
Nest adds two-factor authentication to its smart thermostats

07 March 2017


Prevents unapproved logins in event of account compromise


Palo Alto-based startup Nest Labs, which introduced its first Nest Learning Thermostat in 2011 along with a range of other home automation devices before being acquired by Google, has just announced that it is introducing two-factor authentication as an additional security measure to prevent customer security footage from being stolen by thieves.

Two-factor can be enabled through the “Account Security” menu option

Two-factor authentication is a login method where a person is granted access only after presenting several separate pieces of evidence to an authentication system. Most applications and websites do this by asking the user for a login password, followed by a verification code sent via email or text message. Nest will now allow users to open the Nest app on their connected home devices, navigate to Account Security, and enable a new option to activate “2-step verification”.

According to Nest Founder and Chief Product Officer Matt Rogers, the process “takes a minute or two for our customers, but for hackers working from computers all over the world, things get a whole lot harder”. He said: “We all know data security is a moving target. Technology keeps advancing, but so do the people who want to break into your email, your credit card or any other account they can get their hands on. But your home is your safe haven, where private information should stay private.”

Back in January 2016, a group of researchers at Princeton University’s Center for Information Technology Policy discovered that some users’ Nest thermostats leaked zip codes onto the internet. This was based on the coordinates of the company’s weather stations, a bug that has since been patched. Another group of researchers at the University of Central Florida found that they could gain control of Nest’s Linux operating system while the devices were booting up by installing a custom software package through the USB port. While this second method is more of a jailbreak than a firmware security bug, the researchers noted that data sent over the air is encrypted, while data stored on the device is not. They used an ARP tool to trick other devices on the same Wi-Fi network into talking with the compromised Nest using the custom software package.

The security researchers admit that two-factor authentication is one of the best protection mechanisms available for home users who may be more vulnerable to having an unpatched Nest device connected to their network, while enterprise users shouldn’t need to worry about the ARP spoof as most corporate networks have deployed detection software for their IoT networks.

Last modified on 07 March 2017