Security Experts:

Connect with us

Hi, what are you looking for?



Flaws in Trane Thermostats Expose Networks to Attacks

Vulnerabilities identified by researchers at Cisco’s Talos group in smart thermostats made by Trane allow malicious hackers to gain complete control of the devices.

Vulnerabilities identified by researchers at Cisco’s Talos group in smart thermostats made by Trane allow malicious hackers to gain complete control of the devices.

Internet of Things (IoT) devices are designed to make our lives easier, but many manufacturers focus on functionality and neglect security, allowing malicious actors to abuse these products for various purposes.

A perfect example is provided by Trane, a provider of indoor comfort systems and services. Cisco reported on Monday that it took the company nearly two years to address a serious vulnerability in one of its Internet-connected thermostats.Vulnerabilities in Trane ComfortLink II thermostats

Cisco informed Trane in April 2014 of the existence of three serious vulnerabilities in the company’s ComfortLink II thermostats, devices designed to allow users to remotely control the temperature in their house or building from an Internet-connected smartphone, tablet or computer. The security bugs had been found in version 2.0.2 of the firmware.

Two of the vulnerabilities, both identified as CVE-2015-2868, affect the DSS service in Trane ComfortLink II thermostats. An attacker who can connect to the DSS service can exploit the flaws to remotely execute arbitrary code by sending a long request that causes a fixed size stack buffer to overflow.

Trane resolved these security bugs in April 2015 with the release of firmware version 4.0, but a third vulnerability, which Cisco researchers believe is the most severe issue, was only patched in late January with the release of firmware version 4.0.3.

This flaw, related to the existence of hardcoded credentials (CVE-2015-2867), allows an attacker to remotely log into the thermostat over SSH and gain complete control of the device via the BusyBox environment present on the system.

“An attacker could compromise the thermostat to conduct reconnaissance of the local network, launch both local and at-large attacks, or utilize the device as a platform for other malicious operations on the internet,” Cisco’s Alex Chiu explained in a blog post.

“While IoT devices such as smart thermostats, home lighting, and security systems bring an added level of convenience into our lives, these vulnerabilities highlight the dangers of insecure development practices,” Chiu said. “The fact that these thermostats contain a fully functional, unrestricted BusyBox environment that could be used to download files, compile code and execute arbitrary commands is a strong indication Trane is not following industry recommended, secure development practices.”

Trane is not the only company whose thermostats have been found to contain serious vulnerabilities. Researchers demonstrated in the past couple of years that Google’s Nest thermostats had been plagued by security holes that allowed malicious actors to spy on home networks. Experts also discovered serious flaws in wireless thermostats from UK-based Heatmiser.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.