- January 22, 2016
- Posted by: Kerry Tomlinson, Archer News
This is a prime example of how things can and will go wrong with your smart home, experts say.
On a frosty winter night, a chill fell over homes across America. Their Nest smart thermostats froze, so to speak, and temperatures inside the houses dropped.
“Woke up to a dead Nest and a very cold house,” wrote one customer on Nest’s community forum on January 6. “Not good when you have a baby sleeping!”
“Our Nests are just drained, completely, and non-responsive,” wrote another.
“It’s 20 degrees and snowing, so can’t afford to not have heat,” said another Nest user.
“NOT HAPPY!” echoed another on the forum.
Finally came an answer from the company that makes the Nest, a “learning” thermostat that says it programs itself based on how you set your temperatures, and lets you monitor the system from your phone.
It was a glitch.
“Some Nest Thermostats that have been updated to software version 5.1.3 or later may become unresponsive or may not charge the battery efficiently, causing it to shut down,” the company said online. “Recharge and restart your thermostat to get it working again.”
Recharge and restart
New York Times reporter Nick Bilton, who says his Nest died as well, described the “recharge and restart” process from a customer’s perspective:
“But the fix can require customers to follow a nine-step procedure to manually restart the thermostat, which involves detaching the device from the wall, charging it with a USB cable for 15 minutes, reattaching it to the wall, pressing a series of buttons, charging it again for at least an hour, and then… I know, you’re not the only one confused. (Nest does offer to send an electrician to your home if you can’t figure it out on your own.)”
Nest spokesperson Ivy Choi told Archer News that the issue is being resolved.
“There was a software bug that impacted a very small percentage of Nest Thermostat owners. In some cases, this caused the device to respond slowly or become unresponsive,” Choi wrote. “We have released a software update that should improve this problem for the vast majority of impacted customers.”
Choi said the company is working on more help for customers.
“On top of this, we are also planning additional fixes in the coming weeks to further improve performance. For customers who are still having problems, performing a manual restart of the thermostat will help. Nest customer support is also available 24/7 for assistance,” she said.
Coolness vs. security & control
This case may serve as a warning for people thinking of adding yet another connected device to their homes, security experts say.
“This is a great example of how IoT [Internet of Things] devices are out of control,” said Jim Feely with Archer Security Group.
Research from HP Security showed that some smart devices have security flaws.
And some companies have been prosecuted by the Federal Trade Commission for not reasonably securing their networks, products or services, Ars Technica reported.
That means someone else may be able to control some of the devices in your home, and their effects on you.
In the case of the Nest, it was a glitch. But Feely warned that being vulnerable, either to glitches or to attackers through security flaws, may outweigh the “coolness” factor of these devices.
“It’s neat that I can change my thermostat setting from my cell phone,” Feely said. “If I live in a temperate area of Arizona, I might not care if my home thermostat is out of my control. If I have a baby at home in North Dakota in the winter, maybe an out-of-control thermostat isn’t worth the risk.”
“The same goes for locks, light bulbs, garage door openers, etcetera,” he added.
“Consumers need to take a hard look at the IoT devices and decide if the risks from being out of control are acceptable in each situation,” Feely said.
Nest told Archer News it does have security measures in place to prevent hackers from getting into the system and affecting customers, and reiterated that the problem was a glitch, not a security issue.
“As more and more devices become connected to the internet – and each other – security and privacy are becoming increasingly important to consumers,” Choi said.
“Nest has always prioritized the security of our products and the privacy of our customers, and we are constantly investing in maintaining that commitment and staying ahead of any threats. You can read more at nest.com/privacy and nest.com/security,” she said.
Fixing the glitch
Some Nest customers on the forum expressed unhappiness with the company’s customer service while they were trying to get answers and a fix.
“I was on hold so long with Nest, my battery on my phone just died,” wrote one.
“Too late. We all froze to death, waiting for a response,” said another.
But some experts say other smart device customers could end up in a much worse position.
“At least the people at Nest were responsive to customer complaints and had the technical talent to solve the problem,” said Patrick Coyle with Chemical Facility Security News.
Some smart device companies may leave you hanging, he said.
“I suspect that we are going to see more problems like this, and we will see a wide range of response efficacy,” he said. “Some companies will be better than others at responding to customer issues, and this should result in an inevitable shakeout in IoT vendors.”
“Too bad that many people will find out too late that they have chosen a vendor that was not going to stay in business for long,” he added.
Archer News checked in with Nest, asking if there had been issues like this before.
“To our knowledge, we have not encountered this bug before,” Choi wrote.
But what about any previous bugs?
Choi said she was not sure what the answer was and would look into it.
In the meantime, there are reports online detailing problems with previous bugs.
TechCrunch reported in January 2014 that Nest had posted support center information about “intermittent low battery or connectivity issues with thermostat software 4.0.”
“We have discovered a bug in our latest 4.0 thermostat software that affects a small percentage of our users…affected users will see a low battery warning on the thermostat, see their thermostat as “OFFLINE” intermittently in the app, and won’t be able to control them using the Nest app….As of Sunday, Dec. 8th, we have a short-term solution and have started updating affected thermostats. We’re rolling these thermostats back to version 3.5.3, which should fix the problem,” Nest said, according to TechCrunch.
