Google’s Nest Thermostats Still Collect Your Data
▼ Summary
– Google disabled remote control features for early Nest Learning Thermostats but continues collecting extensive data from them.
– Security researcher Cody Kociemba discovered these devices still transmit information like temperature changes, occupancy, and ambient light to Google.
– Kociemba developed open-source software to restore smart functionality through FULU’s bounty program for unsupported Nest devices.
– Google’s data collection includes technical logs and sensor readings but can no longer be used to assist customers due to discontinued support.
– FULU awarded Kociemba and Team Dinosaur a $14,772 bounty for successfully returning smart features to the outdated thermostats.
Google continues to gather extensive data from its older Nest Learning Thermostats, even after disabling their remote control features. This ongoing data collection was uncovered by security researcher Cody Kociemba, who found that first- and second-generation models still transmit detailed information to Google. The data includes manual temperature adjustments, occupancy detection, ambient light readings, and other sensor measurements.
Kociemba made this discovery while participating in a bounty program organized by FULU, a right-to-repair advocacy group co-founded by electronics repair specialist and YouTuber Louis Rossmann. The program challenged developers to restore smart functionality to Nest thermostats that Google no longer supports. Kociemba responded by creating the open-source No Longer Evil project.
While cloning Google’s API to build his custom software, Kociemba unexpectedly began receiving extensive log files from customer devices, which he promptly disabled. He explained that although Google removed the ability for users to control these thermostats remotely, the company retained the capability for the devices to upload logs. According to Kociemba, these logs are remarkably comprehensive.
In addition to cutting off remote control for early Nest Learning Thermostats, including the 2014 European edition, Google also disabled status checks via the Nest or Google Home apps and halted security and software updates. Google states that unsupported devices will continue reporting logs for diagnostic purposes, yet the collected data no longer appears to serve a functional benefit for users.
Kociemba points out that while these logs may include technical details like HVAC error states, Google can no longer use this information to assist customers, especially since support has been completely discontinued, even in cases of device failure.
The data transmitted to Google encompasses all information captured by Nest thermostat sensors, covering temperature, humidity, ambient light, and motion detection. Kociemba noted that he initially believed the connection to Google would be severed along with remote functionality, but instead, it remains active as a one-way data stream. Requests for comment from Google were not immediately answered.
FULU awarded Kociemba and another winner, known as Team Dinosaur, a combined bounty of $14,772 for successfully restoring smart features to the unsupported thermostats.
(Source: The Verge)
