Google officially turned off remote control functionality for early Nest Learning Thermostats last month, but it hasn’t stopped collecting a stream of data from these downgraded devices. After digging into the backend, security researcher Cody Kociemba found that the first- and second-generation Nest Learning Thermostats are still sending Google information about manual temperature changes, whether a person is present in the room, if sunlight is hitting the device, and more.
But after cloning Google’s API to create this custom software, he started receiving a trove of logs from customer devices, which he turned off. “On these devices, while they [Google] turned off access to remotely control them, they did leave in the ability for the devices to upload logs. And the logs are pretty extensive,” Kociemba tells The Verge.
Along with preventing users from remotely controlling early Nest Learning Thermostats (in addition to the European version from 2014), Google turned off the ability for users to check the status of their devices from the Nest or Google Home app, while also blocking security and software updates. Google notes that the unsupported devices “will continue to report logs for issue diagnostics,” though the data the company is collecting no longer appears to be useful.
“Although these logs can contain technical details such as HVAC error states, Google can no longer use that information to assist the customers who still depend on these thermostats, since support has been fully discontinued, even in cases of device failure,” according to Kociemba.
Google is still getting all the information collected by Nest Learning Thermostats, including data measured by their sensors, such as temperature, humidity, ambient light, and motion. “I was under the impression that the Google connection would be severed along with the remote functionality, however that connection is not severed, and instead is a one-way street,” Kociemba says. The Verge reached out to Google with a request for comment but didn’t immediately hear back.
FULU awarded Kociemba and another winner, who goes by the name of Team Dinosaur, with the $14,772 bounty for bringing smart features back to the unsupported thermostats.
