One of the most common internet of things (IoT) devices, the house thermostat, has been shown to be vulnerable by default—paving the way for information loss and even home invasion.
According to Trustwave security researcher Jeff Kitson, Wi-Fi connected Trane ComfortLink XL850 thermostats running firmware version 3.1 or lower are vulnerable to information disclosure and remote access due to a weak authentication mechanism and hardcoded credentials.
“The device uses a custom protocol and a predictable port number to administer remote access to virtually all of the device functions,” he explained in a blog. “When you combine hardcoded credentials with a network accessible port, you have a device ripe for attack from the network or even an attack from the Internet if the thermostat is exposed through the router.”
Once an attacker has gained access they can quickly extract all information from the device including the home heating and cooling schedule, current operation mode, current temperature, chat and alarm history, serial number, active socket connections, trusted URLs, secret IDs, software version info and detailed address and installer information.
The Trane residential Comfortlink XL850 thermostat supports Wi-Fi connectivity, and the company partnered with Nexia to provide a monthly service where customers can use either a website or a mobile app to remotely control their home’s heating and cooling schedule and set the temperature whenever they please. The devices seem to be concentrated in North America where IoT is popular and both Trane and Nexia are located.
“The most obvious danger is from home invaders who can gain easy access to the wake up and work schedule for an entire household,” he said. “Knowing when a home or commercial building is intended to be empty is sensitive information. Additional dangers include combining the highly detailed service information with social engineering and access to the device in general.”
Kitson also found that the code incorporates active commands that would allow attackers to perform a number of dangerous operations. This includes forcing the device to maintain the maximum heating setting or disabling the device continuously thereby overriding user input—the results could be overheating a building or damaging it by disabling the heat in winter conditions.
Fortunately, once notified, Trane was able to remediate the vulnerabilities in a very short amount of time, thanks to the capability to update the XL850 firmware automatically for connected devices. It has been pushing out updates to customers since the beginning of July.
“Not every IoT security story results in a patch and there are bound to be many more,” Kitson said. “If you are concerned about the security of your IoT device you might consider hosting a dedicated Wi-Fi network for IoT devices that limits internet access or removes it entirely. In a worst case scenario you might want to disable network access entirely.”
Photo © IRGOOFY