So you may have heard that recently I had to blow a bunch of money on a new air conditioner.
One of the very small silver linings that I was looking forward to, or so I thought, was the idea that with my entire system being replaced, I could finally get one of those cool smart thermostats that you can control from your phone and whatnot. I talked about it with the people who replaced my AC and although apparently they’re not big fans of the super-popular Nest thermostat, they instead had a Honeywell model that was said to have most of the same features and was a little bit cheaper to boot…
I say that with some frustration because two weeks later, I can’t actually use any of the smart features of my new smart thermostat.
Why?
Because Honeywell opted to not follow the security standards for connecting their thermostats to wifi!
More specifically, the thermostat uses WPA2 encryption … the most common form of wifi encryption in use right now … except that whereas normally WPA2 allows for a passphrase of 64 characters, Honeywell for some reason limits WPA2 passphrases in their thermostats to only 32 characters.
And guess whose wifi password is 58 characters long?! Mine!
So I reached out to Honeywell via their website, thinking that either A) maybe there was a firmware update that I could apply to fix this … though not sure how I would download it, or more likely B) maybe this was just a problem with older models of their thermostats and they could recommend a different one that my guy could swap this one out for…
No. Such. Luck.
It kind of shocks me that a company as big as Honeywell would take such a lackadaisical approach towards security. I mean, as the Internet of Things (I still hate that name!) grows by leaps and bounds, we’re always hearing of new compromises where thousands of devices at a time get added to gigantic botnets. And really, it’s a standard … so why would they expect users to just make shorter passwords because they didn’t feel like following it???
I suppose the easy solution would be for me to follow the instructions from the rep above and shorten my wifi password, but I’m not going to do that. For starters, it would be a huge pain in the ass to update the passwords for every device around the house connected to my wifi, and also, I shouldn’t have to do that to add a new IOT device that’s supposed to be making my life easier!
I guess I could also go back to my AC installer and try to explain to him why his preferred thermostat doesn’t work for me, and when I contacted Honeywell that was actually going to be my plan, but unfortunately knowing that this is an issue that plagues every thermostat that Honeywell makes, I know that he’s not going to have anything to change it out with anyways, and he hates Nest so if I twist his arm to give me one of those, it’s just going to make troubleshooting issues down the road a nightmare.
Ultimately I think what I’ve decided to do is just let the thermostat sit unconnected for the time being.
Eventually I want to upgrade the wifi in our house to a Ubiquiti router and access points, and from what I can tell those support setting up multiple SSIDs … at that point, I can actually make a completely separate VLAN just for IOT devices to keep them away from my servers and everything else … so I suppose my plan will be to do that, and just for this stupid Honeywell thermostat, I’ll create one SSID with a less secure passphrase that’s only 32 characters long so that the thermostat can actually use it.
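For anyone who wants to see what the passphrase rules above actually mean in practice, here’s a little Python script I put together as an added example (it’s my own illustration, not code from Honeywell or anything shipped with the thermostat). It checks a passphrase against the standard rules plus a vendor-imposed cap, derives the real WPA2 pre-shared key the same way the standard does (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 256-bit output), and generates a random passphrase for a length-capped IOT SSID like the one I plan to set up. Two things worth knowing that the post doesn’t spell out: the standard’s passphrase form is 8 to 63 printable ASCII characters (the 64-character form is the raw PSK written in hex), and the derived key is always 256 bits no matter how long the passphrase is. So what a 32-character cap really costs you is passphrase entropy, and a cap on entropy matters for WPA2-PSK specifically because the key is derived purely from the passphrase and SSID. The `THERMOSTAT_MAX_LEN` constant and the sample passphrases are my own assumptions; the `password`/`IEEE` test vector is the one published in the 802.11 standard.

```python
import hashlib
import math
import secrets
import string
from typing import Tuple

# WPA2 / IEEE 802.11i rules: a passphrase is 8..63 printable ASCII characters
# (0x20-0x7E). A 64-character value is the raw 256-bit PSK written in hex.
STD_MIN_LEN = 8
STD_MAX_LEN = 63
# Vendor-imposed ceiling described in the post (constant name is my own).
THERMOSTAT_MAX_LEN = 32

# 95 printable ASCII characters, including the space.
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation + " "


def validate_passphrase(passphrase: str, device_max: int = STD_MAX_LEN) -> Tuple[bool, str]:
    """Check a passphrase against the standard rules and an optional device limit.

    Returns (ok, reason). A passphrase can be perfectly standard-compliant and
    still be rejected by a device that enforces a shorter maximum.
    """
    n = len(passphrase)
    if n < STD_MIN_LEN:
        return False, f"too short: {n} < {STD_MIN_LEN}"
    if n > STD_MAX_LEN:
        return False, f"exceeds the standard maximum: {n} > {STD_MAX_LEN}"
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in passphrase):
        return False, "contains non-printable or non-ASCII characters"
    if n > device_max:
        return False, f"standard-compliant, but longer than the device limit of {device_max}"
    return True, "ok"


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes out.

    The output is 256 bits regardless of passphrase length, so a length cap
    limits the entropy that goes in, not the size of the key that comes out.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def entropy_bits(passphrase: str, alphabet_size: int = len(PRINTABLE_ASCII)) -> float:
    """Upper bound on entropy if every character were drawn uniformly from the alphabet."""
    return len(passphrase) * math.log2(alphabet_size)


def generate_passphrase(length: int, alphabet: str = PRINTABLE_ASCII.strip()) -> str:
    """Cryptographically random passphrase (secrets module) for a length-capped device.

    The space is dropped from the default alphabet so nothing gets trimmed when
    the passphrase is pasted into a device's setup form.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: a 58-character passphrase, same length as the one in the post.
    long_pass = "correct-horse-battery-staple-is-a-fine-idea-until-it-isnt!"
    assert len(long_pass) == 58
    print("standard check:", validate_passphrase(long_pass))
    print("thermostat check:", validate_passphrase(long_pass, device_max=THERMOSTAT_MAX_LEN))

    # Constructed SSID for the IOT-only network from the post.
    iot_ssid = "iot-only"
    short_pass = generate_passphrase(THERMOSTAT_MAX_LEN)
    print("generated 32-char passphrase:", short_pass)
    print("thermostat check:", validate_passphrase(short_pass, device_max=THERMOSTAT_MAX_LEN))
    print(f"entropy upper bound: {entropy_bits(short_pass):.1f} bits")
    print("derived PSK:", derive_psk(short_pass, iot_ssid).hex())
```

The point of `entropy_bits` is that 32 characters chosen at random from the printable set is about 210 bits of entropy, so a separate IOT SSID with a device-length passphrase isn’t weak just because it’s shorter, as long as the passphrase is random rather than a phrase. The thing to avoid is the tempting fix of trimming a memorable 58-character phrase down to 32, which throws away far more entropy than the numbers suggest.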
Until then, I’ve got this swell red alert light that won’t turn off unless I disable it altogether to remind me that my new smart thermostat isn’t nearly as smart as it claims to be… 🙁
If anyone is curious for reference, the thermostat I have is a Honeywell Wi-Fi VisionPRO 8000 – part #TH8321WF1001.
And if anyone from Honeywell happens to stumble across this blog post, please for the love of god ask your developers why they aren’t following security standards for something as simple as this! If I were you, it’d make me wonder what other corners they’ve been cutting, too… 😯