Google Nest Thermostat hack could be used for spying

A team of researchers has discovered an easy hack that could be abused for surveillance of homeowners.

Grant Hernandez and Yier Jin from the University of Central Florida, working with independent researcher Daniel Buentello, revealed their findings at this week's Black Hat security conference in Las Vegas.

The simple act of holding down the power button and inserting a USB flash drive allowed the team to enter the thermostat's developer mode. From there they could acquire information about the owner's routine, such as when they are in or out, which, it is feared, could be sold to thieves.

Hackers could also use the developer function to spam other devices or form a malicious botnet.

"Entering into that mode allows you to upload your own code, your custom code, which allows you to attack existing code, implant your own and reboot normally, but maybe have something else running in the background," Hernandez said.

"We have access to the device on the highest level, and we can send stuff that Nest sends to us as well."

That physical hacks were overlooked comes as a surprise, considering previous praise for Nest's resistance to wireless hacking. Buentello said there was a risk of someone buying up devices, tampering with them, and then selling them back to innocent customers.