One of Arizona’s largest utilities is encouraging customers to purchase smart thermostats that researchers say are vulnerable to hackers.
The Salt River Project, which supplies water and power to more than 1 million people, is offering rebates and a bill credit to customers who buy these devices to control energy use. But security researchers and the FBI have raised red flags over the products.
An SRP spokesman said the utility offers rebates on a variety of devices, but that the thermostats available in the marketplace on SRP’s website are managed by a third party.
“SRP has not been in communication with these companies about the recently publicized cyber security concerns,” spokesman Jeff Lane told the Arizona Mirror.
Smart thermostats have become popular with consumers and utilities alike as they can help reduce bills by regulating power usage during peak hours or when you’re not home. They do this by learning your habits and helping you find ways to reduce your energy consumption. However, they often carry a hefty price tag.
“Our intention is to help our customers save energy and money through special discounts and rebates on more than 200 energy-efficient and water-saving products,” Lane said.
The thermostats get the “smart” moniker because they connect to the internet and to other devices. Devices of this type are often referred to as Internet of Things, or IoT, devices.
The two main smart thermostats sold on SRP’s website with known vulnerabilities are the Nest, which was acquired by Google in 2014 for $3.2 billion, and the EcoBee.
“[T]he complexity of the infrastructure in the Nest Thermostat provides a breeding ground for security vulnerabilities similar to those found in other computer systems,” according to researchers at the University of Central Florida.
Once these researchers had compromised a Nest thermostat, they found it could be used to “act as a beachhead to attack other nodes within the local network.”
One of the devices that could be within that network is a smart meter, like those used by SRP and other utilities.
SRP dismissed concerns that the devices could be used to infiltrate or harm smart meters, stating that the thermostats communicate over WiFi, which the meters do not use. Researchers have found, however, that such separation does not always hold in practice. Researchers at the College of William & Mary in Virginia reached findings similar to those in Florida.
“[E]merging platforms may fail to provide even bare-minimum security by allowing apps to arbitrarily add/remove other apps from the user’s smart home,” according to their study.
In an April email to users, Nest denied reports of security breaches and blamed unnamed third parties.
Nest did not respond to the Arizona Mirror’s request for comment.
EcoBee has not made a public statement on security issues discovered by researchers and also did not respond to a request for comment.
What did the researchers find?
Smart devices have been an easy target of security researchers and hackers alike.
Doorbells and even “smart” locks have been found to be easily manipulated because of lax security measures or loopholes.
In December, a San Francisco TV station reported that a couple in California heard a voice over their Nest baby monitor camera threatening to kidnap their child. In January, another couple in California told the San Jose Mercury News that their Nest camera began blaring warnings of a nuclear attack by North Korea. In both cases, Nest said the accounts had been accessed using passwords exposed in data breaches at other sites.
Thermostats are a fairly new target.
In January, a family in Illinois who had outfitted their entire house with a variety of Nest devices found their home under siege. A deep voice came over their speakers and their thermostat was cranked to 90 degrees.
The homeowner told reporters that he was unaware of additional security measures he could have taken, such as two-factor authentication. Two-factor authentication requires a second confirmation of each log-in in addition to the password, such as a code delivered by phone call, text message or an alternate email address, so a password alone, even one leaked elsewhere, is not enough to get in.
The homeowner told local media that it became a “blame game” with Google and Nest blaming him and washing their hands of the situation.
All of this has led many researchers to look into the vulnerability of these types of products, particularly Nest.
“A Nest Thermostat, as demonstrated, may easily be compromised during transport, deployment, or by an attacker having access to it on a non-secure location,” Florida researchers said in a 2018 paper that demonstrated how they were able to hack into a Nest thermostat and gain control of its systems.
“Suddenly, what was once a learning thermostat has been transformed into a spy that can not only report on the routines of the inhabitants of a certain home or office, but also on their cyber activities and provide a backdoor to their local network which could go unnoticed,” according to the paper.
The issues with lax security extend beyond the thermostats SRP is offering rebates on.
One of the main radio protocols used by the majority of smart meters has been found by researchers on multiple occasions to be so insecure that, with a $30 software-defined radio receiver and some technical know-how, you can see not only your own water or electricity consumption but that of others: the meters broadcast their readings in the clear, with no encryption, to anyone listening within radio range.
“Ironically, the hardest part wasn’t snooping on everyone’s power and water usage patterns in the neighborhood, it was trying to figure out which meter was his,” a report by Hackaday says regarding a hacker who was curious about the smart meters in his area.