British Gas has updated its Hive Active Heating app after a Which? investigation revealed it was sending out user details unencrypted.
The Which? probe into smart thermostat systems revealed that the Hive app was sending data that included what times heating was set to go on and off, along with labels such as ‘awake’ and ‘away’, unencrypted – so someone who had tapped into your wi-fi would be able to see what was sent.
It also showed the distance their user needed to be from her home before she was messaged to ask if she wanted her heating on.
Hive Active Heating thermostat
Smart thermostat systems such as Hive and Nest are revolutionising how people heat their homes by connecting their heating systems to the internet. However, like any internet-connected ‘smart’ product, there are data risks. For example, your heating schedule can indicate whether you’re home or not, and access to this information could be a burglar’s dream.
While many wi-fi routers now come with encryption as standard and you can protect yourself further using strong passwords, Which? don’t think it’s reasonable that the Hive app assumed you have these.
Hive said that while it did not believe there were security risks, it has now encrypted this information. It said data that could pinpoint where someone is in relation to their home was never sent by the app and that information, such as the phone model, is freely sent via commercial browsers.
However, it acknowledged it wasn’t best practice to expect people to have encrypted wi-fi. As a result of these findings, British Gas said it had immediately changed its app to make it more secure.
Nest and Honeywell smart thermostats
Which? also looked at the data the Nest thermostat and the Honeywell Evohome were sending and found that the Nest sent the user’s postcode unencrypted, despite Nest publicly saying that the data was encrypted.
Nest told Which?: ‘At Nest we are continually testing our systems against the latest standards and encourage our users and third parties to report such issues to us (through our VRP). In this instance, the Nest App currently checks the weather the exact same way the consumer would if they visited the website directly – providing only a post code. This request does not contain any user identifiable information.’
It has since updated the app so that the postcode is encrypted.
Which? uncovered no problems with Honeywell’s use of data.