
Why is my Nest Thermostat talking to Facebook? - donohoe
https://twitter.com/tomasmcguinness/status/1292536538719559681
======
kogir
That looks like a snapshot from the UniFi Network manager.

Based on my experiences with UniFi gear, which I like and am running right
now, I’d take any of their DPI and threat detection stuff with a full meter
cube of salt. It doesn’t even report local network flows and traffic
statistics correctly.

~~~
PragmaticPulp
The screenshot also shows Fitbit, Omegle, and even IMAP4 traffic.

My first guess would be that the Nest thermostat is now occupying an IP
address that was formerly assigned to other devices. Now that the Nest
thermostat is at that address, the old packets are mistakenly attributed to
the Nest thermostat.

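To make the lease-reuse theory concrete, here is an added example (mine, not PragmaticPulp's, and not UniFi's code) that builds a per-device traffic report three ways: keyed on whichever device holds the source IP when the report is rendered, keyed on the source MAC the switch saw, and keyed on the DHCP lease that was active when the flow was seen. The lease history, flow records, MAC addresses and timestamps are all constructed for illustration.

```python
"""Added example (not from the thread): how a per-device traffic view that
joins stored flows to the *current* IP-to-device table misattributes old
flows once a DHCP lease is reused, and two ways to attribute correctly.
All data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    start: int      # constructed timestamps (seconds)
    end: int
    ip: str
    mac: str
    host: str


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    src_mac: str    # L2 source as seen by the switch/AP on the local segment
    app: str        # DPI label the engine assigned, e.g. "facebook"
    tx_bytes: int


# Constructed DHCP lease history for one address: a laptop held
# 192.168.1.57 first; after it left, the thermostat got the same address.
LEASES = [
    Lease(1000, 2000, "192.168.1.57", "aa:bb:cc:00:00:01", "laptop"),
    Lease(2100, 9999, "192.168.1.57", "18:b4:30:00:00:02", "nest-thermostat"),
]

# Constructed flow records, stored with both the IP and the MAC.
FLOWS = [
    Flow(1500, "192.168.1.57", "aa:bb:cc:00:00:01", "facebook", 1200),
    Flow(1600, "192.168.1.57", "aa:bb:cc:00:00:01", "omegle", 800),
    Flow(3000, "192.168.1.57", "18:b4:30:00:00:02", "nest-cloud", 300),
]


def owner_at(leases, ip, ts):
    """Device that held `ip` at time `ts`, or 'unknown' between leases."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.host
    return "unknown"


def _empty_report():
    return defaultdict(lambda: defaultdict(int))


def attribute_by_current_ip(flows, leases, now):
    """Buggy: resolves each flow's IP against the device table as of `now`."""
    report = _empty_report()
    for f in flows:
        report[owner_at(leases, f.src_ip, now)][f.app] += f.tx_bytes
    return report


def attribute_by_mac(flows, leases):
    """Correct when the sensor recorded the L2 source: key on the MAC."""
    host_by_mac = {lease.mac: lease.host for lease in leases}
    report = _empty_report()
    for f in flows:
        report[host_by_mac.get(f.src_mac, f.src_mac)][f.app] += f.tx_bytes
    return report


def attribute_by_lease_window(flows, leases):
    """Correct when only IPs were stored: use the lease active at flow time."""
    report = _empty_report()
    for f in flows:
        report[owner_at(leases, f.src_ip, f.ts)][f.app] += f.tx_bytes
    return report


def unexpected_apps(report, device, expected):
    """DPI labels on `device` that are not in its expected set, sorted."""
    return sorted(app for app in report.get(device, {}) if app not in expected)


if __name__ == "__main__":
    NOW = 5000
    buggy = attribute_by_current_ip(FLOWS, LEASES, NOW)
    print("by current IP:", dict(buggy["nest-thermostat"]))
    print("by MAC:       ", dict(attribute_by_mac(FLOWS, LEASES)["nest-thermostat"]))
    print("by lease:     ", dict(attribute_by_lease_window(FLOWS, LEASES)["nest-thermostat"]))
```

With the constructed data, the IP-keyed report puts the laptop's facebook and omegle bytes on the thermostat, while both the MAC-keyed and lease-window reports leave only the nest-cloud traffic there. The lease-window variant is the fallback a dashboard can use when its sensor never stored MACs but the DHCP server's lease log is still available; a flow whose timestamp falls between two leases lands on "unknown" rather than on whichever device happens to own the address now.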
~~~
kogir
You’d hope they’d use MAC address instead of IP, but I fear you may well be
right.

~~~
brokensegue
You only know the IP, not the MAC, of the server you are communicating with
over the internet.

~~~
ponker
This is about local MAC not remote MAC

------
rsa25519
This looks like misleading FUD. I don't think it's fair to draw conclusions
based on a random Tweet like this.

I suspect this is a flaw in the DPI system rather than Nest itself. It sounds
like UniFi DPI inaccuracy is a known thing [0]. And, Omegle?? And zero bytes
downloaded?

I just don't want to repeat what happened on HN a few weeks ago with that
tweet about Apple refunds.

[0]
[https://www.reddit.com/r/Ubiquiti/comments/56b6cp/unifi_cont...](https://www.reddit.com/r/Ubiquiti/comments/56b6cp/unifi_controller_extremely_inaccurate_when_it/)

EDIT: for context, I'm taking the approach of legal systems, where what
matters is not whether someone is guilty, but whether there is sufficient
evidence for them to be treated as such. Sure, maybe they do send a few KB to
Omegle, but this tweet is nowhere close to enough evidence to make that claim

------
kop316
Is it the Nest thermostat, or is it the Nest app?

If it's the Nest app, does it offer Facebook login?

If it's the Nest app and has the Facebook SDK, that's why.

~~~
hetspookjee
What is the Facebook SDK doing in a thermostat app? I don't feel this
explanation is sufficient.

~~~
WrtCdEvrydy
Because software engineering is expensive so the guy who wrote the app got
paid peanuts and told to implement the login in 2 hours because that's how
many "story points" were attached to the story. If you take too long, it will
show up on your performance review, so instead, I'll just drag in the random
Facebook SDK just to enable login... and your data's gone to Facebook!

Yay, Silicon Valley!

~~~
jorams
Note that the Facebook Platform Policy[1] _requires_ the use of their SDK:

> Native iOS and Android apps that implement Facebook Login must use our
> official SDKs for login.

[1]:
[https://developers.facebook.com/policy/](https://developers.facebook.com/policy/)

~~~
jjnoakes
Only if you need to use Facebook login.

I think the point is that lots of non-Facebook apps could implement
non-Facebook login and avoid Facebook altogether, but they don't for various
non-technical reasons.

~~~
jonas21
Lots of apps implement Facebook login _in addition to_ their own login because
users ask "How do I log in with Facebook?" and get upset when you tell them
they can't.

~~~
WrtCdEvrydy
I wonder how much flak you'd get for creating a "facebook login" that is just
the signup workflow... if it's not in your DB, just push it as a new record
for followup "signins"

------
Yetanfou
Apart from all the other comments here - UniFi's network monitor being
garbage, the app using the Facebook SDK for login, etc - the real reason your
thermostat or fridge or cat feeder or vacuum cleaner sends data to an
adversarial network is because it can. When you bought the device and skipped
over the small print to get it to do what you bought it for without having to
plough through half a bible's worth of legalese you, most likely
unintentionally and unknowingly, gave it permission to do stuff like that. It
would have been worded in woolly phrases about 'sharing data with partners'
for the purpose of 'improving and personalising service' and possibly to
'present targeted offers from partners' but all that is just newspeak for
milking your data for profiling and advertising purposes.

The solution is equally clear and simple: don't allow these things to access
the 'net, put them behind a firewall which only allows traffic inside your own
'controller area network'. Use a VPN to tunnel into this CAN to set your
temperature, feed the cat, mow the lawn and whatnot. If this sounds elaborate
you might want to consider doing away with all this 'smart' functionality and
just get a 'dumb' fridge/vacuum/cat/etc.

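As an added example of the firewalling the comment above recommends (my configuration, not the commenter's, and not tied to any vendor's controller UI), here is an nftables ruleset for a Linux router that lets hosts on a trusted LAN and VPN clients open connections into an IoT VLAN, while dropping and logging anything an IoT device itself initiates toward the Internet or the rest of the house. The interface name, the subnets and the VPN client pool are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface name and subnets are assumptions.
define IOT_IF  = "eth0.20"                        # assumed: VLAN 20 sub-interface for IoT
define IOT_NET = 192.168.20.0/24                  # assumed IoT subnet
define TRUSTED = { 192.168.1.0/24, 10.8.0.0/24 }  # assumed: wired LAN and VPN client pool

table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for connections that were allowed below
        ct state established,related accept

        # Trusted LAN hosts and VPN clients may open connections into the
        # IoT segment (the "VPN in, then set the temperature" path)
        iifname != $IOT_IF oifname $IOT_IF ip saddr $TRUSTED ip daddr $IOT_NET accept

        # Anything an IoT device initiates that would be routed off its own
        # segment, whether to the Internet or to the trusted LAN, is logged
        # and dropped; the chain policy would drop it anyway, the rule adds the log
        iifname $IOT_IF log prefix "iot-egress-drop " counter drop
    }
}
```

Check the file with `nft -c -f iot.nft` before loading it. This only governs routed traffic; if the router itself serves DHCP or DNS to the IoT VLAN, its input chain needs separate allow rules for those, and a device that insists on reaching its vendor cloud will simply stop working behind this, which is the trade the comment is describing.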
------
pwinnski
7 packets each to Facebook and Omegle. The Facebook could be related to
Facebook logins, but Omegle? Something weird is going on there.

~~~
virtuallynathan
Bad DPI data would be my guess.

~~~
jay_kyburz
Dots Per Inch?

~~~
jtsiskin
Deep Packet Inspection. They must be attributing packets incorrectly because
it makes 0 sense that the nest app is communicating with Omegle

------
duxup
> Omegle

That seems even harder to explain, at least for me ...

~~~
ccozan
Maybe because of the Nest Security Camera and sharing some codebase.

But still, impossible to explain in both cases.

~~~
duxup
It makes me think we're dealing with a misunderstanding here.

------
BlahGod420
To tell you if you're hot or not.

------
pnw_hazor
Because you invited the monster into your home.

All things Nest went into the garbage as soon as the Google purchase was
announced. It was quite disappointing.

~~~
dylan604
Why did it take that long? The stories of Nest doing weird things with data
were around before the Google purchase.

