January: it depends where you live, but for many of us, it’s a time of year that makes the news of a bug in our internet-controlled smart thermostats a chilling prospect.
And Nest, maker of the Nest Learning Thermostat, confirmed last week that the Internet of Things (IoT) gadget has been hit by a software glitch that’s resulted in drained batteries, frigid homes, cold feet and crying babies.
The issue was caused by a December software update.
Users started complaining in January, and the misery was first picked up in the media by Nest user and New York Times reporter Nick Bilton.
It’s not just Bilton who was plunged into brrrrrrr.
From Bilton’s account:
The Nest Learning Thermostat is dead to me, literally. Last week, my once-beloved “smart” thermostat suffered from a mysterious software bug that drained its battery and sent our home into a chill in the middle of the night.
Although I had set the thermostat to 70 degrees overnight, my wife and I were woken by a crying baby at 4 a.m. The thermometer in his room read 64 degrees, and the Nest was off.
And from other users:
— Tim Shea (@timothy_shea) January 6, 2016
Tim Shea @timothy_shea
@bbolan1 @nest Mine is offline. Not enough battery (?) I'm traveling. Called nest. Known problem. No resolution. #nest #fail
Nest confirmed the battery drainage problem on Wednesday and sent users to its troubleshooting page:
We're aware that some of our customers have been reporting issues with their Nest's battery getting low. We're currently looking into the issue, and we'll let you know when we have more information.
If [your] Nest Thermostat is experiencing this issue, performing a manual restart should help. We've published a new article about this issue with troubleshooting instructions: What to do if your Nest Thermostat has become slow, unresponsive, or won’t turn on
If you need any additional assistance, please Contact Nest Support, so we can help.
Nest says that the issue affects some devices updated to software version 5.1.3 or later and that recharging and restarting the thermostat should get it working again.
That, however, can be a 9-step process that may involve turning the thermostat off and on again, removing the device and recharging via a USB cable for an hour or so, and monitoring the thermostat’s progress via a mobile phone.
Matt Rogers, the co-founder and vice president for engineering at Nest, told the NYT that the bug took a few weeks to show up:
We had a bug that was introduced in the software update that didn’t show up for about two weeks.
“Things started to heat up” when devices went offline in January, he said, which probably didn’t strike shivering customers as funny: the failure of such a device can have harrowing repercussions for those who are traveling, can’t fiddle with the device and therefore might return home to frozen/busted water pipes. And let’s not forget, extreme cold can harm the elderly and infants.
Nest says that the problem’s now fixed for “99.5%” of users.
The company sent a statement in which it said that the bug is impacting a “small percentage” of Nest thermostat owners. It’s released a software update that it says should improve the problem for the “vast majority” of them.
It’s also planning additional fixes in the coming weeks to further improve performance and says its customer support is available 24/7.
Unfortunately, the Nest glitch points to the inherent danger of becoming overly dependent on a connected device.
Old-school thermostats might not be accessible via your mobile phone, but they sure don’t turn 10 toes up when your network goes down, and there’s no (or at least a lot less) software to get glitched.
It’s bad enough when the heat turns off in freezing temperatures. It could be even worse were such a glitch to affect a “smart” smoke alarm or security camera.
Unfortunately, just as we’re on the brink of an everything-connected future, we’re also just beginning to experience the myriad security issues that all these computer-enabled devices will usher in, be they in fridges, baby monitors, TVs, kettles, cars or light bulbs.
The Internet of Things Security Foundation, whose mission it is to make the IoT secure, has expressed some concern about the security, or lack thereof, of all those Things:
The resultant benefits of a connected society are significant, disruptive and transformational. Yet, along with the opportunity, there are fears and concerns about the security of IoT systems.
In fact, a 2014 study found that seven out of the ten internet-enabled devices tested by HP Security Research were sitting ducks, vulnerable as they were to some form of attack.
HP unearthed a total of 250 vulnerabilities, for an average of 25 invitations to mayhem per gadget, with the worst security holes having to do with:
- Privacy concerns
- Insufficient authorization
- Lack of transport encryption
- Insecure web interface
- Inadequate software protection
To get more specific, we can turn to OWASP (the Open Web Application Security Project), which has a list of the top 10 IoT vulnerabilities.
Those common vulnerabilities include insecure web interfaces, insufficient authentication/authorization, insecure network services, lack of transport encryption, insecure cloud interfaces, insecure mobile intefaces, insufficient security configurability, insecure software/firmware, and poor physical security.
It’s enough to make you want to hole up in your house.