Vulnerabilities Exposed Trane Thermostats to Remote Hacking

Vulnerabilities found by a researcher in smart thermostats developed by Trane could have been exploited by remote attackers to hack into the devices and perform various actions. The vendor has taken steps to address the security flaws.

Jeff Kitson, security researcher at Trustwave, started analyzing Trane ComfortLink XL850 thermostats in December 2015. The product provides energy consumption reporting features, SMS and email alerts, and allows customers to remotely adjust heating and cooling from their computer or mobile device.

The expert discovered that the product had a weak authentication mechanism and hardcoded credentials that could have been leveraged to access the device. The vulnerabilities could have been exploited over the network and even from the Internet if the thermostat had been exposed through the router.

Kitson said there had been 24 Internet-exposed devices in December, but the number increased to roughly 50 by the time of disclosure. Most of the affected devices are located in North America.

Once attackers gain access to the device, they can obtain information on the targeted home’s heating and cooling schedule, operation mode, chat and alarm history, URLs, secret IDs, and software version. Kitson believes schedule information taken from a thermostat can allow malicious actors to determine when a home or a commercial building is empty.

“What’s more concerning than the information extraction is the fact that active commands are available that allow attackers to perform a number of dangerous operations. This includes forcing the device to maintain the maximum heating setting or disabling the device continuously thereby overriding user input,” the researcher said. “Attackers can also remove and create trusted server connections permanently disconnecting the device from the corporate command and control servers. The most obvious consequence of this would be overheating a building or damaging it by disabling the heat in winter conditions.”

Such attacks were also detailed on Sunday by two researchers at the Def Con hacking conference. Andrew Tierney and Ken Munro of Pen Test Partners created a proof-of-concept ransomware specifically designed to target smart thermostats. The malware takes control of the device and demands the payment of a ransom.

Kitson determined that version 3.1 and earlier of the firmware are affected when the device’s default configuration is not changed. The researcher initially encountered difficulties in reporting the issues to Trane, but he eventually reached the vendor, which patched the flaws and started pushing out automatic updates in early July.

This was not the first time researchers had found vulnerabilities in Trane thermostats. Earlier this year, Cisco disclosed several serious flaws its researchers discovered in Trane ComfortLink II XL950 products.

Related: Serious Vulnerabilities Found in Wireless Thermostats