Question for OP, I get the rest of it, and that connected thermostats can give a company an idea when you are home or not, but is there something else the general population should know about with them?
all these "smart" devices are a potential backdoor to your LAN. They download updates, so at any time the vendor (or someone doing a man-in-the-middle attack pretending to be the vendor) could decide to activate a VPN client on it (or any other form of tunneling) and presto they are into your home.
The very minimal value provided by being able to remotely control your home's temperature does not justify introducing that kind of security risk. Also, these devices are made by companies whose specialty is pumping refrigerant around... they have extremely limited software expertise to put it politely. Not their domain. There is no reason to think they would be well designed to be secure.
Don't put them on your LAN? Mine are on their own VLAN. They can talk to each other, and to the internet.
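Added example, not written by anyone in this thread: a small Python checker over constructed firewall flow records that flags the two things the VLAN setup above is meant to prevent, an IoT-VLAN device reaching the trusted LAN, or an IoT device opening a connection that looks like a tunnel client being switched on. The address ranges, port list and log line format are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing: IoT devices on their own VLAN, trusted LAN separate.
IOT_VLAN = ipaddress.ip_network("10.0.30.0/24")
TRUSTED_LAN = ipaddress.ip_network("10.0.10.0/24")

# Destination ports typical of VPN/tunnel clients (OpenVPN, WireGuard,
# IPsec IKE/NAT-T, SSH). Illustrative list, extend to fit your firewall policy.
TUNNEL_PORTS = {1194, 51820, 500, 4500, 22}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line):
    # Constructed log format: "src=10.0.30.5 dst=1.2.3.4 proto=udp dport=51820"
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


def classify(flow):
    # Only flows originating on the IoT VLAN are of interest here.
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in IOT_VLAN:
        return None
    if dst in TRUSTED_LAN:
        return "iot-to-lan"        # segmentation bypass: should be blocked
    if flow.dport in TUNNEL_PORTS:
        return "tunnel-egress"     # IoT device behaving like a VPN/tunnel client
    return None                    # IoT-to-IoT or ordinary internet traffic


def find_alerts(lines):
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict:
            alerts.append((verdict, flow.src, flow.dst, flow.dport))
    return alerts


# Constructed sample flows: two benign, two that should alert, one LAN-initiated.
SAMPLE_LOG = [
    "src=10.0.30.5 dst=10.0.30.6 proto=tcp dport=80",
    "src=10.0.30.5 dst=203.0.113.10 proto=tcp dport=443",
    "src=10.0.30.7 dst=10.0.10.20 proto=tcp dport=445",
    "src=10.0.30.5 dst=203.0.113.99 proto=udp dport=51820",
    "src=10.0.10.20 dst=10.0.30.5 proto=tcp dport=80",
]
```

Running `find_alerts(SAMPLE_LOG)` reports the SMB attempt into the LAN and the WireGuard-port egress while leaving the IoT-to-IoT and HTTPS flows alone.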
I didn't consider the update vector being used to gain local access. Thanks.