Check out the video for a more in-depth description of the problem, but the short of it is that most smart thermostats (and a lot of smarthome devices) rely on someone else’s servers in order for them to be accessed remotely. And because of this, “remotely” doesn’t just mean when you’re out of the house, but inside the house as well. If the “smart” device company ever goes out of business or decides to stop supporting whatever you own, then you effectively will no longer have an internet-enabled thing.
This isn’t true for all devices. Some do not require servers-that-are-elsewhere (or “the cloud” as it’s known) in order to operate. But a surprising number do, and that’s something to consider when buying an appliance, thermostat, Echo, or full home automation system. Will the company running those servers still be around in 5 years? In 10 or 20 years? And even if they’re in business, will they support it? With something like the Amazon Echo, that’s not much of a concern. But with a $250 thermostat from a “new” company it could be a factor.
How would one check if their device(s) are guilty of using said setup? Specifically a recently acquired smart thermostat, hot tub interface, and home alarm system? Should I assume, since the remote control of these devices depends upon use of an app, that they all do that? Less worried about ADT going out of business than the thermostat people and the hot tub manufacturer…
I know your post is nine months old but I only just saw it now :-) so since you are responsible for this burning concern now taking up real estate in my brain, please fix it.
Generally speaking, if you can use the app outside of your house to control the appliance (or etc.) without having set up any kind of port forwarding on your home router, then the data is going through an intermediary. For reasons of security (unless you specifically set it up otherwise) traffic can only go out through your router (which usually includes a firewall as well). Same with your phone or other remote device.
So the only way they can communicate is by both contacting a server somewhere that allows the traffic in from each, and can relay messages between the two devices. In theory this could be secure from snooping if encryption is used by both (e.g.) your phone and your smart thermostat, with the third party being unaware of the encryption key. However, in reality the company running that server probably wants to collect data on all of its users as well as providing other services, so it would at best be encrypted between your phone and their server, and your smart thermostat and their server. They’ll still see all of it.
And certainly if they go out of business or decide to stop supporting it, you’re boned.
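The check described in the reply above, as an added example that is not part of the original post or comments: it reads flow records from a home router and reports whether each device is only reachable through an outside server. The subnet, addresses, flow format, port-forward list and verdict names are all assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home subnet
PHONE = "192.168.1.20"                          # assumed phone address while on Wi-Fi
# Constructed flow records (source, destination, dst_port), as a router log might export them.
FLOWS = [
    ("192.168.1.40", "203.0.113.10", 443),   # thermostat -> outside server
    ("192.168.1.20", "203.0.113.10", 443),   # phone -> the same outside server
    ("192.168.1.20", "192.168.1.50", 8080),  # phone -> hot tub directly on the LAN
    ("192.168.1.50", "198.51.100.7", 443),   # hot tub -> outside server
    ("192.168.1.20", "192.168.1.60", 80),    # phone -> camera directly on the LAN
]
PORT_FORWARDS = [("192.168.1.60", 80)]       # constructed router rule: (internal host, port)

def external(addr):
    """True when the address is outside the home subnet."""
    return ipaddress.ip_address(addr) not in LAN

def classify(device, flows=FLOWS, forwards=PORT_FORWARDS, phone=PHONE):
    """Summarise how the phone app reaches one device, based on observed flows."""
    device_out = {dst for src, dst, _ in flows if src == device and external(dst)}
    phone_out = {dst for src, dst, _ in flows if src == phone and external(dst)}
    local = any(src == phone and dst == device for src, dst, _ in flows)
    forwarded = any(host == device for host, _ in forwards)
    if device_out and not local:
        verdict = "cloud-dependent"      # even in-house control goes via the outside server
    elif device_out:
        verdict = "local-plus-relay"     # works on the LAN; remote use needs the relay
    elif forwarded:
        verdict = "port-forwarded"       # remote access reaches the device directly
    else:
        verdict = "local-only"
    return {
        "verdict": verdict,
        "relay_candidates": sorted(device_out & phone_out),  # servers both sides talk to
        "device_servers": sorted(device_out),
    }

if __name__ == "__main__":
    for name, ip in [("thermostat", "192.168.1.40"), ("hot tub", "192.168.1.50"),
                     ("camera", "192.168.1.60")]:
        print(name, classify(ip))
```

A device that comes back as "cloud-dependent" is the case the post warns about: if the listed server goes away, so does app control, even from inside the house.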
Guess what? Hot tub company did indeed stop supporting app, so no more smart tub, or warming it up from bed. The vendor that sold the actual unit apologized and gave a few months’ worth of free chemicals, but it really sucks. Between the stonework and electric to prepare the space along with the actual purchase that thing cost over 10k. More people should be mad about this.