Google officially turned off remote control functionality for early Nest Learning thermostats last month, but that hasn’t stopped it collecting a stream of data from these downgraded devices. After digging into the backend, security researcher Cody Kosimba found that the first and second generation Nest Learning Thermostats are still sending information to Google about manual temperature changes, whether someone is present in the room, if sunlight is hitting the device, and more.
But after cloning Google’s API to create this custom software, they started receiving a bunch of logs from customer devices, which they shut down. “On these devices, while they [Google] Access to control them remotely was closed, they gave up the ability to upload logs to devices. And the logs are quite extensive,” Kosimba explains. The Verge,
Along with preventing users from remotely controlling early Nest Learning thermostats (apart from the European version from 2014), Google turned off the ability for users to check the status of their devices from the Nest or Google Home app, while also blocking security and software updates. Google notes that unsupported devices will “continue to report logs for troubleshooting,” although the data the company is collecting no longer appears to be useful.
According to Kosimba, “Although these logs may contain technical details such as HVAC error status, Google can no longer use that information to assist customers who still rely on these thermostats, as support has been completely discontinued even in cases of device failure.”
Google is still receiving all the information collected by Nest Learning Thermostats, including data measured by their sensors, such as temperature, humidity, ambient light, and motion. Kosimba says, “I was under the impression that the Google connection with the remote functionality would also be severed, however that connection is not severed, rather it is a one-way street.” The Verge Reached out to Google with a request for comment but did not immediately receive a response.
FULU awarded $14,772 to Kosimba and another winner, known as Team Dinosaur, for rolling back smart features in unsupported thermostats.