BRITISH GAS HEATING APP COULD RESULT IN A HIVE OF BURGLAR ACTIVITY
British Gas has updated its Hive Active Heating app after an investigation by consumer watchdog Which? revealed it was sending out user details unencrypted – making it a ‘burglar’s dream’.
The probe into smart thermostat systems revealed that the Hive app was sending data that included what times heating was set to go on and off, along with labels such as ‘awake’ and ‘away’, unencrypted – so someone who had tapped into a customer’s wi-fi would be able to see what was sent. It also showed the distance the user needed to be from their home before being asked if they wanted their heating on.
Smart thermostat systems such as Hive and Nest are revolutionising how people heat their homes by connecting their heating systems to the internet. However, like any internet-connected ‘smart’ product, there are data risks. For example, your heating schedule can indicate whether you’re home or not, and access to this information could be a burglar’s dream.
While many wi-fi routers now come with encryption as standard and customers can protect themselves using strong passwords, Which? says it was not reasonable that the Hive app assumed all customers would have these.
Hive said that while it did not believe there were security risks, it has now encrypted this information. It said data that could pinpoint where someone is in relation to their home was never sent by the app and that information, such as the phone model, is freely sent via commercial browsers.
However, it acknowledged it wasn’t best practice to expect people to have encrypted wi-fi. As a result of these findings, British Gas said it had immediately changed its app to make it more secure.
Which? also looked at the data the Nest thermostat and the Honeywell Evohome were sending and found that the Nest sent the user’s postcode unencrypted, despite publicly saying that the data was encrypted. Honeywell received a clean bill of health.
Nest said in response: ‘At Nest we are continually testing our systems against the latest standards and encourage our users and third parties to report such issues to us (through our VRP). In this instance, the Nest App currently checks the weather the exact same way the consumer would if they visited the website directly – providing only a post code. This request does not contain any user identifiable information.’
It has since updated the app so that the postcode is encrypted.