Nest leaks location, ST seems to be OK security-wise

I thought most companies fixed the unencrypted data transmission issues a year or so ago?

Anyway, they don’t report any security issues with ST, at least none listed in this story.

The report

https://freedom-to-tinker.com/blog/feamster/who-will-secure-the-internet-of-things/


Oh no, someone could have found out my zip code! Honestly they could have probably geo-located better with IP address.

It was a bug that was caused by the Nest calling the weather api over an insecure connection. Overall a minor leak. It is really how companies handle cases, Nest patched it quickly while other companies will sit on it for months.

Yeah, I didn’t think it was much to get excited about. Oh, someone in my zip code has a Nest.

I think the fact that it’s Google owned is what made it stand out.

ST really needs to have 2FA. The data that ST has is pretty sensitive (knowing when you're home, being able to disable alarms, knowing home usage patterns, cameras, etc.). I know that ST has quite a few stability issues at the moment, but I think 2FA should be a higher priority.

I’m really surprised that Nest doesn’t have 2FA either.


Assume you mean requiring two-factor authentication when we access the Web UI. Agree, 100%.

Won’t necessarily help in the instance of unencrypted data transmission, though.

The problem with two-factor authentication is that my phone is my key generator, which also has the app to control my house and see the status, etc.

There is no default web application to control SmartThings.

True…However, anyone with a smartphone can download the ST App for free and log in as you with their own phone (assuming they know your login credentials.)

In that case, 2FA would resolve that issue.


True, but a simple text/access code would suffice in that case, since it is a rare event to install an app and authenticate. You could argue that is 2FA, but when I think of 2FA I think of the rolling key systems like Google Authenticator.

I wish they did have a PIN that they would require to enter for certain events. A PIN is not 2FA, but does add another layer.

Or authentication like OnHub.

You have to hold your phone over the router and it emits a tone.

The ST hub doesn’t have the tone, but I bet it could do a network test to ensure the mobile device is on the same network the first time it connects.

But yeah, two-factor, like Dropbox and Dashlane, would help.

But to be blunt, I’d rather have consistent performance before adding on complexity. I don’t consider this the highest priority for the developers right now.


I’m late to this party, but yes, 2FA should be a very high priority. I don’t even want to describe the worst case scenarios in public.

Even a mundane snafu could get blown into a PR nightmare. If no one else, at least the comms people ought to be worrying about this.