
The Ecobee SmartThermostat with voice control: is Amazon’s Alexa spying on you?

Quick Background

Almost 50% of your home energy consumption is heating and cooling related according to the EPA. That’s a pretty big chunk and creates a lot of room for potential savings. Let me start off by saying, smartthermostats are great and I do own an ecobee. I live in Portland, OR, so I don’t see a lot of savings (our weather is pretty awesome!) but when I do use heat or air conditioning, I want to be the most efficient I can be.

You might also benefit financially. Many states and even some cities offer credits or incentives for buying and using smartthermostats. If you live in Oregon, check out the rebate for buying a smartthermostat from the Energy Trust of Oregon. If you’re a Portland General Electric customer, you can even get paid to use a smartthermostat! Many other utilities offer these programs; use your favorite search engine or just give them a call!

Recently there have been reports of these things spying on you; if you already have one or are looking to purchase a smartthermostat, read on to make sure yours isn’t and can’t.

What is a SmartThermostat

The true power of smartthermostats comes when you use a lot of heat or cooling and/or have a large home. The ecobee supports smart sensors, which allow it to monitor specific rooms for activity and temperature. Have a home office you don’t use much or want to keep the bedroom cooler/warmer when sleeping? This is probably the best feature.

Your conventional thermostat might look like this:

The classic Honeywell thermostat

The classic thermostat worked great. You set a temperature; if things got too cold, the heat turned on, and if they got too hot, you got some AC. Maybe you upgraded to a schedulable thermostat, which works on the same basic principle, but you can set times when you are home or at work and adjust the heating and cooling. There isn’t much sense in keeping a house cool or warm when you know you’re not home, unless maybe you have pets or kids.

The smartthermostat takes this to the next level. In addition to having schedules, you can add smart sensors that monitor a room’s temperature and occupancy (they have motion sensors). Why does this matter?

Let’s say you have a living room that’s on the shady side of the house and your kitchen is usually sunny. You are in the living room watching TV or reading; no one is in the kitchen so there’s no need to heat or cool that space. You want the room you’re currently in to be heated or cooled. This saves energy (and money). The cool (😎) part is if you decided you want something from the kitchen or start cooking, the motion sensor triggers and heating or cooling will kick in based on your temperature preferences. So if you want 78º, it’s 76º in the living room (no need to have heat or cooling) but the kitchen is 80º and empty, no cooling would be running.

When you move into the kitchen, the AC will start and cool that room to 78º from 80º. The best part is, you don’t need to do anything; it’s all automatic, hence “smart.” The various companies use different algorithms, but all basically work by averaging the temperature in a house and focusing on the room(s) that have activity in them. This used to only be possible with expensive multi-zone heating and cooling… but that’s no longer required! The ecobee works with most standard heating and cooling systems (even whole-home dehumidifiers).

What is a voice assistant (Alexa)

The newer generations even have built-in voice control so you don’t even have to touch the thermostat. You just say a trigger word and the temperature and it magically changes. Since they’re the same services (Alexa or Google Assistant) they can also be used to look up information from the internet or even do grocery shopping. Many, including the ecobee, support Apple’s HomeKit Home app so you can use Siri to control your temperature or even get info on your house while you are away (HomeKit can work over the internet, no home required 😉). Apple, Google, and Amazon were all in the news recently when it was leaked that these voice assistant services “spy on you.”

Before you rip your thermostat off the wall, flush your phone or don your tinfoil hat, let’s take a deep breath and dissect what happened.

Trigger warning

All these devices work by the user manually triggering them (pressing a button) or saying a trigger word: “Hey Siri,” “Hey Alexa,” or “Hey Google.” They’re usually pretty good at listening for their trigger word and then whatever you ask for. However, sometimes they accidentally trigger because they think they hear their trigger word or there is an audible tone that triggers them. Essentially the devices have microphones that are tuned with algorithms to recognize specific voice sounds — they’re not (usually) listening to words. That’s why (most of the time) if someone says “Hey ____” in a TV ad, it doesn’t trigger your device if you own one. They edit out the specific frequency the device is listening for. Conversely, commands can be sent to these devices as sound that you can’t even hear. This has a lot of privacy implications. More on that in a second.

