NEWTON (CBS) — Suzanne Keck keeps her smart thermostat, a Nest, at a constant 70 degrees in her Newton home. It didn’t make sense when she woke up one day last month, she said, shivering. “So I’m clicking on it. They had turned it down to 62.”
WBZ-TV’s I-Team looked into it, and found Keck had inadvertently enrolled in a program that — according to her utility, National Grid — “makes very subtle adjustments to a customer’s temperature setpoints to decrease their heating.”
Keck was surprised. “I didn’t know they’re monitoring my data, watching my habits, let alone reaching into my house and changing it without my permission,” she said. “Everybody beware of your Nest systems and the ‘big brother’ watching.”
For her, it conjured visions of Nest hacking stories.
A couple months ago in Lake Barrington, Ill., a hacker took over a family’s system, including a Nest camera. “I was shocked to hear a deep manly voice talking to my 7-month-old son,” said Arjun Sud. He said a hacker watched and taunted them through the camera’s speaker, even turning the baby’s thermostat to 90 degrees. “It was terrifying.”
According to Google, the parent company of Nest, the family had used a compromised password that was exposed through a breach on another website.
Hacking expert Steve Walker showed the I-Team that it can happen because many people use the same password for different applications, and many choose not to activate Nest’s two-step code verification.
“We can bring up the camera and he has no idea,” said Walker, hacking into a Nest system set up for a demonstration. “I have your password and we’re up on Nest and logging in. I can open up the thermostat and I can crank it up.”
Walker demonstrated another trick. In about 15 minutes, he created an app designed to look like a legitimate tool that customers can use with Nest. “We’d like to set up your home when away,” he said, making the app appear helpful while asking customers for access. If an unsuspecting customer clicks “allow,” Walker showed how he can gain control of the system and even turn off the camera. “It could be a coordinated attack or something.”
Cybersecurity expert Peter Tran said the fine print on Nest’s website discloses exactly what customer data is shared and offers ways people can opt out of sharing more than they want. “Certainly smart devices make life a little bit simpler, but also there are risks,” said Tran. “So know the risk, and know the data that’s going through your device and being shared with your internet service provider, or any third party like a utility.”
Suzanne Keck is now opting out of the program that allowed Nest and National Grid to change her heat settings. “Now that fantasy of the future house with the computer controlling the whole house is really quite a scary concept,” she said.