A poster on Amazon who said he was an HVAC contractor wrote in 2013 that a Nest software update had a bug in it.
“Some Nest owners found their thermostats unable to connect to wifi. Others found their pipes frozen as the Nest failed to turn on their equipment,” the poster said.
“Again, not everyone had an issue,” the poster added. “But a thermostat is not an iPod. A buggy update is going to cause a much bigger problem than being without your music if you are part of the group that does have problems. They need to stop forcing updates on people (have a way to apply them at will) and test them extensively on their own systems before release.”
Nest has not yet answered Archer News’ question about previous bugs. But it did offer some defense.
“All consumer products do sometimes encounter software bugs, so one of the main benefits of Nest products is that they can receive software updates to quickly resolve and minimize any bugs that do create issues for our customers,” Choi said.
“Customers enjoy using Nest products – this is evident on Amazon, where the Nest Learning Thermostat has more than 1,700 reviews with an average of 4.5 stars, and Nest Protect is a best-seller with 1,400 reviews averaging 4.6 stars,” she said.
Another Amazon reviewer in 2013 said that he or she came home to a “sweltering-hot apartment when the outside temperature was in the mid-to-high sixties.”
The Nest was malfunctioning, the reviewer said, and when it failed, it should have failed to a setting that was less risky.
“…When it fails it DOES NOT FAIL SAFE – which is a pretty major problem when you’re talking about a device that is controlling expensive heat and cooling (and, in a cold climate, keeping your pipes from freezing!)” the reviewer wrote.
Some experts agree that smart device companies should focus on a device’s “failure” setting.
“Designers of IoT devices are going to have to start taking a long hard look at failure modes,” said Coyle.
“If a smart thermostat is going to fail, it should fail to a ‘dumb’ thermostat state, not a non-functioning silicon brick. If your smart refrigerator system controller fails, it should not result in spoiled food,” he said.
Sucking out your data?
Some smart devices may also have impacts you don’t feel—at least not right away.
“The greatest thing about this technology is that it learns your habits and optimizes around them,” said Patrick C. Miller with Archer Security Group. “The scary thing about this technology is that it learns your habits.”
And habits can be worth money.
“They suggest many things to many interested parties,” he said.
“Thieves can predict the best time to steal your stuff. Energy companies can know how to price your power in ways that benefit you—and them,” Miller explained. “Couple this data with something like a Fitbit and/or smart meter (or both), and your insurance company can know whether or not you are sleeping enough to be as healthy as they prefer to match the cost of your monthly payment for coverage.”
Miller said he is not talking about any specific device, like the Nest or any others, but instead, about the concept of giving away your information.
“These technologies are truly innovative, exciting and awesome, however there is a slippery slope when it comes to privacy and ownership of the data they produce,” he said. “Data is private until it isn’t. There is no stuffing the data genie back into the bottle.”
Nest says it pledges to “be transparent about the different types of information we collect and how we use them, ask your permission before sharing your personal information with third parties for purposes other than to provide Nest’s Products, and to do so only when we think they will provide you with a welcome additional service, use best-in-class data security tools to keep your data safe and protect the Nest Products from unauthorized access.”
Some businesses are ready to monetize your data from your smart home.
“There is a gold mine in the data collected from the Internet of Things, devices, sensors, etc., and a green field opportunity for companies to determine how to provide customers value from that data,” wrote Ben Rossi in Information Age, a publication that says it provides insight and analysis for IT leaders.
“Understanding how customers consume products and services provides insights into their habits, behaviors and patterns that can’t be seen otherwise,” he said. “The vendors that succeed at getting close to their customers will win the Internet of Things market.”
He said companies can use this “usage” data to keep customers coming back again and again by giving them what they want.
But what if a company has other plans for your information, your habits, your likes, wants, needs?
You may want to think about your data, as well as your device. Both are important, experts say.
“A fundamental principle in IT security is control. Who controls the asset, and does the person/thing in control have the same interests and responsibilities that you have?” asked Feely.
A few Nest customers indicated they were thinking about changing thermostats, after spending several hundred on their smart device.
“I might as well have a $10 Walmart thermostat at this point,” one wrote.
Another said he also spent money on an HVAC company to fix problems. “Maybe [a] dumb thermostat will save me more $$ in the long run? I hate to think about the whole house connected to the internet and software bugs.”
But with the march toward smart houses, cars and appliances, light bulbs and locks, you may have a hard time escaping smart devices. Or you may like the convenience—or the coolness—of connected things.
Researchers say they are working on a system to rate these devices, based on security and safety.
A group going by the name “I Am The Cavalry” said it is looking at issues like whether the devices use weak passwords out of the box, among other things, reported The Next Web.
The Federal Trade Commission has put out a security best practices guide for smart device makers, and has asked for legislation to be able to get tougher on companies that don’t follow reasonable security processes, Ars Technica reported.
For Nest users, however, it is no longer a surprise that a glitch can now control your warmth, and your world.
“The consumer’s choice is to use the thing, or not use the thing. They have very little control over what it does—or how it does it—once it’s installed,” Feely said.