The home thermostat, now one of the most common Internet of Things (IoT) devices, has been shown to be vulnerable by default—paving the way for information loss and even home invasion.
According to Jeff Kitson, researcher at Trustwave Security, Wi-Fi connected Trane ComfortLink XL850 thermostats running firmware version 3.1 or lower are vulnerable to information disclosure and remote access due to a weak authentication mechanism and hardcoded credentials.
“The device uses a custom protocol and a predictable port number to administer remote access to virtually all of the device functions,” he explained. “When you combine hardcoded credentials with a network accessible port, you have a device ripe for attack from the network or even an attack from the Internet if the thermostat is exposed through the router.”
Once an attacker gains access, they can quickly extract all information from the device, including the home heating and cooling schedule, current operation mode, current temperature, chat and alarm history, serial number, active socket connections, trusted URLs, secret IDs, software version info and detailed address and installer information.
“The most obvious danger is from home invaders who can gain easy access to the wake up and work schedule for an entire household,” he said. “Knowing when a home or commercial building is intended to be empty is sensitive information. Additional dangers include combining the highly detailed service information with social engineering and access to the device in general.”
Kitson also found that the code incorporates active commands that would allow attackers to perform a number of dangerous operations. These include forcing the device to maintain the maximum heating setting or continuously disabling the device, thereby overriding user input. The result could be overheating a building or damaging it by disabling the heat in winter conditions.
Fortunately, once notified, Trane was able to remediate the vulnerabilities in a very short amount of time, thanks to the capability to update the XL850 firmware automatically for connected devices. It has been pushing out updates to customers since the beginning of July.
“Not every IoT security story results in a patch and there are bound to be many more,” Kitson said. “If you are concerned about the security of your IoT device you might consider hosting a dedicated Wi-Fi network for IoT devices that limits internet access or removes it entirely. In a worst case scenario you might want to disable network access entirely.”