Which? probe uncovers Hive heating app data risk

Thermostat app sending information unencrypted

19 August 2015

We had some privacy concerns about the Hive app

British Gas has updated its Hive Active Heating app after a Which? investigation revealed it was sending out user details unencrypted.

Our probe into smart thermostat systems revealed that the Hive app was sending data that included what times heating was set to go on and off, along with labels such as ‘awake’ and ‘away’, unencrypted - so someone who had tapped into your wi-fi would be able to see what was sent. 

It also showed the distance our user needed to be from her home before she was messaged to ask if she wanted her heating on. 

Hive Active Heating thermostat

Smart thermostat systems such as Hive and Nest are revolutionising how people heat their homes by connecting their heating systems to the internet. However, like any internet-connected ‘smart’ product, there are data risks. For example, your heating schedule can indicate whether you’re home or not, and access to this information could be a burglar’s dream. 

While many wi-fi routers now come with encryption as standard and you can protect yourself further using strong passwords, we don’t think it’s reasonable that the Hive app assumed you have these.

Hive said that while it did not believe there were security risks, it has now encrypted this information. It said data that could pinpoint where someone is in relation to their home was never sent by the app and that information, such as the phone model, is freely sent via commercial browsers. 

However, it acknowledged it wasn’t best practice to expect people to have encrypted wi-fi. As a result of these findings, British Gas said it had immediately changed its app to make it more secure.

Nest and Honeywell smart thermostats

We also looked at the data the Nest thermostat and the Honeywell Evohome were sending and found that the Nest sent the user’s postcode unencrypted, despite the company publicly saying that the data was encrypted.

Nest told us: ‘At Nest we are continually testing our systems against the latest standards and encourage our users and third parties to report such issues to us (through our VRP). In this instance, the Nest App currently checks the weather the exact same way the consumer would if they visited the website directly - providing only a post code. This request does not contain any user identifiable information.’

Nest has since updated the app so that the postcode is encrypted.

We uncovered no problems with Honeywell’s use of data.

Smart thermostats 

Smart thermostats connect to the internet, allowing you to control your heating remotely. Beyond this principle, different models vary hugely – some learn when you want your heating on and off, while others let you set different temperatures in different zones.

As well as the convenience, most smart thermostats also claim to help you reduce your energy use. This could be by enabling you to turn off your heating remotely if you forget or by giving you a better understanding of your energy use.

If you're thinking of buying a smart heating control, find out more about the different features of those available and which one's best for you by visiting our smart heating controls comparison table.
