Turning up the heat on the smart thermostat

Andrei Petrus, 2 years ago 3 min read

A smart thermostat is near the top of many shopping lists of ‘must have’ Internet of Things (IoT) devices for the connected home. They look cool on the wall and help us to be energy-efficient in our homes (which in turn saves us money). They bring convenience to the way we control our environment and fit into the way we manage our lives today, learning our temperature preferences, using motion sensors to detect our presence, and using our smartphone’s location services to know exactly where we are. Continuously. Yes, your smart thermostat probably knows more about you than your best friend does.

As the number of smart thermostats in use goes up, so too does the importance of safeguarding our data and our connected homes.

The smart thermostat goes mainstream

In a short space of time, smart thermostats have become more widely adopted. According to Berg Insight, the M2M/IoT market research provider, in 2016, 2.3 million homes in Europe and 7.8 million in North America had smart thermostats. This is forecast to rise rapidly in the coming years to reach 34.7 million and 43.4 million respectively in 2021. It would seem that the devices’ benefits are starting to strike a chord with consumers; so much so that, in a Deloitte survey, over half (54%) of respondents in the UK strongly agreed or agreed that they would like to be able to control their heating remotely.

A smart thermostat offers all the advantages of a traditional programmable thermostat without most of the programming hassles – and with the added bonus of remote smartphone access. The user may establish basic settings but then, over time, the device can learn the user’s habits and preferred temperature settings so that the house is warm (or cool) when they get home from work. And with easy smartphone access, users can double check that the house is indeed the correct temperature while they are away.

Smart home security

So far, so comfortable, but with that comfort come some risks. The fact that the smart thermostat knows when the user is home or away is a security issue in itself. It probably knows a lot more too, such as how many people are home and the name and password of the home WiFi network; even the precise location of the house.

Unfortunately, we’ve already seen smart devices being hacked and used as a weapon of mass disruption: by combining thousands of devices together, a botnet army succeeded in knocking major sites offline with a Distributed Denial of Service (DDoS) attack, disrupting internet access for millions. It’s only a matter of time before smart thermostats are directly targeted, not just as a platform from which to launch attacks, but for the valuable data on their users’ physical presence. With smart thermostats, it is an open question just how secure or encrypted the data is as it travels between company servers and the home. Is the data stored on the device itself encrypted? Does the device manufacturer keep the data to itself or could it resell it to other companies?

Secure as well as smart?

In 2015, a worrying 44% of 1549 surveyed members from the European Information Systems Audit and Control Association considered it very likely that researchers could hack a thermostat and use this vulnerability to access home data via the WiFi network. What’s more, 39% thought this scenario was somewhat likely.

How right these experts were. In 2016, white hat hackers from Pen Test Partners did indeed hack a smart thermostat, and inserted a warning screen that threatened to shut down the entire system unless a ransom payment was made.

Other researchers have shown how a thermostat can be hacked while booting up. The hacker did require half a minute of physical access to the thermostat to add malicious firmware and reset the device, but once they were in, they could access not only the device system but other smart devices on the network too.

Securing the IoT

A smart thermostat and its online support crew know a lot about the user – perhaps too much. The potential for hacking incidents to occur underlines the importance of security for all connected devices.

While individual device-level security remains a priority, security at the gateway (the router) offers a particularly convenient option. It places no demand on the consumer for IT skills, requires no additional hardware or expertise and is implemented by the internet service provider or router manufacturer, securing the smart home against privacy invasion, smart device hijacking and misuse of private data. Router manufacturers and ISPs can ease the pressure on end-users by bolstering their own security offering in this way and, at the same time, secure themselves a competitive advantage in the race to keep customers safe online.


Andrei Petrus

Andrei is a natural born tech geek and product devotee, who leads Avira's efforts in the IoT & Smart Home spaces. Having joined Avira in 2012 as a product guy, over the years he has fathered multiple products that are enjoyed by 100+ million users across the world. Follow Andrei @AndreiPetrus on Twitter and https://www.linkedin.com/in/andreipetrus/