These things sometimes randomly trigger and all three of these companies have people that listen to the accidental trigger and try and figure out what happened so they can make the devices better and not trigger accidentally in the future. So, random people may be listening to conversations or other things in your house during an accidental trigger.

Device triggers -> records what’s happening around it (perhaps a conversation at dinner)-> is sent to the company’s servers -> deemed accidental -> sent to someone to figure out what happened.

This means someone may be listening to your private conversations. In all three cases, these people were mostly contractors hired as 3rd parties (aka cheap labor). This may or may not have been disclosed in the ‘small print’ terms of service most people don’t read, but people were pretty shocked to learn this. All three companies have corrected this and most seem to be making it more obvious whether or not you share these clips with them.

It kinda does get scary though

Remember those inaudible tones discussed just moments ago? In theory, advertisers (or evil hackers, New York Times may be paywalled) could broadcast a tone the device could hear and trigger a lookup or ‘pingback‘ that they could use to track you or spy on you (UC Berkeley paper [Go Bears! 🐻] or paper mirror). That’s some next-level shit! Popular Mechanics has a less techy explanation. Is there a fix for this always listening?… glad we’re on the same page!

Lobotomy

One sure-fire way to prevent these things from listening to you is to physically remove the microphone. A less extreme way would be to just disable Alexa in the settings (recommended). If you want to partake in some hardware hacking or want to better understand how these things work, keep going!

I really wanted to use the ecobee for thermostating, but had no intention to use the voice assistant features so I decided to physically disable the microphones.

Yes, the previous paint was that hilarious… the ecobee was quite a bit smaller than its predecessor
  • Exterior sound holes for internal microphones
  • We could likely tape over these, but if we wanted it easy, we’d just disable Alexa
  • The microphones are protected by 4 Torx screws
  • 1 of 4 of the outer defenses
  • They are easily defeated by a T6 screwdriver
  • Andrew 1, ecobee 0
  • Targets acquired
  • Ok, not really, those ribbon cables connect to the microphones
  • Hiding in plain sight, how clever
  • Ahhhh there are still two!!
  • Because they are ribbon cables, we can simply detach the ribbon
  • The black clip pops up to release the ribbon, or you just break it off like me #coolkids
  • Do the same for the other side, and we’d be done
  • With the ribbons detached from the logic board, the mics are useless, but if we wanted it easy we’d just disable Alexa
  • There is no coming back from this: once you clip it, #itbedead
  • If you simply disconnect, you can later reconnect and use Alexa
  • This is a shot of the back, because why not?
  • There’s a backup battery and what looks to be a speaker: ahhhh IT SPEAKS!

Ecobee4 (newer generations)

This is the OG ecobee 4 (Model: EB-STATE4-01). If you buy a current-generation ecobee4 (Model: EB-STATE5-01) the process should be pretty similar, though the internals have changed a bit.

Thanks to our friends at the FCC, we have internal photos courtesy of FCCid.io of the (current) ecobee4.

https://fccid.io/WR92221123114/Internal-Photos/Internal-Photos-4310334
ecobee4 (current-gen) with what appears to be the same mic ribbon cables

You can always purchase the ecobee3 lite without voice assistant (and no microphones) if you’d like.

Did you purchase the ecobee4 and physically disable the microphones? If so, drop me a note!

Final Thoughts

Ok, so this was just a bit of a fun hardware hacking project. There is, however, evidence we need to be concerned with all the microphones popping up in devices. I’ll be writing more on this in the future. In the meantime, save some money (and energy) and get a smartthermostat, don’t enable the voice assistant and if you’re paranoid or just looking for a fun 10 min hardware hack, cut off the mics at the source.

Happy hacking!

A quick side note: I’m going to start including PDFs of pages I web link to. Things on the internet tend to disappear, and there’s nothing worse than finding something, being interested in the context and finding linked pages no longer exist. They’ll be called “WebLinkArchive_article title.”

About the author:

Andrew lives in Portland, OR and has worked in tech for over 15 years. With a foundation in philosophy, political theory, and communications, he is an avid thinker & tinkerer, constantly learning and exploring the world around us.

Originally published on andrewjneumann.com and is best viewed in person.

Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License © 2019.