Are Wi-Fi Thermostats Safe?
I am thankful that we were able to provide a free, in-home estimate for a particular customer. We were mentioning our promotion for a Wi-Fi thermostat that was free after RG&E rebate with the installation of a new system. The customer mentioned he was wary of Wi-Fi thermostats, because it would be easy for hackers to attack these “smart” thermostats which he believed posed a security risk. This statement gave us pause, because our customer happened to work in cyber-security, which makes him an expert in such matters. (Note: The specifics of this conversation are tough to pin down, as they were related by a high-ranking member of Boccacino Heating who, as of 10 weeks ago, didn’t know you could get email on your smartphone)
As a result of that conversation, we decided to take a deep dive into the relative security of Wi-Fi thermostats. We know that they are convenient, or that they can save your lake house from disaster on a windy winter day. But are they safe? As our homes get smarter and smarter, this is an increasingly relevant question to ask.
I had quite a bit to learn in order to even barely understand what might make a thermostat, or any other connected device, vulnerable. I’ve done what I can to try and make this accessible for people of all levels of technical savvy, so parts of what follows may seem a bit elementary to more knowledgeable readers. The first question I had to answer was, “what are the risks posed by a wi-fi thermostat?” There are 2 potential vulnerabilities: 1. Your Data, and 2. Your Network.
Your data moves in 2 different states when dealing with Wi-Fi: wirelessly/broadcast in the air between the thermostat and its internet router, and by wire from your router to some remote server (and back). Accordingly, there are two different standards of security protocol.
A. In the Air:
Your thermostat communicates with your home’s router wirelessly. It is in fairly constant communication with the router, and could potentially send sensitive data, so it’s important that the data is secured in some manner. The basic layers of protection are WPA2/WPA/WEP.
Verizon suggests using WPA2 if compatible. Here’s a somewhat detailed description of the differences, and here’s one for, well, dummies! The bottom line is that data secured under these protocols is encrypted, and therefore it exhibits security similar to most of the wireless connections you typically engage. As the preceding link notes, WPA2 is used by the Federal Government to encrypt data classified as Top Secret, so it is a fairly rigorous standard.
B. Across a Wire:
Once your data successfully gets from the thermostat to the router, it will do the rest of its work on wires. The data will go from your home across wires to the servers of whichever thermostat you may own. The data will be housed on the server and then will run across wires back to your home where it will communicate with your thermostat/laptop/tablet/cell phone, etc. Once it leaves your house, you also want your data protected, and it is protected by different acronyms: SSL or TLS.
Symantec explains that these terms are often used interchangeably, so it’s worth double checking: if you see a reference to SSL, it may in fact follow TLS protocols, which are more secure. Here is a more complex description of the specific systems, if you are very technically savvy. While TLS is more secure, both take advantage of encryption and will keep your data as secure as your typical communications.
(For the record, your thermostat will also communicate with your furnace/air handler, but that is a wired connection that does not communicate with the outside world)
So where do the new smart thermostats stand on their connection protocols? We took a look at the three most common thermostats that we install: ecobee, nest, and Honeywell.
Here is nest’s statement on storing and transferring data. It uses similar protocols to ecobee, by recommending a WPA2 wireless connection and then utilizing TLS to encrypt all data sent to and from nest servers. Nest is owned by Alphabet (the parent company of Google), so you can be assured that their tech department is robust, to say the least. They even have a page where, if you can expose a vulnerability in the thermostat, they will pay you handsomely for reporting it to them (to ensure that you are not paid handsomely by hackers for the information).
Honeywell offers a more open structure for connections: it will allow for an Open Wi-Fi connection, but also supports WEP, WPA, and WPA2 Wi-Fi connections. So make sure that you are taking advantage of these more secure protocols when connecting your Honeywell thermostat.
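An added example (not from the original article or from any thermostat vendor): a small Python check that reads a Wi-Fi scan listing and flags any network that accepts Open, WEP or WPA connections, the weaker modes mentioned above. The `SSID:SECURITY` line format follows `nmcli -t -f SSID,SECURITY device wifi list` and is an assumption, and the scan data is constructed for illustration.

```python
# Added example: flag Wi-Fi networks that accept weak security modes.
# Assumed input: "SSID:SECURITY" lines, as printed by
# `nmcli -t -f SSID,SECURITY device wifi list` (colons in SSIDs escaped as "\:").
import re

# Strength rank per mode token; higher is stronger.
RANK = {"WEP": 1, "WPA": 2, "WPA1": 2, "WPA2": 3, "WPA3": 4}
ADVICE = {
    0: "open network: traffic to the router is not encrypted",
    1: "WEP: obsolete, switch the router to WPA2",
    2: "WPA: legacy mode still accepted, set the router to WPA2 only",
}

# Constructed sample scan (not real networks).
SAMPLE_SCAN = r"""
HomeNet:WPA2
OldRouter:WEP
Mixed:WPA1 WPA2
Cafe\:Guest:
Office:WPA2 802.1X
"""

def weakest_mode(security: str) -> int:
    """Return the rank of the weakest mode a network accepts (0 = open)."""
    ranks = [RANK[t.upper()] for t in security.split() if t.upper() in RANK]
    # An empty or "--" field means no encryption is advertised.
    return min(ranks, default=0)

def audit(scan_text: str) -> dict:
    """Map each SSID to a finding, or 'ok' when only WPA2 or better is accepted."""
    findings = {}
    for line in scan_text.strip().splitlines():
        if not line.strip():
            continue
        # Split on colons that are not backslash-escaped; the last field is SECURITY.
        parts = re.split(r"(?<!\\):", line)
        ssid = ":".join(parts[:-1]).replace("\\:", ":")
        findings[ssid] = ADVICE.get(weakest_mode(parts[-1]), "ok")
    return findings

if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE_SCAN).items():
        print(f"{ssid:12} {finding}")
```

A network in mixed mode is rated by the weakest mode it accepts, because a device such as a thermostat may connect using that mode.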
After doing our due diligence, it appears that smart thermostats do an adequate job of safeguarding your data. There have been no reported data breaches as a result of connected thermostats. There was a recent report of a potential hacking of a smart thermostat by a number of engineers specifically seeking to expose flaws in the infrastructure, but upon close inspection the only data that was exposed was zip code information for users based on weather towers that they were pinging. (If you’re anything like me, you have your zip code right in your Facebook profile anyway)
There is another possibility for your thermostat to pose a security risk to your home. Let’s say you’ve done everything properly with your home network: you have a password protected router, you utilize encrypted data connections between your home’s devices and the router, you restrict your internet use to low-risk sites, etc. Well, what if you install a wireless thermostat and hackers use that device to hack onto your network and then overrun all other devices?
The problem is that, in dealing with these types of modern threats, you have to read sentences like, “There are oftentimes directory traversal vulnerabilities that let you read out kernel memory and dump passwords and things like that”. It’s tough for me to know if that makes it easy or hard to hack my thermostat because you need an advanced degree in Computer Science to understand many of the words in that sentence.
But there are three main possibilities for hacking into your thermostat (based on much more accessible reading that I’ve done.)
- Physical Access. There are multiple stories packaged in scary headlines about hacking into your home through a Nest, but each one requires the hackers to have physical access to the device.
- Downloading Ransomware. Someone recently hacked into an unidentified Wi-Fi thermostat and installed Ransomware (“pay me $300 or I will turn the thermostat to 99 degrees!”) by disguising itself as a picture the user downloaded to use as the background wallpaper on their display.
- Someone near your house running an IP Scan (which finds all devices broadcasting a Wi-Fi signal within a given distance), discovering your Wi-Fi thermostat, entering it remotely (disguised as an admin using the factory password) and then making changes to the thermostat and entering the whole network. Ecobee has an Access Control feature that requires a 4-digit pin created by the homeowner to make any changes, Nest prevents entering the system through IP Ping as part of their programming infrastructure, and Honeywell has no factory set admin passwords, and will have you manually adjust your thermostat to a certain temperature to verify that the access or changes being requested are coming from the homeowner.
I’m sure that there are others. Several were probably developed in the time it took me to write this summary. So it’s impossible to address everything here. But in talking with several people at the major thermostat companies, they are clearly vigilant about staying ahead of the hackers.
The best answer when it comes to keeping your network safe is probably to be sensible in your decision making. Take these simple precautions with your Wi-Fi thermostat:
- Only purchase devices from reliable sources like the manufacturer’s website, or Amazon. Don’t buy an open box thermostat from Craigslist.
- Stick to the defaults on the thermostat as much as possible. Don’t expose yourself to additional risk by downloading pictures of cats or other items from the internet.
Thermostats have come a long way in the last 10 years, as have virtually all items in our homes (smart fridge? I suppose my kids will laugh at me someday for laughing at the thought of it). I can’t believe that I needed to spend this much time trying to understand the various grades of encryption to answer a thoughtful thermostat question. What would Mike Boccacino think of this new HVAC landscape if I could tell him?
At the end of the day, I think the best way to look at these connected devices is with a bit of education and a lot of common sense: develop a basic understanding of the things in our life that are transmitting data and how the data is moving. Make sure you are taking reasonable precautions to ensure that data stays encrypted and you restrict sensitive information to secure networks. We can never be sure that our data will always be 100% secure, but we can make sure that we understand the relative risks and handle them in a common-sense way. As this BBC article points out, hackers are like water: they will always take the fastest, unobstructed way to the bottom. As you introduce speed bumps, they will generally keep moving in search of the easiest available target. The article points out that the easiest way onto your network is through you directly letting them in; that’s why spam is still such a common part of our inbox. PC World offered a nice write-up about simple steps everyone can take to make sure their home stays safe as it gets smarter.
A very fundamental aside.
This discussion relies heavily on encryption. You’ve probably said it before. I have. At cocktail parties. At Wegmans. On the beach (ok, not on the beach). But it is a common part of our lexicon. As confidently as I have used it, though, I was thankful that no one ever said, “That’s neat. Please define encryption.”
Here’s what I would have said: “Oh, well, encryption. Yeah, it’s a process where IT people come up with this encrypting quality to put around your data. Like a shell. A data shell. A hard data shell of security.”
Upon further review, I was almost half right on that. An overwrought egg metaphor was close. Because encryption scrambles your data (get it?!?!). The basic idea, as I understand it, is that you type “Hi Steve.” onto your phone, and then the program’s encryption sends something along the lines of:
…to Steve. When Steve’s device receives all of that gibberish, it has the unique key to unscramble it back into “Hi Steve.” A lot of work to say “Hi” to Steve, but you’ll be glad it’s there when we’re talking about your bank account information.
Want to sound smart? When someone says encryption, say, “Oh, you mean machine cryptography? One of the breakthroughs for the Allies in their quest to defeat the Nazis in World War II? Big fan.”
You’d prefer a compelling series of videos? Check.
A silly game showing a desperately simple version of encryption? Check.
(Links current as of November 2017. I am a lay person that has done research on this subject in order to become more informed of a potential security threat facing the Internet of Things – including thermostats – please don’t rely on my 6 hours of reading and 1 hour of talking to the different thermostat companies as your sole consideration when making decisions about your internet security)