Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Google has officially turned off the remote control function for Early Nest Learning Thermostats last monthbut it did not stop collecting a stream of data from these downgraded devices. After digging into the backend, security researcher Cody Kociemba found that first- and second-generation Nest Learning Thermostats were still sending information to Google about manual temperature changes, whether a person was present in the room, if sunlight was hitting the device, and more.
But after cloning Google’s API to create this custom software, it started receiving… Large collection of logs from client deviceswhich stopped him. “On these devices, while they (Google) turned off access to control them remotely, they left the ability for the devices to upload logs,” Kosimba says. “And the logs are very extensive.” Edge.
Along with preventing users from remotely controlling early Nest Learning Thermostat devices (as well as the European version from 2014), Google has shut down the ability for users to check the status of their devices from the Nest or Google Home app, while also blocking security and software updates. Google notes Unsupported devices “will continue to report logs to diagnose issues,” although the data the company collects appears to be no longer useful, it said.
“Although these logs can contain technical details such as HVAC error states, Google can no longer use this information to help customers who still rely on these thermostats, as support has been discontinued entirely, even in cases of device failure,” Kosimba said.
Google still gets all of the information collected by Nest Learning Thermostats, including data measured by its own sensors, like temperature, humidity, ambient light, and motion. “I was under the impression that Google’s connection would be broken with the remote job, but that connection has not been broken, instead it is a one-way street,” Kosimba says. Edge I reached out to Google for comment but did not immediately receive a response.
FULU awarded Kociemba and another winner, called Team Dinosaur, a $14,772 reward for returning smart features to unsupported thermostats.