Smart thermostats — the kind that connect to your home’s wireless network so that they can be controlled over the Internet — are increasingly popular. But their rapid rate of adoption has far outpaced discussion of the security and privacy risks they pose. Here’s an overview of these privacy challenges, and tips for addressing them.
The biggest privacy threat from smart thermostats is that, by design, they collect information that most people consider private. By tracking when you turn your heat on and off, they provide strong clues as to when you are home. They could also reveal when you are on vacation.
Normally, this information is only available to the thermostat manufacturer and/or your utility company. But hackers or other third parties could potentially access it. That’s especially true if it is logged and stored over a long-term period by the company, or if the company shares the data with other companies.
In addition, WiFi thermostats pose a broader security threat because, if they are hacked (which happens more than you might think), they can give attackers inside access to all of the devices on your home network.
So what can you do to protect yourself from the privacy and security threats of smart thermostats? Precise instructions depend on your particular set up, of course (and we will cover specific devices in future posts). But here are some general tips for keeping your smart thermostat private:
- Review the manufacturer’s logs and privacy policy. We think ecobee‘s privacy statement is the best, generally speaking. It is specific and says the company collects and shares only certain types of information. Nest‘s privacy policy, in contrast, is more ambiguous and mentions collecting things like your utility bills. Those documents very likely contain information (such as your address) that you probably don’t want to be passed around between companies unnecessarily.
- Use an anonymous email address when configuring your device. Most smart thermostats require you to enter an email address when you register. They use this to notify you of events, and sometimes to log in to the device portal. For added privacy, do not use your normal email address when registering your device. Instead, create a separate one exclusively for this purpose.
- Use a dedicated wireless network. Most smart thermostats are designed to connect to your regular wifi network, just like any other device in your home. That means that someone who hacks into the thermostat has instant access to your whole network. To make things more secure, you should create a separate wireless network for your thermostat. One way to do this is to buy a second router. But a more cost-effective solution is to flash your existing router with an open-source firmware like DD-WRT, then create a secondary virtual wireless network.
- Use a VPN router. You can’t install a VPN app on your thermostat. But you can still route the thermostat’s connection through a VPN if you set up a VPN router and connect the thermostat to it. This way, your real IP address and location won’t be visible to anyone tracking data from the thermostat.
Privacy on smart thermostats and other IoT devices is an evolving challenge. But it’s best to start planning now in order to keep these devices — which promise to become increasingly impossible to avoid in modern homes — as secure and private as possible.