Thanks for this Slyguy, much appreciated and useful tips re putting them in a VLAN.

I am also unaware of any specific reviews regarding security. However, if you follow best practice, you can be pretty effective in securing them. Emerson Sensi is used by a lot of folks I know in IT. The reason is, there is a long code printed on the back of the thermostat itself that is required to connect to it. Anyone not having that code paired to their account won't be able to connect or access it in any way.
For IoT I like to do the following:
1) Secure them on their own guest WiFi SSID. (or VLAN)
2) Secure them behind a Gryphon, under a strict USER with 'Toddler' as the policy and only permit the egress necessary for device functionality.
That way, in general, it's not going to be compromised because nothing is WAN facing other than exactly what is needed for the operation, and the device is secured on its own VLAN (or Guest SSID).
Can you configure the thermostat remotely though?

If you work under the assumption that virtually everything is already compromised (except in a few extremely secure cases), then you will be well served. Because in fact, most things are compromised, it's just that nobody has found out about the compromise in most cases.
IoT should be specifically limited in a home for this reason. I try to limit my IoT, and when possible isolate it to specific VLANs, and always ensure a strict policy on the internet and only allow specific domains required for device operation. Working from the assumption everything is compromised.
Right now, I have a thermostat, smoke alarm and space heater in the guest bedroom as my basic IoT devices. But it is required in the cases of those devices. For example without an App, the space heater cannot be scheduled to go on and off or remotely notify me if it was left on. My thermostat is required, I use the IoT aspect of that constantly. My cameras can't talk out, internal server with cloud storage of the clips. My DVRs are restricted to traverse the WAN only during a short 45 minute window each night for programming updates. That pretty much wraps up the IoT around here.
Once again, my assumption is - it's all been compromised.
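The isolation pattern described in the posts above (IoT on its own VLAN, egress allow-listed to the vendor endpoints a device actually needs, cameras confined to an internal recorder, a DVR allowed out only during a nightly 45-minute window) expressed as an nftables ruleset for a Linux router. This is an added example, not from anyone in this thread and not a Gryphon configuration; interface names, addresses, ports and the 03:00 window are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example (not from this thread). Assumes a Linux router acting as the
# gateway for an IoT VLAN; interface names and addresses are placeholders.
flush ruleset

define IOT_IF   = "vlan20"          # IoT devices live here (192.168.20.0/24)
define LAN_IF   = "lan0"            # trusted LAN
define WAN_IF   = "eth0"
define DVR      = 192.168.20.50
define CAMERAS  = { 192.168.20.101, 192.168.20.102 }
define RECORDER = 192.168.10.20     # internal server the cameras stream to

table inet iot_policy {
    # Only the vendor endpoints the thermostat needs (placeholder addresses);
    # resolve the vendor hostnames and keep this set current.
    set thermostat_cloud {
        type ipv4_addr
        elements = { 203.0.113.10, 203.0.113.11 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN_IF accept
        # IoT devices may use the router for DNS and NTP, nothing else
        iifname $IOT_IF udp dport { 53, 123 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname $LAN_IF accept

        # Cameras: only the internal recorder, never the WAN
        iifname $IOT_IF ip saddr $CAMERAS ip daddr $RECORDER tcp dport 554 accept
        iifname $IOT_IF ip saddr $CAMERAS drop

        # DVR: WAN egress only during a nightly 45-minute update window
        # (meta hour needs a reasonably recent nftables and kernel)
        iifname $IOT_IF ip saddr $DVR oifname $WAN_IF meta hour "03:00"-"03:45" accept
        iifname $IOT_IF ip saddr $DVR drop

        # Remaining IoT devices: allow-listed cloud endpoints over HTTPS only
        iifname $IOT_IF oifname $WAN_IF ip daddr @thermostat_cloud tcp dport 443 accept

        # No path into the trusted LAN; log denied traffic for review
        iifname $IOT_IF oifname $LAN_IF log prefix "iot-to-lan-denied " drop
        iifname $IOT_IF log prefix "iot-egress-denied " drop
    }
}
```

Load it with `nft -f`; the logged drops land in the kernel log, which is where a device on the IoT VLAN reaching for something outside its allow-list becomes visible.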