Researcher discovers security flaw in Netatmo weather station

Updated: This story was updated on Feb. 17 to note that as of Feb. 15 Netatmo had updated its process to fix this security flaw.

The Netatmo weather station, a popular and beautiful connected weather station, apparently sends your Wi-Fi password as well as other device and network information over the internet in an unencrypted format. Johannes Ullrich, CTO at the SANS Internet Storm Center in Jacksonville, Florida, posted a blog on Thursday documenting the device’s lack of security. He was pretty mild-mannered about the lapse, pointing out that the transmission of his credentials only happened at setup and wasn’t repeated when he restarted the device, explaining:

So what happened? After looking at the full capture of the data, I found that indeed the weather station sent my password to “the cloud”, along with some other data. The data include the weather station’s MAC address, the SSID of the WiFi network, and some hex encoded snippets.

Not only should data like this not be transmitted “in the clear”, but in addition, there is no need for Netatmo to know the WPA password for my network.

After reporting the bug to Netatmo, the company responded, acknowledging that it does indeed dump all that data from the weather station’s memory unencrypted and that it would stop doing that in the coming weeks. I also reached out to Netatmo to understand the issue and why it chose to do this.
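A defender-side check for the kind of exposure described above, added here as an example and not code from the article or from Netatmo: given the bytes a device sent during onboarding (captured, say, on the home router) and the Wi-Fi credentials that were typed in, it reports whether those secrets appear in the capture verbatim or under a few trivial encodings such as the hex snippets Ullrich saw. The sample payloads and credentials are constructed.

```python
"""Check a captured device-setup exchange for credentials sent in the clear.

Added example, not from the original article or from Netatmo. Assumes you
already have the raw bytes the device transmitted during onboarding and
know the Wi-Fi credentials you entered. All payloads below are constructed.
"""
import base64
import binascii
import urllib.parse

# Transformations under which a "lightly obfuscated" credential commonly
# shows up. Each maps the secret to the byte string to look for.
ENCODINGS = {
    "plain": lambda s: s,
    "hex-lower": lambda s: binascii.hexlify(s),
    "hex-upper": lambda s: binascii.hexlify(s).upper(),
    "base64": lambda s: base64.b64encode(s),
    "url": lambda s: urllib.parse.quote(s, safe="").encode(),
}

MIN_SECRET_LEN = 4  # very short secrets would match by chance; skip them


def find_credential_exposure(capture, secrets):
    """Return (secret_name, encoding, offset) for every occurrence of a
    known secret in `capture` under one of ENCODINGS.

    capture: bytes the device sent during setup
    secrets: dict mapping a label such as "psk" to the secret as bytes

    Limitation: a base64 match only works when the secret is encoded on
    its own; a secret embedded in a larger base64 blob may not align.
    """
    findings = []
    for name, secret in secrets.items():
        if len(secret) < MIN_SECRET_LEN:
            continue
        for enc_name, encode in ENCODINGS.items():
            needle = encode(secret)
            if enc_name != "plain" and needle == secret:
                continue  # encoding is a no-op for this value; "plain" covers it
            start = 0
            while True:
                idx = capture.find(needle, start)
                if idx < 0:
                    break
                findings.append((name, enc_name, idx))
                start = idx + 1
    return findings


def summarize(capture, secrets):
    """Group findings by secret: {"psk": ["plain", "hex-lower"], ...}."""
    out = {}
    for name, enc_name, _ in find_credential_exposure(capture, secrets):
        encodings = out.setdefault(name, [])
        if enc_name not in encodings:
            encodings.append(enc_name)
    return out


# Constructed credentials the user typed into the setup app.
SECRETS = {"ssid": b"HomeNet-5G", "psk": b"CorrectHorse42"}

# Constructed capture: a setup POST that carries the MAC (a locally
# administered placeholder), the SSID and the PSK verbatim, plus a hex
# copy of the PSK in an opaque-looking field.
LEAKY_SETUP = (
    b"POST /setup HTTP/1.1\r\nHost: setup.example.invalid\r\n\r\n"
    b"mac=02:00:00:00:00:01&ssid=HomeNet-5G&psk=CorrectHorse42"
    b"&blob=" + binascii.hexlify(b"CorrectHorse42")
)

# Constructed capture: what an encrypted session looks like to this check,
# namely bytes with nothing recognisable in them.
OPAQUE_SETUP = bytes(range(256)) * 4

if __name__ == "__main__":
    for label, capture in (("leaky", LEAKY_SETUP), ("opaque", OPAQUE_SETUP)):
        print(label, summarize(capture, SECRETS) or "no known secret found")
```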

And while I doubt that most people should worry that some nefarious actor is outside their home with a Wi-Fi sniffer at the exact moment they are setting up their Netatmo weather station for the first time, this does drive home two linked issues I’ve covered this week: we don’t have a set of best practices for security when it comes to connected devices, and many connected devices for the consumer market are hitting shelves before they are really ready for the mainstream. This means these devices are missing features, maybe a bit buggy or just not security hardened.

My bet is that when device makers send out these “beta” pieces of hardware home with normal consumers trusting that a few software updates will fix any problems down the road, they will ultimately alienate the customer and even turn them off from the smart home. After all, when a consumer reads about how her home Wi-Fi network may have been compromised, even if it were only for an instant because of some issue that will get a fix “in a few weeks,” that doesn’t exactly inspire confidence.

Want to attract the average consumer? Skip the hardware preview

For the last two years I’ve been reviewing connected devices as part of my role as Gigaom’s internet of things reporter. I’ve spent hours fiddling with radio networks, sliced my fingers open attaching wireless hubs to my garage door opener, giggled with my daughter while weighing out sugar on a connected scale, and generally had a good time. I’ve even had a few adventures in home wiring and the occasional shock.

But of the dozens of products I’ve tested, only a few have actually been ready for the market when they’ve reached my hands. In a few cases this is to be expected: some were Kickstarter-backed projects that were shipping to the developers and reviewers at the same time and some were hitting my doorstep a month in advance of their availability in stores.

But others were shipping to the general backers or worse, in stores as I was testing my own versions of the products. And they just weren’t ready.

After two years of this, I think it’s time the market and its participants stop shipping products that aren’t up to snuff. Because as more people start picking up these devices and trying to see what the smart home is all about, a bad experience with an underperforming or buggy product is going to turn them off from the whole concept.

Sometimes, it’s worth the wait

Take for example, the Wink home hub from Quirky. This product launched in July with major backing from Wink and Home Depot. My guess is the companies involved felt the pressure to get into the market quickly since there were already several players ranging from small (SmartThings, Revolv) to big (Staples Connect and Lowes Iris) that had been selling for months and even years in the case of Lowes.

But when Wink launched, it was buggy, lacking support for basic devices that it shared radios and aisle space with, and consumers who picked it up were pretty frustrated. Luckily, it was cheap, and Wink had the cash to keep it in the market and manage its retailers’ frustration with returns — a luxury smaller startups don’t generally have. But still, any customer who decided to take a chance on Wink to see what the fuss was about wasn’t likely to walk away thrilled with the smart home experience.

Wink wasn’t ready for market. But what about LIFX, the $99 connected light bulbs that change color and connect via Wi-Fi? The bulbs were pricey, but since Philips Hue had primed the market, others were coming in with newer variations, and LIFX was winning accolades. But in July, after a few of my friends had picked up the bulbs, an English hacking firm reported that the bulbs exposed users to a significant security flaw by letting people hack into users’ Wi-Fi networks. Not only that, LIFX stored users’ Wi-Fi passwords all in one database. Both problems were quickly solved, but the exploit and the database setup exposed some basic flaws in how LIFX had handled security and notifications. Simply put, it wasn’t ready.

Take it on faith

My final beef with products that aren’t ready concerns those companies that are pitching some type of algorithm as part of their value, but the algorithm isn’t quite trained on enough data yet. Much like the vaporware of the 1990s, I think of these products as faithware, as in we just have to have faith that they’ll work well and do what we want them to do. Algorithms aren’t magic. They have to be trained and even the act of training them introduces biases that mean it may not work in the way we want it to.

If something has a learning algorithm that assumes you love things one way (sleeping at night, for example) and you don’t live that way, it’s not going to make your life easier. So products like the Canary home security system (which is on sale now and will ship in March) that offer an algorithm that will arrive eventually worry me. If learning is a big reason you are buying a product, then make sure that’s a feature that exists straight out of the box when you buy it rather than down the road, because ideally you’ll want to train it within your return window for that item.

The home is a shared environment

This may sound harsh. I know that all of these companies are after a first mover advantage and everybody is out there right now popping a Wi-Fi or Bluetooth module on an everyday object and building an app for it. But hardware is not software. There’s only so much iteration a consumer is willing to take when it comes to a functional object that she plans to install in her home. Especially an object that will be used by everyone in that home.

Nest and Philips Hue both were consumer ready products.

It’s fine when your app crashes; at worst, you reboot and move on. But when you spend $250 on a connected door lock that your husband was a bit dubious about in the first place, and he comes home with his arms full of groceries and gets stuck on the doorstep because the lock didn’t open, you can’t tell him to reboot. That lock is going to get returned. And my bet is your mission to connect your home just got set back by a few years.

As I’ve been playing with devices I’ve expected the quality to get better over time. And while I think there has been a slight uptick in overall quality — devices coming out of the PCH incubator, for example, tend to arrive consumer-ready (although without as great support for Android devices) — I’m still surprised at the overall uneven quality of the products that are shipping to consumers. Maybe some of the entrepreneurs who participated in the “how we built it” campaign at our Structure Connect event last year can offer a lesson or two.

Please, guys. I love hardware and I love connected devices. But the mainstream consumer isn’t going to love anything that they have to spend hours troubleshooting. Or that they have to worry about from a security standpoint. We may love playing with our connected outlets and sensors, but trust me, everyone else wants to just set them and forget them.

You have to release products that let them do that. Until you can, keep them to yourselves.

Nest tweaks its energy reports to include Nest Protect data

Nest users who look forward to their monthly emails are in for a change. Starting today they will get Home Reports instead of Energy Reports, and if they have a Nest Protect, they’ll see safety and usage data from the Protect smoke detector or smoke detectors in their home.

The new information will include details on the status of the Nest Protect in the home: battery levels, connectivity and sensor status. Fire and safety tips will join the energy savings tips that thermostat users will be familiar with, along with a recap of the entire month’s energy usage history. Currently Nest users can get that history on their apps going back 10 days, but now they can click through on the email to see the full month’s worth of data.

That will actually be nice if you can export it, because then you might be able to use that data in more places outside the Nest universe. I can think of several places I’d like to use my HVAC usage data, especially since I can download my utility usage from my power company each evening. So my next question: when will Nest start adding Dropcam data to these reports, and what might that look like?

Worried about smart TVs listening in? Welcome to the smart home

The last weekend saw a fair amount of freaking out over the privacy policy associated with Samsung’s smart TVs, which warns customers that “if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition.”

Well, yeah: that’s how cloud-based speech recognition works. You say stuff and it goes off to a powerful computer somewhere for voice-to-text translation and interpretation. The issue here is of course the idea of Samsung’s TV listening in all the time – if chatter is being constantly monitored and parsed, that isn’t just reminiscent of 1984; it’s pretty much described in Orwell’s book.

I’ll come back to that issue in a moment — spoiler: I suspect the fears are overblown — but first it’s worth mentioning the wider picture. With quite superb timing, on Monday the EU Agency for Network and Information Security (ENISA) issued a report about the security of the smart home. In the agency’s view, smart TVs will likely act as the main interface for this nascent concept, which introduces dozens of potential threats.

Sensors everywhere

The smart home is all about sensors – cameras, temperature sensors, motion sensors, humidity sensors, and of course microphones. They will probably come from a variety of manufacturers, because the cost of making a device connected is quite low, but ENISA reckons that the smart TV will become the coordinating hub.

This is debatable — there’s also the smartphone as a potential hub — but nonetheless plausible. As the agency said, the screen size allows for the display of a lot of information, there’s a good amount of space for processing power, memory and storage, and TVs are pretty good at integrating with other devices such as consoles and external storage. TVs are already used as hub interfaces in hotel rooms, ENISA noted. Also, TV manufacturers are really keen on their products becoming home gateways of this kind.

As ENISA put it:

The physical location of the smart TV, often in the centre of a home, provides a good position for monitoring a location and the activity within it. Lifestyle data gathered from the smart home is likely to be very attractive to advertisers and data-miners…

It is difficult to learn that much about individual behaviour from a single smart device, but with multiple devices and some contextual knowledge it becomes easier to make inferences about behaviour. At least sufficient to support aggressive advertising, reminders, deals etc. and this can influence the inhabitants’ way of living.

And that’s only the planned, commercially-minded spying. Hackers and intelligence agencies might also want to spy for other purposes. There’s loads more that can go wrong — even bearing in mind that ENISA’s report is intended as an exhaustive list of warnings, it still makes for unsettling reading:

  • Incorrect settings could cause physical damage, depending on what’s being controlled, and “multiple errors can occur through voice-controlled smart home systems.”
  • All kinds of outages can temporarily brick home functionality, from electricity and internet outages to remote problems in the cloud. There’s also a risk of signals being jammed, accidentally (by neighbors with the same system, for instance) or otherwise. Also, connected things and the cloud services that keep them running can be hacked or hit with denial-of-service attacks.
  • The wireless protocols used to connect everything could be vulnerable to things like man-in-the-middle attacks, where someone close-by can snoop on and alter communications, or replay attacks, where they can capture and replay signals so as to bypass locks and security systems.
  • Hoaxers could have fun: “For instance, the system that inserts adverts into streamed content on a smart TV could be exploited to push hoax content to the viewer, or web-enabled displays in the home could display false information… Attackers with access to the smart home components could fake a system crash or error, or virus, and then offer to repair this as a method of gaining physical access to the home or further access to other components.”

Securing the smart home will probably be a complex matter due to the various players that are involved. As the report pointed out, some devices may belong to the occupant, while others (such as a set-top box) may be leased and under some company’s control. The occupant will probably want to preserve her privacy as much as possible, while vendors might be after as much saleable data as they can get their hands on. And anyway, most of them are more experienced at designing appliances than they are at managing the security implications of those devices being connected.

Still, ENISA suggested that keeping things simple might help. The more automation and data storage is handled locally and under the owner’s control, and the fewer external services that are thrown into the mix, the less “attack surface” there will be. Critical and non-critical software should run on separate systems, and manufacturers should follow good security practices around things like authentication and encryption.

Privacy by design

Now here’s where we circle back to Samsung’s smart TV – the report also noted that vendors could try to bake in privacy-by-design principles from the start. These principles were put together a few years back by former Canadian data protection regulator Ann Cavoukian, and personally I would not trust any smart home equipment from a vendor that can’t demonstrate how they comply with them.


This is basic stuff, particularly when you’re making gadgets for various kinds of monitoring. Maximum privacy protection should be in the default settings, as opposed to opt-in settings. Privacy should be a key consideration from the start, rather than an add-on feature. The trade-offs from choosing high privacy levels should be kept to a minimum. Data should be protected all the way, wherever it goes, and destroyed as soon as it’s not needed. And what happens to that data should be transparent to the people generating it.

So how does Samsung’s smart TV system stack up in this regard? On the plus side, the company said in a statement that it encrypts the data it collects to “prevent unauthorized collection or use.” A microphone icon also appears on the TV when the speech recognition feature is active, so users can be aware that their words are going into the system.

From there on, things get shakier. The user can turn the feature on and off, which is good, though it’s not clear what the default setting is. They “can also disconnect the TV from the Wi-Fi network” – a move that would of course kill much more functionality, such as that of smart TV apps. Use of the voice recognition feature means that “voice data is provided to a third party during a requested voice command search” so that content can be returned to the TV. Fine (again, that’s how this works), but who’s the third party? Could Samsung perhaps be a bit more specific about what happens with this data?

The confidence game

To be clear, I don’t think Samsung is doing anything especially egregious here. There are many always-listening devices out there now, such as Amazon’s Echo speaker, that are in a constant passive listening state. They’re waiting to hear a wake command that puts them into an active listening state (in Samsung’s case, it’s “Hi, TV.”) Until that point, they’re only storing the voice data long enough to analyze it for that phrase, generally on the device itself – it’s only when the word is spoken that data starts getting sent into the cloud, to those third parties.

This distinction between these listening states is super-important and, unless I’m very much mistaken, Samsung’s smart TV voice recognition feature isn’t quite the privacy-munching monster some are painting it as. If you’re consciously searching via voice command, just as when you’re searching in a browser, you should be aware that the words contained in your search request will be whisked off to some distant server so you can get a result. C’est la vie.

However, important questions remain about other aspects of Samsung’s system, and I’ve put a few to the company: Once the data goes to that “third party”, is it also encrypted in their systems? How long is it stored for? What does Samsung do to ensure that hackers can’t access the microphone in the TV? Is any of this data available to law enforcement or intelligence services brandishing a warrant?

Anyone who wants customers and users to offer up potentially sensitive data should be prepared to answer questions such as these. That applies to web services and apps as well, of course, but those making products for the smart home – products whose entire purpose is to observe and record – had better be particularly sensitive to privacy worries. The smart home could turn out to be a very vulnerable thing, and vendors should do all they can to set their customers’ minds at rest.

UPDATE (10 February): Samsung has confirmed to me that the passive voice recognition system on the TV is for voice commands, so “Hi, TV” would be followed by a volume adjustment command, for example. This is not connected to the internet at all. The cloud-based voice recognition feature everyone is so upset about uses a separate microphone in the remote control. It is only activated by pressing a button on the remote control (good) and the third party voice-to-text provider is Nuance, which has a worryingly liberal privacy policy (bad) that is referenced at initial set-up (good, but only for the person setting it up.)

I have asked for details of the Nuance privacy policy that Samsung’s customers are apparently shown at set-up, but the manufacturer has frustratingly tried to palm me off on Nuance for further details. This is precisely the kind of transparency failure I’m talking about. If it’s so hard for me as a journalist to find this stuff out, what hope is there for a user of this shared device who wasn’t there during the initial set-up?

Canary is a home security system that makes you do the work

If you’re in the market for a smarter Dropcam, then the $249 Canary may be the connected camera system for you. If you’re looking for a more traditional home security system, I’d wait a bit longer before going with Canary — unless you’re a huge fan of DIY security and don’t mind a lot of false positives.

So what is it?

The $249 device is an IP camera that also contains a mic and temperature, humidity and air quality sensors. It’s an attractive little product that connects to your home Wi-Fi network. You interact with it via an app on your iOS or Android device. The system has three states: armed, which means you get a notification and a recording whenever something triggers the camera; disarmed, which means you get a recording when something triggers the camera; and privacy, which means the camera and mic are turned off. Basically the difference between armed and disarmed is a notification.

When you receive a notification, you have the option to open the app from the notification, check the video and are then given the option of saying everything is okay, sounding an alarm or calling the police. That’s what I mean when I call it DIY security — you are doing the work.

Setting it up took me about five minutes. I popped the Canary out of the box, plugged it in where it could monitor my front entryway, and downloaded the app on my iPad. After signing up, I followed the instructions and plugged in a yellow cable that came with the Canary to securely link the Canary and my iPad via some type of audio signaling.

Once I was set up, I invited my husband to download the app and we were a go. Initially, I used his iPhone 6 and my iPad with the app because the Android app didn’t come out until this week. I only tested the Android app for about 72 hours, instead of the almost two weeks I tested the Canary overall. I will note that I experienced trouble receiving notifications on the Android device when the system was armed, which is a pretty essential feature.

In general, I liked the premise of the device and the camera. It has a wide-angle lens (147 degrees) that was good during the day and at night. I liked the idea of being able to monitor the air quality in my home, although in practice, it was less illuminating. For example, after the Canary had been on in my front foyer for an hour or two, it showed that the air quality in my home had gone from normal to abnormal and then to very abnormal — which was where it stayed unless I opened the windows for long periods of time.

This worried me, but when I asked Canary Co-founder/Design Director Jon Troutman what was causing such a poor reading, he said that the sensor was just tracking the relative measure of air quality in my home. It should improve based on the sensor’s location and on how the sensor learns about the quality of air in my home. If over time the air quality stays the same, the level that early on gave me a very abnormal reading will default to the new normal.

So far that regulation hasn’t happened, but moving the sensor to a new location helped. The system has a few little bugs that Troutman said should be fixed with a software update soon. The primary bug was that the camera sometimes stopped recording before an action was complete. For example, my camera, which was set up to record my front door, sometimes stopped recording before I’d finished entering the house. Other times, I would not get notifications in the armed state (this happened most often in the Android app, although once or twice in the iOS version) and the apps themselves would sometimes need a restart before updating.

The training and smarts

My dog, my Roomba and other benign things could trigger notifications from my Canary (more on that below). Each time I get a notification, I have the option of training the Canary by naming the objects in the video. Choices include the people who are in the system, like me and my husband; “pet movement”; shadows; reflections; people and a variety of other common items. You also can make your own categories, so I made categories for my daughter and my Roomba.

At first I religiously trained my Canary, assuming that it would start learning quickly the way my Nest does. I was horribly disappointed to learn that the results of my training would take place much later. Troutman couldn’t give me a time frame more specific than “later this year” for when the existing learning algorithm would be tweaked based on the user training. I feel that a large portion of the product’s quality will rest on the quality of that learning algorithm, and I think it’s a pretty important element of the review.

After all, I am getting about a dozen push notifications to evaluate a day, thanks to my pet, vacuum and random light changes. Canceling out the vacuum is easy since I know what time that runs, but the other stuff is still too many false positives to have to filter through, which makes this a poor choice for pet owners until we know how the algorithm works.

As a security system, I felt that it somewhat failed because, while it (sometimes) sent me a notification when something changed in my home, it relied on me to then decide if I wanted to sound an alarm or call the police. This meant that I had to make sure I checked each and every Canary notification that came through when the system was armed to check that it was just my dog and not a burglar.

Once Canary updates its learning algorithm with the results of user training, it should eventually cut down on false positives (like those caused by my dog and Roomba), and it will also offer paid monitoring plans ranging in price from $19 to $39 a month, while only the free and $9-per-month plans will require DIY security. The $9 per month plan gets you more cloud storage, if you want it. But in some ways, the tiering is the point: having a smarter connected system down the road, but no monthly fees, might be worth the $249 price tag for many people.

What if security isn’t really about a traditional alarm system, but more about being able to keep an eye on your home? That’s Troutman’s pitch, especially in the rental market, where the traditional firms aren’t even an option. I also found plenty of uses for the Canary outside of the traditional security idea, from using it to alert me if the dog jumped on our bed during the day when we were out (she does) to checking to see if I brought my water bottle back from the gym (couldn’t tell). My daughter enjoyed performing little dances in front of it and telling us to check the Canary for her masterpieces.

Other features that will be nice, especially for the DIYers, will be adding a phone tree to call neighbors or friends as opposed to escalating directly to the police or emergency services. All in all, the Canary I tested still feels a bit too beta for public consumption, but it does have the makings of a very smart connected camera that should make Dropcam sit up and take notice. As for providing home security, I’m not really sure I felt more secure with the Canary in my home, but it did give me a chance to see what went on when I wasn’t at home.

And if that makes people feel more secure, then this device could be for them.

Apartments are the home of the future. Let’s make them smart.

Would you find it creepy if your apartment owner was tracking every time you switched on a light bulb or how much energy your apartment used each evening? What about noticing every time you ran the dishwasher or the noise levels next door? With about $900 worth of sensors from startup Iotas, Greystar Management can track all of this information and hopes to use it to save energy and prevent things like leaks.

Sce Pike, the co-founder and CEO of Iotas, came on the Internet of Things show this week to discuss her startup’s relationship with Greystar and why she’s focused on apartments as opposed to single-family homes. First off, she believes that the rental market is growing faster than the single-family home market. And second, working with apartments allowed her to gather much cleaner data about energy usage than a smart home.

“When you look at the MDU space what you get is almost a lab like environment, because all the floor plans are the same. And they are much smaller,” Pike said. “And if you get entire coverage of the home … that gives you a lot of information about how this person is moving and living where if you go look at a single family home, where it’s DIY or professionally installed, you might get a Hue light installed in the living room versus the basement versus the bedroom here or a connected outlet installed there. You get so much variability of that data, so that data is not mineable in some sense. There’s no way to make sense of that data, whereas with the MDU space we’re getting intelligible data.”

When they take that MDU data and see patterns such as someone saving 14 percent on energy whereas everyone else is saving 10 percent, they could look at what that saver is doing and see if it could apply across other apartments, Pike said. They might offer other people rules to help them achieve that savings rate or incentive programs.

But given the detailed data she gathers, I had to know how she viewed questions of data ownership and privacy, especially in light of the recent FTC report that came out this month. With all this data, she might be tempted to keep it and see what other insights she could glean from it.

“Our privacy stance is that this is your data. You get to own your data. The only way we get to use your data is to help your home become your ally,” said Pike. “So your home should know who you are instead of an intruder. Your home should know when you go to bed at night that you want all of your lights outside to turn off…. We believe strongly that in the new world order of the internet of things that there should be some level of architecture that allows for people to own their data.”

For more on this topic, plus a chance to learn about the Canary home security system and the chance to win a Chamberlain MyQ connected garage door opener, listen to this week’s podcast.

[soundcloud url=”https://api.soundcloud.com/tracks/189334590″ params=”color=ff5500&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false” width=”100%” height=”166″ iframe=”true” /]

SmartThings hires ex-Googler to manage dev platform

SmartThings, Samsung’s hope for a unified smart home platform, has hired Dora Hsu, a former Google executive, as chief platform officer to lead its developer platform. Hsu, who was formerly the senior director of Google Cloud Solutions for the Google Cloud Platform business, will be responsible for getting developers to buy into SmartThings’ and Samsung’s idea of an open ecosystem for the smart home by convincing them to use the SmartThings developer environment and to integrate devices into the SmartThings ecosystem.

SmartThings has long positioned itself as an open platform for the smart home, and after it was purchased last summer by Samsung, that hasn’t changed. In fact, Samsung Electronics president BK Yoon gave a somewhat overwrought keynote at International CES pleading for openness in the internet of things. But that openness may be hard to come by.

While Samsung’s purchase of SmartThings helped many companies finally feel comfortable with SmartThings as a mature platform, I’ve also heard from others — notably large appliance and TV vendors — that they will not integrate with a potential rival. So Hsu may have her work cut out for her in enticing developers to build for what is likely to be a large but never fully complete platform.

When it comes to the tools to court developers, Hsu may have better luck. SmartThings last month updated its Integrated Developer Environment so it runs more smoothly and faster, and I expect more updates to come. Hsu’s experience at Google heading up the technical teams that managed some of the cloud business will certainly help here.

SmartThings CEO Alex Hawkinson said that developers can expect more investment from SmartThings in the platform, beyond just making it faster. That will include adding analytics, certification and more. “We will also be making investments in certification, marketing, and monetization support to help developers and device makers to reach significant numbers of new customers through SmartThings,” he told me in an email. “The goal is to not just help developers to rapidly innovate, but to also help them to improve the lives of many consumers while building a great business in the process.”

Hsu will essentially build the business and infrastructure to create SmartThings’ App store model. So far SmartThings supports over 150 devices, with more in the works. It doesn’t disclose the number of developers working on the platform.

Hsu reports directly to Hawkinson, and is based in the SmartThings HQ in Palo Alto, California, with her new role effective immediately.

Surveys say: It takes two years to recoup the cost of a Nest

If you’re thinking about paying $250 for the Nest thermostat, know that the resplendent regulator saves customers an average of $131-$145 a year, according to a series of studies done by Nest and two other organizations. The studies were performed by Nest, with 1,500 users across 41 states; by the Energy Trust of Oregon; and by Vectren, a utility company based in Indiana, covering 600 homes.

Each study was a bit different, but in general they found that customers saved 10 percent to 12 percent on their heating bills and 15 percent on their cooling bills. Previously, Nest had gone with the standard guesstimate published by many thermostat providers and the EPA: that a properly programmed thermostat could save a consumer 20 percent on their energy bills.

As someone who works from home and thus doesn’t get to take advantage of the away setting, I can certainly say that installing a Nest (or an Ecobee) has not led to huge savings, so I have long been suspicious of that 20 percent number. I also tend to keep my home “near boiling” in the summer according to the HVAC folks I speak to, which also means that my savings don’t come in anywhere near the higher range.

But it’s precisely those variables that make it hard to know how much you can expect to save from installing a pricey connected thermostat. In the case of Nest, the value comes from the learning algorithms and proximity sensors that figure out what temperature you like your home at and your schedule, which then start crafting the appropriate schedule that saves energy and keeps you comfortable.

So if you leave your home on a regular basis and your thermostat can take advantage of that to learn and adapt a schedule that cuts the heating or cooling during the day and at night, you may find yourself on the higher end of those savings — or even surpassing them. Or if you’re like me, you might find yourself not even hitting the low end of that average.

However, what’s nice is that as these connected thermostats become integrated with other devices in the home, it becomes about not just saving money on HVAC, but also about convenience from tying the messages from your thermostat to your other appliances. For example, because my Nest knows I’m away, it also can tell my lights. And if I’m away for multiple days, it tells my lights to randomly start going on and off to mimic me being home as a security feature.

If I had a connected appliance, it might also tell it when my utility was charging higher rates for energy, thus stopping me from doing laundry when it costs more. For many, those savings are a bit further in the future, but the nice thing about a connected device is that further savings may be just a software update away.

Here’s how GE plans to make your older appliances smart

GE Appliance is sending out 20,000 Wi-Fi modules to let customers connect older refrigerators to the Wink smart home system, according to a Wink executive who will work with the appliance maker.

In an interview last month Brett Worthington, VP and general manager at Wink, let slip that the shipment would occur as part of a Wink software and hardware update that adds a ton of sensor capabilities. GE Appliance customers with refrigerators purchased after 2009 can plug the modules into the RJ45 ports on their appliances in order to connect them to the Wink system.

The RJ45 port is a networking jack more familiar from routers and switches, but it can be found on newer appliances. Wink owners might already be familiar with it, because they currently attach the Rheem connected water heater module to their water heaters the same way.

The GE Connect box won’t cover every model of fridge that GE has made since 2009 — only select models with the port. And so far, this is only a pilot program for those few households, with the goal of getting those 20,000 users to connect their fridges, register them and then tell GE what they think.

Wink will help build applications for connected refrigerators, and Worthington says the company has come up with a few ideas, such as virtual sticky notes that could remind people of their grocery lists or meetings on their phones — or even a note to a spouse or child about what is okay or not okay to eat from the fridge that day. Other ideas include notifications if the door is ajar or whether or not the ice maker is full. Worthington didn’t say much beyond that.

But the pilot is worth noting, not just because GE is such a huge player, but also because Whirlpool is teaming up to work with Wink and may also be looking for ideas for retrofits.

As I’ve said before, I’m a huge fan of smarter homes and smart appliances, but I’m a relatively frugal person who isn’t going to toss out my current dishwasher, refrigerator, oven or washer and dryer just so I can purchase one with Wi-Fi. And GE, which recently launched a line of new smart appliances, is well aware of that issue, which is why taking advantage of an existing port and attaching a module makes sense. It’s a strategy that Xiaomi seems to be following in China, too.

Meanwhile, I’ll wait to hear more from GE Appliance on this issue. I only wish I had a GE fridge with its own networking port. Sadly, it’s a Samsung, and I couldn’t see anything resembling an ethernet jack.

With exec departures and reorg, Nest is growing up

About a year ago, Google said it would pay $3.2 billion for Nest, a company that had sold fewer than a million connected thermostats and fewer than 440,000 connected smoke detectors — which it would later have to stop selling because its most innovative feature might also prove deadly in a fire. That was a lot of money for a company that had a lot of potential, but was still facing a lawsuit from a giant in the thermostat world, and was trying to sell a pricey product that the mainstream market wasn’t quite sure it understood.

Now, as it reorganizes in the wake of what looks to be the surprise departure of two executives, the company is doing what it has to do to prove that $3.2 billion price tag. Google didn’t buy Nest for its beautiful thermostat — it bought into Tony Fadell’s vision of a connected home full of better products that would learn from users and improve their lives. Along the way, if it helped Google get into hardware and collect vast amounts of data that might one day help solve energy crises or improve computer vision, that’s all to the good.

[Photo: Greg Duffy, CEO, Dropcam, at Mobilize 2013 (c) 2013 Pinar Ozger]

But to do that, Nest has to get big — moving beyond thermostats, smoke detectors and cameras. That requires a lot of discipline. So when I saw reports on Friday evening of a culture clash leading to the departure of Greg Duffy, the former CEO of Dropcam, it didn’t surprise me. The report alleged a “culture of meetings,” and Duffy appeared to confirm his departure via a tweet. Duffy wasn’t the only one who left: Nest’s VP of Technology Yoky Matsuoka also left, reportedly heading for a role at Twitter.

This did surprise me, as a Nest employee and official spokeswoman offered to have Matsuoka come to my house to fix my Nest as part of a joke, on a call with me on Thursday. I doubt they would have offered that in jest if her departure was common knowledge at that time. In an article about memos acquired by TechCrunch after the loss of the two executives, several issues stand out, but all of them point to a company trying to scale up to become a multi-billion-dollar business relatively quickly.

The first thing that jumps out is the crazy work schedule — employees were being asked to work Saturdays until April or May, tied to an ambitious product release schedule for Project Quartz and Black Quartz, which TechCrunch says are two camera updates. Nest’s competition in the smart home space is offering not just cameras, but security systems with embedded sensors and learning systems that can learn who is in your home and react accordingly. I don’t know what Project Quartz and Black Quartz are at this time, but I can look at the market and say that while easy to use, Dropcam’s products aren’t particularly noteworthy compared to other Wi-Fi cameras out there, and bigger names are getting in the game every day.

The work schedule is one thing, and something that I would imagine would prompt a lot of angst, but the second element of the memos was a reorganization dividing the hardware side of the business and the software and services side of the business. Other roles are getting reorganized as well, with what appear to be clearer reporting lines and a definitive “management” layer.

So will this help Nest build the products it needs to sell tens of millions of connected gadgets, and design dozens of devices over the years?