I never realized how useful a Wi-Fi thermostat can be.

They are the greatest thing since sliced bread!

I have one in my house and two at my church. The neat thing is that we can leave the church at 85F in summer and 50F in winter, but when someone is going there for some event like choir practice I can whip out my iPhone and turn up the heat for them an hour before they get there, without leaving my home.

I was displeased to hear that Honeywell decided to discontinue their Apple Watch app efforts. That was going to be the pinnacle of my thermostat world, being able to lift my wrist and quickly tweak the temperature.

No idea about security. These devices phone home to the mother ship on a very regular basis. I assume that’s so you don’t have to poke a hole in your firewall to allow your iPhone app to talk to your thermostat–the app talks to the vendor’s server, and the thermostat eventually polls the server for updates.

Their servers must be busy with all of those pings from all of their customers.

Yeah, security is one of the reasons I’d be leery about getting one of these things. I’ve worked on security features and I know that implementing good security is REALLY hard. It’s completely different from any other type of software engineering. The fact that the device has a password is irrelevant; there could be any number of backdoors, protocol bugs, unsecured “administrative” access holes, etc. I would not trust a system to have adequate security unless it was developed by a company whose main business is software, and even then I wouldn’t be surprised to learn of a hole.

Yep.

Slashdot regularly posts articles on the latest wave of IoT security problems. This includes WiFi thermostats.

Sure, there’s your password and all that, but these idiot companies leave open other access methods all the bleeping time. It is astonishing. To presume that your access method being secure implies that all access is secure is extremely naive.

The thing with a WiFi thermostat is that an attacker can do rapid and/or extreme cycling which can be hard on the HVAC system. Esp. the AC.

If you live in a very cold climate and are gone for a trip, the attacker can turn the heat off entirely and stuff freezes in your house. E.g., water pipes. Then turn on the heat, the water melts, the pipes leak and you come home to a mess.

And that’s just a primary attack. One thing they love about IoT devices is that it gives them access to your local network, and from there they can put malware on your computers.

There’s always a race between the companies and the attackers. A new hole is discovered, it starts getting exploited, an update is rolled out and the hole is patched.

But IoT makers are loath to do updates. Once you bought it, that’s it. So if Yet Another Hole is found, there will be no patch. It’s there until you replace the device. And “fixing” a hole by hardware replacement is not as cheap or easy as software replacement.

From a security tech point of view: you should assume at some point someone will access it and do something bad. Hoping otherwise is foolish.

I understand any device on the internet can be hacked.

I considered the risk vs usefulness before upgrading my thermostat.

I wouldn’t install any Wi-Fi camera. The risk of being monitored by a hacker is beyond my comfort level.

It’s frustrating that we have to make these choices as new tech products become available.