British Gas has updated its Hive Active Heating app after an investigation by consumer watchdog Which? revealed it was sending out user details unencrypted – making it a ‘burglar’s dream’.

The probe into smart thermostat systems revealed that the Hive app was sending data that included what times heating was set to go on and off, along with labels such as ‘awake’ and ‘away’, unencrypted – so someone who had tapped into a customer’s wi-fi would be able to see what was sent. It also showed the distance the user needed to be from their home before being asked if they wanted their heating on.

Smart thermostat systems such as Hive and Nest are revolutionising how people heat their homes by connecting their heating systems to the internet. However, like any internet-connected ‘smart’ product, there are data risks. For example, your heating schedule can indicate whether you’re home or not, and access to this information could be a burglar’s dream.

While many wi-fi routers now come with encryption as standard and customers can protect themselves using strong passwords, Which? says it was not reasonable that the Hive app assumed all customers would have these.

Hive said that while it did not believe there were security risks, it has now encrypted this information. It said data that could pinpoint where someone is in relation to their home was never sent by the app and that information, such as the phone model, is freely sent via commercial browsers.

However, it acknowledged it wasn’t best practice to expect people to have encrypted wi-fi. As a result of these findings, British Gas said it had immediately changed its app to make it more secure.

Which? also looked at the data the Nest thermostat and the Honeywell Evohome were sending and found that the Nest sent the user’s postcode unencrypted, despite publicly saying that the data was encrypted. Honeywell received a clean bill of health.

Nest said in response: ‘At Nest we are continually testing our systems against the latest standards and encourage our users and third parties to report such issues to us (through our VRP). In this instance, the Nest App currently checks the weather the exact same way the consumer would if they visited the website directly – providing only a post code. This request does not contain any user identifiable information.’

It has since updated the app so that the postcode is encrypted.
