind, but the hardware has problems,” UCF senior Orlando Arias said.
Apparently, the hackers can “secretly siphon data and install malware that could botify the Nest” while the device boots up. The hackers used this “feature” to write a program that can prevent the Nest from sending data to Google, after finding that the thermostat sent 32MB of information in a month, including details about temperature, at-rest settings and self-entered information about the home, such as how big the home is and the year it was built.
“The Nest doesn’t give us an option to turn that off or on. They say they’re not going to use that data or share it with Google, but why don’t they give the option to turn it off?” UCF engineering professor Jin said.
“Using this vulnerability, we can patch the Nest from sending that data to Nest servers. There was no performance impact whatsoever on the unit we tested this on,” Arias said.
The hackers want to release this Nest jailbreak solution to interested owners who want to prevent Google from getting more updates about their home, after introducing it at the Black Hat conference in Las Vegas in early August.
Meanwhile, Nest co-founder Matt Rogers said that users can turn off the Wi-Fi of the Nest to stop data transfers, but they would then miss out on updates and energy reports and give up remote-controlled features.
While further emphasizing that Nest doesn’t share data with Google, Rogers said that the company benefits from Google’s expertise on security, and that the thermostat lacks an off feature for data sharing because not many users have asked for one. “There’s a very small vocal minority who don’t want us to have that data,” he said. “We give them a lot of value from that data.”
Interestingly, Nest also knows when its thermostats are jailbroken.