Company Responses

Here’s how the companies featured in our investigation responded.


“We take the security of our consumers extremely seriously; we give several options for them to further enhance Nest’s already robust security features. We encourage strict password criteria and suggest everyone use two-factor authentication. Our team continues to bring new features to proactively deliver the most advanced security.”


“In order to protect Wink customers who could be subject to phishing attacks and other threats that may result in disclosure of login credentials, Wink is taking immediate steps to implement a two-factor authentication that will make it more difficult for malicious actors to use compromised credentials. Wink users should never disclose password information to any third party.”


“At Amazon we take security seriously and leverage extensive risk detection and mitigation tools, as well as notifying customers directly on all transactional activity. Customers can enable two-factor authentication on their Amazon account to add another layer of security. When shopping on Alexa, customers can also set a Voice Code to secure their purchases. If an unapproved order is placed via Alexa or on any other Amazon end point, customers are eligible for a free return.”


In this specific demonstration, our lock followed the protocol required by the smart home hub, which means we established encrypted messaging for secure communication between the hub and the lock. However, the smart home hub was ultimately in control of all messages sent to its connected devices — and that’s where the compromise took place. We will continue to assess potential vulnerabilities like this moving forward — and, again, encourage smart home hub owners to stay alert to social engineering attacks.


At Honeywell, we take the security of our products seriously. When a homeowner installs a Honeywell thermostat and connects their app, they must be physically present in front of the thermostat for added security. Additionally, our password policy requires the password to include a minimum number of characters, including upper- and lower-case characters, to create the user account. It is always a best practice to have unique passwords for various accounts and change them periodically.