Our recent lab tests found that Heatmiser’s SmartStat smart thermostat could be susceptible to ‘man-in-the-middle’ attacks, which would leave your personal data exposed.
We discovered that the Heatmiser SmartStat sent unencrypted data between the app and the smart thermostat. This means that if an attacker could get on the same local network, they’d be able to access your login details, device ID and any programmed schedules.
Although the risk of an attacker gaining access to your network was low, in our view the potential repercussions could be serious. Your weekly heating schedule would show when you’re likely to be out of the house and could be used to plan a break-in.
Updates to the Heatmiser app
We have been in contact with Heatmiser and it has committed to ‘enhance the security of [its] products’. It’s made crucial changes to its app, which are now available to download. After a further test of the update, we are satisfied that this meets our expectations for user privacy.
If you own the Heatmiser SmartStat, make sure you update your app to benefit from the changes.
Heatmiser said: ‘We take the security of our customers’ data and privacy extremely seriously so we welcome the recent findings by Which?.
‘The study by Which? of our SmartStat showed that a man-in-the-middle-type attack was possible from someone on the same network and, while the risk was low, we have taken immediate action to update our SmartStat apps to prevent this type of attack being possible. We would like to thank Which? for working with us to enhance the security of our products.’
Our testing of smart thermostats in 2015 similarly brought up data privacy concerns. We found that, at the time, the Hive Active Heating thermostat also sent unencrypted data across the network. Following our research we contacted British Gas, which made updates to the Hive app that made users’ information more secure.
We will continue to work with companies to address our research findings and help them to make their products as safe and secure as possible.
Which? security testing
It’s not just smart thermostats we screen for data security. Many internet-connected products go through tough security and privacy assessments in our test lab.
You would expect your smart products to keep your information secure, but many leave your data vulnerable to attack. During our assessments we try to find any weaknesses in the product or app, such as poor passwords, unencrypted data or technical vulnerabilities.
Where we find severe or critical issues, we contact the manufacturer involved and work with them to fix the problems.
When we are satisfied that users won’t be put at risk, as with the Heatmiser app, we publish our findings. But when the company involved won’t engage with us, we make consumers aware of the potential security risks in their smart home.
In a separate investigation, we looked at how much of your personal data your smart products are collecting and how this is used.