Vulnerabilities identified by researchers at Cisco’s Talos group in smart thermostats made by Trane allow malicious hackers to gain complete control of the devices.
Internet of Things (IoT) devices are designed to make our lives easier, but many manufacturers focus on functionality and neglect security, allowing malicious actors to abuse these products for various purposes.
A perfect example is provided by Trane, a provider of indoor comfort systems and services. Cisco reported on Monday that it took the company nearly two years to address a serious vulnerability in one of its Internet-connected thermostats.
Cisco informed Trane in April 2014 of the existence of three serious vulnerabilities in the company’s ComfortLink II thermostats, devices designed to allow users to remotely control the temperature in their house or building from an Internet-connected smartphone, tablet or computer. The security bugs had been found in version 2.0.2 of the firmware.
Two of the vulnerabilities, both identified as CVE-2015-2868, affect the DSS service in Trane ComfortLink II thermostats. An attacker who can connect to the DSS service can exploit the flaws to remotely execute arbitrary code by sending a long request that causes a fixed size stack buffer to overflow.
Trane resolved these security bugs in April 2015 with the release of firmware version 4.0, but a third vulnerability, which Cisco researchers believe is the most severe issue, was only patched in late January with the release of firmware version 4.0.3.
This flaw, related to the existence of hardcoded credentials (CVE-2015-2867), allows an attacker to remotely log into the thermostat over SSH and gain complete control of the device via the BusyBox environment present on the system.
“An attacker could compromise the thermostat to conduct reconnaissance of the local network, launch both local and at-large attacks, or utilize the device as a platform for other malicious operations on the internet,” Cisco’s Alex Chiu explained in a blog post.
“While IoT devices such as smart thermostats, home lighting, and security systems bring an added level of convenience into our lives, these vulnerabilities highlight the dangers of insecure development practices,” Chiu said. “The fact that these thermostats contain a fully functional, unrestricted BusyBox environment that could be used to download files, compile code and execute arbitrary commands is a strong indication Trane is not following industry recommended, secure development practices.”
Trane is not the only company whose thermostats have been found to contain serious vulnerabilities. Researchers demonstrated in the past couple of years that Google’s Nest thermostats had been plagued by security holes that allowed malicious actors to spy on home networks. Experts also discovered serious flaws in wireless thermostats from UK-based Heatmiser.