Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Flaws in Trane Thermostats Expose Networks to Attacks

Vulnerabilities identified by researchers at Cisco’s Talos group in smart thermostats made by Trane allow malicious hackers to gain complete control of the devices.

Vulnerabilities identified by researchers at Cisco’s Talos group in smart thermostats made by Trane allow malicious hackers to gain complete control of the devices.

Internet of Things (IoT) devices are designed to make our lives easier, but many manufacturers focus on functionality and neglect security, allowing malicious actors to abuse these products for various purposes.

A perfect example is provided by Trane, a provider of indoor comfort systems and services. Cisco reported on Monday that it took the company nearly two years to address a serious vulnerability in one of its Internet-connected thermostats.Vulnerabilities in Trane ComfortLink II thermostats

Cisco informed Trane in April 2014 of the existence of three serious vulnerabilities in the company’s ComfortLink II thermostats, devices designed to allow users to remotely control the temperature in their house or building from an Internet-connected smartphone, tablet or computer. The security bugs had been found in version 2.0.2 of the firmware.

Two of the vulnerabilities, both identified as CVE-2015-2868, affect the DSS service in Trane ComfortLink II thermostats. An attacker who can connect to the DSS service can exploit the flaws to remotely execute arbitrary code by sending a long request that causes a fixed size stack buffer to overflow.

Trane resolved these security bugs in April 2015 with the release of firmware version 4.0, but a third vulnerability, which Cisco researchers believe is the most severe issue, was only patched in late January with the release of firmware version 4.0.3.

This flaw, related to the existence of hardcoded credentials (CVE-2015-2867), allows an attacker to remotely log into the thermostat over SSH and gain complete control of the device via the BusyBox environment present on the system.

“An attacker could compromise the thermostat to conduct reconnaissance of the local network, launch both local and at-large attacks, or utilize the device as a platform for other malicious operations on the internet,” Cisco’s Alex Chiu explained in a blog post.

“While IoT devices such as smart thermostats, home lighting, and security systems bring an added level of convenience into our lives, these vulnerabilities highlight the dangers of insecure development practices,” Chiu said. “The fact that these thermostats contain a fully functional, unrestricted BusyBox environment that could be used to download files, compile code and execute arbitrary commands is a strong indication Trane is not following industry recommended, secure development practices.”

Advertisement. Scroll to continue reading.

Trane is not the only company whose thermostats have been found to contain serious vulnerabilities. Researchers demonstrated in the past couple of years that Google’s Nest thermostats had been plagued by security holes that allowed malicious actors to spy on home networks. Experts also discovered serious flaws in wireless thermostats from UK-based Heatmiser.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.