Google Nest Thermostats Continue Data Uploads Post-Remote Control Cutoff

Google’s decision to discontinue support for its first and second-generation Nest Learning Thermostats has sparked privacy concerns after a cybersecurity researcher found the devices continue uploading detailed home data to Google’s servers. The discovery emerged as part of a repair bounty challenge organized by FULU, a right-to-repair group, which offered developers the opportunity to restore lost smart features to unsupported Nest models. Security researcher Cody Kociemba, working on the project, inadvertently uncovered a hidden data flow between the thermostats and Google’s servers.

Kociemba, who collaborated with the open-source community to create the No Longer Evil software, which recovers smart functionality for aging Nest models, discovered an unexpected flood of logs from customer devices. This led to a deeper look into how Google continues to collect data even after the remote control features have been disabled. Despite the removal of smart capabilities, the thermostats still transmit a steady stream of sensor data to Google, including temperature readings, usage patterns, and system diagnostics.

Google said in a statement that these logs are used for issue diagnostics and service tracking, and that they are not tied to specific user accounts. However, Kociemba pointed out that since support is fully discontinued, these logs cannot be used to help customers, making the continued data flow puzzling. Google’s statement acknowledged the ongoing data flow and advised users to disconnect their devices from Wi-Fi to stop data uploads.

FULU’s bounty program encouraged developers to build tools that restore functionality to devices abandoned by their makers. Kociemba and another developer, Team Dinosaur, were awarded the top bounty of $14,772 for successfully bringing smart features back to early Nest models. The work highlights how community-driven repair efforts can keep useful devices alive while also shedding light on how companies handle device data long after official support ends.

For users who continue to use unsupported Nest thermostats, there are several steps to enhance privacy. These include checking linked devices in Google settings, using a guest network to keep the thermostat isolated from the main network, or disabling cloud-based features such as remote access and online diagnostics. Additionally, removing outdated Nest entries from Google accounts can help cut down on potential data leaks.

While no service can guarantee complete data removal, data removal services can significantly reduce the amount of personal information available to data brokers, enhancing privacy and security. These services actively monitor and erase personal data from hundreds of websites, providing an added layer of protection for users. The research underscores the importance of understanding what connected devices share, allowing individuals to make informed decisions about what remains on their network.