Security and the Smart Thermostat: Prepare for Customer ...

Walking to a thermostat to change a setpoint may be going the way of rolling down car windows, writing checks at the grocery store, and getting up to change the TV channel. However, the path to temperature control through smart thermostat technology is more involved than many customers realize.

A few customers, though, will understand that smart thermostats are another example of modern convenience entailing some degree of added vulnerability, and they may have questions or concerns. Internet research can answer some of their questions, but the customer could direct any remaining issues to the person who is possibly the only other in-person participant in the customer’s experience: the technician doing the installation.

For that reason, contractors may be well served to prepare technicians for those conversations. That preparation might not make or break a sale already into the installation stage, but it may ease a few additional sales, and it can cement a customer’s perception of the contractor as knowledgeable, up to date, and in touch with consumer concerns.

Hacks Are Rare, but They Hurt

The thermostat may be just a room away, but the user’s command often leaves the phone, hops onto the local Wi-Fi, travels out and across the internet hundreds of miles to a manufacturer’s server, and then loops back through the local Wi-Fi to the thermostat, all fast enough to not raise an eyebrow (or a posterior).

Bringing the internet into that task opens the door to risks that are rare but real. In 2019, a hacker infiltrated a smart home setup of a Wisconsin household in an incident that attracted national attention. In what amounted to a cyber-home invasion, the intruder harassed the homeowners with audio through their camera, loud music through associated speakers, and high temperature settings via the connected thermostat.

The latest smart products highlight the ability to tell if the customer is home or away in order to adjust temperature settings to efficiently align with their habits. That is a potential tool for tracking whereabouts or determining a home’s status in the hands of someone with criminal intent.

The stakes are different for commercial applications. A few years ago, someone gained access to a casino’s data, network, and customer info by exploiting a sensor that monitored conditions in one of the casino’s fish tanks. Any item in a Wi-Fi network connected to the internet is an asset but also a potential liability if it represents a weak link for security, and it only takes one to get in the door.

Making A (Privacy) Statement

Just as IAQ has increased its profile in the age of COVID-19, this kind of privacy concern may see an uptick in consumer awareness in an era where use of personal online data has made headlines as a battleground for ethics and national policy.

“At Google, we are huge advocates for consumer privacy and allowing customers to make a conscious decision around the information they are willing to share,” said Google’s Gene LaNois. LaNois is the company’s head of professional industry partnerships and a resource on topics like the Nest thermostat. Out of several manufacturers contacted to submit comment for this story, Google was the only respondent.

LaNois emphasized that privacy “is not a fine print thing for us,” but rather a core part of his team’s mindset.

“At the same time, we want to make the HVAC contractor that has done business with that consumer the point of least resistance at any time of need for the consumer.”

To that end, Google and others in the thermostat market can get out in front of questions and make a good impression on web-researching homeowners by posting their privacy policies upfront.

Google’s privacy page for Nest products and services includes, among other things, its transparency pledge and a clear list of what data a product like Nest Learning Thermostat collects.

Ecobee posts another example of a privacy statement. It explains what types of environmental data its devices may collect and for what purposes. Uses can range from direct tasks like adjusting settings for efficiency to indirect features like aggregating usage in similar homes to provide benchmarks and comparisons that homeowners may appreciate.

When using these products, there is also the matter of basic personal info commonly referred to as account data. Companies should be clear about consumer choices for how that is used, where choices exist, and how they can manage that. All in all, LaNois noted, “I would just say that we are big fans of consumer ‘opting in’ for sharing necessary information.”

Contractors should be ready to explain the extent — or the limit — of what they are able to see if a customer signs on for remote monitoring and/or automatic alerts sent to that contractor.

Life Without Wi-Fi?

A contractor may occasionally encounter a customer who wants an upgrade from an old thermostat but who does not want to increase their home network’s exposure to any internet-related risks.

TWO FACTORS: Two-factor authentication and strong requirements from manufacturers can each contribute to security for consumers using home networks including devices like smart thermostats. (Courtesy of Psyomjesus, CC-BY-SA-4.0)

At Skyler.tech, for example, Skyler Sadlier wrote a blog post about what he calls a “privacy-focused thermostat” option for users who want home automation without getting into the cloud.

Similarly, the Home Rider Systems website devoted a post to “how to create a smart home without the internet.”

That might sound counterintuitive to many, but it isn’t. One alternative home automation method involves Z-Wave technology. A variety of brands (including Trane, Honeywell Home, and less familiar names) make thermostats that are Z-Wave compatible.

For privacy-minded customers, the appeal of Z-Wave is that it facilitates a home automation network while bypassing Wi-Fi altogether. Like devices using the ZigBee protocol, Z-Wave coordinates a mesh network where devices work together to pass data around the group as needed instead of all devices relying on something like an internet router as a central pass-through.

Consumer Self-Defense

Contractors can also prove their value by being ready to diplomatically explain to customers that they are their own best protection against any sort of rare network intrusion.

In the case of the Wisconsin couple, a Google spokesman emphasized at the time that using two-step verification can eliminate that type of threat. Of course, consumers are more used to that now than a few years ago, but they have different levels of patience for administering “extra” levels of security.

At the Information Science department of the University of North Texas, Hsia-Ching Chang explored “Security and Privacy Issues with Smart Thermostats — A First Look.”

In that paper, one of the author’s conclusions is that “IoT devices should not be allowed to connect to less secure wireless infrastructure. The amount of data that can be stolen and the damage that can be caused by compromising the wireless network, hence gaining access to confidential information, is not worth the risk.”

Most consumers will probably not adopt that level of vigilance as a default. The HVAC contractor can take the opportunity to at least offer some basic info intended not to frighten anyone away from the benefits but to help customers make decisions they will be comfortable with.

Hsia-Ching Chang also noted that different manufacturers may have different password requirements for customers setting up their access and accounts. Number of characters, type of characters, and password re-use are all things that consumers are used to navigating by now.

Everyone likes simple and easy, but those factors can play a real role in protecting appliances like a smart thermostat and a network. This conflict between ease of use and protection may provide the chance to mention resources whose value extends beyond HVAC, such as online password managers. These tools can generate secure passwords for individual apps or websites while letting the consumer avoid the hassle of retyping complicated combinations.

Stay Positive

Giving adequate attention to security does not need to scare anyone away from the benefits that modern smart thermostats can offer. For one thing, maintaining good security and user privacy is in the best interest of the manufacturers as well as consumers.

In addition, smart thermostat security is only an issue because the devices can deliver significant convenience. Smart thermostats are popular for some good reasons, as even the section titles of the earlier Home Rider Systems article illustrate:

“How Smart Home Devices Increase Property Value”;

“Increase comfort and convenience”; and

“Reduce energy consumption and costs.”

Smart thermostat and home automation conveniences continue to accumulate for consumers. Making the effort to understand the privacy and security particulars of the specific items they sell and service can make sure the upside keeps growing for contractors, too.