Started reading this expecting to laugh it off as fearmongering, but left all 
It’s not based on specific vulnerabilities, but it’s not too much of a stretch to imagine they exist.
1 Like
I saw something similar but they talked about AC units.
The Nest thermostat installed base is in the millions and increasing by hundreds of thousands per month. Each one connected to a heat pump with electric backup strips has a 10+kW controllable load attached. Scary potential indeed since the nest platform includes all the location data as well…
1 Like
With access to the thermostat input voltage, which is proportional to the utility voltage, one could even correlate local thermostats to the utility feeder level by associating their input voltages at a sufficiently fast resolution.
1 Like
@pswired, I highly doubt that second part. Transformer variability between furnaces and time resolution of voltage samples would limit.
Given a large enough dataset, one wouldn’t need a consistent voltage ratio between customers. The analysis would only need to correlate changes on the feeder (tap changer / voltage regulator operations) with certain customers. If the voltage on the feeder increases by 5%, it doesn’t matter if the turns ratio on the HVAC transformer is different from customer to customer, they will all see a roughly proportional change at the same time.
Agree that it’s possible this wouldn’t work if the time resolution on samples is really rough. But we only need whole-second resolution for this to work. Even a minute of resolution might work for a tap changer actuation, as these are voltage shifts that only happen a few times per day. Given a long enough data collection period, if the samples are taken randomly, an attacker would eventually have enough data to make educated guesses about feeder correlation.
@pswired,
Looking at time variance of voltage might help reduce dependence on absolute voltages, but transformers are non-linear devices and the biggest variability is not in ratio of windings, but in non-linearity/hysteresis/energy loss. I’ve seen some 24v furnace transformers that are operated in their linear zone and others that are in deep saturation for much of their cycle.
Here I am just thinking this was scary. Leave it to you guys to up the anxiety level.
1 Like
Well, this may be a moot point, because looking closer, the thermostat battery voltage is the only parameter exposed to the user for the gen2 thermostat:
That doesn’t mean the R input voltage isn’t available through means other than the exposed UI in the app. Or that other nest devices such as the protect don’t report input line voltage (without any HVAC transformer to worry about).
Anyway, the input voltage value as seen by the nest thermostat OS is almost certainly an RMS value, so even if the voltage waveform of the HVAC transformer is nonlinear, there should, in my mind, still be an opportunity to correlate customers on the same utility feeder based on events (e.g. tap changer operations) and major voltage swings (e.g. a local sewage pumping station coming online) given enough observation points and sufficient temporal resolution.