I bought a Nest thermostat, a long time ago, before it was acquired by Google.
It was a pretty good piece of hardware. Then, as usual, the geniuses from Google
fucked it up. If that was only that, it would just have been expected. They
started requiring a Google Home account to access the API, severed tons of nice
integrations that were allowing to control it from anything.
Classic Google.
After a little while, when they finally cut the cord on Work-With-Nest API, I
decided it was time to remove the Nest from Internet. Google does not need to
know when I'm home, or how much I heat it. That's none of their business.
So I went with a classic MAC to IP assignation in my router, then add some
firewall rules to prevent it from accessing the net. I had in mind that I would
hack something to control it from the LAN later on.
But then I noticed I could not ping it anymore. I went to look at the Nest to
check its network settings. It stated it was not connected to the Wifi. Strange,
since my router actually reported an unknown client, with a MAC address I have
never seen before. Then, looking at what that IP was doing, I was suprised that
it was actually connecting using HTTPS to a plain IP, directly, without DNS.
This IP was obviously in a subnet part of Google autonomous system.
So this little fucker realized it was banned, spoofed its MAC address to obtain
a different IP, lied on the fact it was not connected at all, while sending some
encrypted bullshit to Google.
Let me tell you that it got disconnected immediately and I changed the Wifi
password. I'm fairly confident this version of Nest does not have any other mean
to communicate. But I would not be so sure with more recent models. I will soon
replace it with something simpler, with just a Z-Wave or Zigbee interface.
If you have a Nest, do yourself a favor, and trash this shit, alongside with
anything coming from Google.
Google is indeed evil.
text/gemini; charset=utf-8This content has been proxied by September (3851b).