Naked Security

Nest smart thermostat glitch leaves cold feet and steaming mad customers

January: when the news of a bug in your internet-controlled smart thermostat is as bitter as the cold winds of the Northern Hemisphere.

January: it depends where you live, but for many of us, it’s a time of year that makes the news of a bug in our internet-controlled smart thermostats a chilling prospect.

And Nest, maker of the Nest Learning Thermostat, confirmed last week that the Internet of Things (IoT) gadget has been hit by a software glitch that’s resulted in drained batteries, frigid homes, cold feet and crying babies.

The issue was caused by a December software update.

Users started complaining in January, and the misery was first picked up in the media by Nest user and New York Times reporter Nick Bilton.

It’s not just Bilton who was plunged into brrrrrrr.

Many other users of the smart thermostat reported the same problem and took to the company’s community forum or social media to vent their frustration.

From Bilton’s account:

The Nest Learning Thermostat is dead to me, literally. Last week, my once-beloved “smart” thermostat suffered from a mysterious software bug that drained its battery and sent our home into a chill in the middle of the night.

Although I had set the thermostat to 70 degrees overnight, my wife and I were woken by a crying baby at 4 a.m. The thermometer in his room read 64 degrees, and the Nest was off.

And from other users:

Tim Shea @timothy_shea
@bbolan1 @nest Mine is offline. Not enough battery (?) I'm traveling. Called nest. Known problem. No resolution. #nest #fail

Nest confirmed the battery drainage problem on Wednesday and sent users to its troubleshooting page:

We're aware that some of our customers have been reporting issues with their Nest's battery getting low. We're currently looking into the issue, and we'll let you know when we have more information.

If [your] Nest Thermostat is experiencing this issue, performing a manual restart should help. We've published a new article about this issue with troubleshooting instructions: What to do if your Nest Thermostat has become slow, unresponsive, or won’t turn on

If you need any additional assistance, please Contact Nest Support, so we can help.

Nest says that the issue affects some devices updated to software version 5.1.3 or later and that recharging and restarting the thermostat should get it working again.

That, however, can be a 9-step process that may involve turning the thermostat off and on again, removing the device and recharging via a USB cable for an hour or so, and monitoring the thermostat’s progress via a mobile phone.

Matt Rogers, the co-founder and vice president for engineering at Nest, told the NYT that the bug took a few weeks to show up:

We had a bug that was introduced in the software update that didn’t show up for about two weeks.

“Things started to heat up” when devices went offline in January, he said, which probably didn’t strike shivering customers as funny: the failure of such a device can have harrowing repercussions for those who are traveling, can’t fiddle with the device and therefore might return home to frozen/busted water pipes. And let’s not forget, extreme cold can harm the elderly and infants.

Nest says that the problem’s now fixed for “99.5%” of users.

The company sent a statement in which it said that the bug is impacting a “small percentage” of Nest thermostat owners. It’s released a software update that it says should improve the problem for the “vast majority” of them.

It’s also planning additional fixes in the coming weeks to further improve performance and says its customer support is available 24/7.

Unfortunately, the Nest glitch points to the inherent danger of becoming overly dependent on a connected device.

Old-school thermostats might not be accessible via your mobile phone, but they sure don’t turn 10 toes up when your network goes down, and there’s no (or at least a lot less) software to get glitched.

It’s bad enough when the heat turns off in freezing temperatures. It could be even worse were such a glitch to affect a “smart” smoke alarm or security camera.

Unfortunately, just as we’re on the brink of an everything-connected future, we’re also just beginning to experience the myriad security issues that all these computer-enabled devices will usher in, be they in fridges, baby monitors, TVs, kettles, cars or light bulbs.

The Internet of Things Security Foundation, whose mission it is to make the IoT secure, has expressed some concern about the security, or lack thereof, of all those Things:

The resultant benefits of a connected society are significant, disruptive and transformational. Yet, along with the opportunity, there are fears and concerns about the security of IoT systems.

In fact, a 2014 study found that seven out of the ten internet-enabled devices tested by HP Security Research were sitting ducks, vulnerable as they were to some form of attack.

HP unearthed a total of 250 vulnerabilities, for an average of 25 invitations to mayhem per gadget, with the worst security holes having to do with:

  • Privacy concerns
  • Insufficient authorization
  • Lack of transport encryption
  • Insecure web interface
  • Inadequate software protection

To get more specific, we can turn to OWASP (the Open Web Application Security Project), which has a list of the top 10 IoT vulnerabilities.

Those common vulnerabilities include insecure web interfaces, insufficient authentication/authorization, insecure network services, lack of transport encryption, insecure cloud interfaces, insecure mobile interfaces, insufficient security configurability, insecure software/firmware, and poor physical security.

It’s enough to make you want to hole up in your house.

Just be careful if you’re barring the door with a smart deadbolt or a smart doorbell: even these devices can be part of the Internet of Busted Things!

Image of Nest Learning Thermostat courtesy of Nest.com

9 Comments

Just to digress from the subject in hand, does Nick Bilton really think that 64 degrees is ‘a chill’? That’s warm where I come from! I don’t even switch on the heating unless it goes below 52; I’d hate to have his heating bills.

I guess if you have bought into the precision promised by a digital thermostat of this sort, 18C instead of 21C (64F instead of 70F) is a big deal simply because it’s different from what was selected.

The temperate South of England is weird about household heating: as far as I can see, many people deliberately dial in winter indoor temperatures that are above where they’d set the aircon for cooling in summer if they had aircon. (Or summer, but you get my point.) Maybe there is the same school of thought in some of the mild and temperate parts of the US? If 20C is hot and 0C is cold, I guess you get excited about every degree in between :-)

If you have an infant and follow the pediatrician’s advice about no blanket until 12 months, 64 is chill, and the thermostat with dead battery wasn’t going to come back on at a lower temperature.

I can’t get over the fact that one of the commenters above sets a night time temperature of 70F and thinks that 64F is far too cold. My house is rarely heated as high as 70F during the day, let alone at night.

What could possibly go wrong when you entrust “things” (that are connected to the Internet) to control other things! To be fair we are just at the dawn of the IoT era, and there will be problems, the lack of Internet security being the most prominent. A major appliance manufacturer announced last week at CES that a new model kitchen range will communicate with your Nest thermostat, which will send you an alert if the stove is on and the Nest determines you are “Away.” Based on Lisa’s article, you might want to check our stove when you leave your house if you own a Nest thermometer.

I don’t appreciate the doomsday tone of this article. Google of all IoT devices has a very secure model, at least in comparison. I also don’t think a glitch or failure in a Nest thermostat is any less acceptable than 99% of the thermostats on the market are capable of, which are almost all digital at this point.
On the other hand, welcome to the world of home automation, Google. You think people get ticked when their phone or browser doesn’t work correctly? Try when you blow cold air on cold people or fail to message them when their wine cellar heats up or when you get locked out of their house.

I didn’t see any “doomsday” in there. I think the tone is pretty well-defined by this bit:

“Unfortunately, the Nest glitch points to the inherent danger of becoming overly dependent on a connected device. Old-school thermostats might not be accessible via your mobile phone, but they sure don’t turn 10 toes up when your network goes down, and there’s no (or at least a lot less) software to get glitched.”
