Connect with us

Hi, what are you looking for?


Application Security

Vulnerabilities Exposed Trane Thermostats to Remote Hacking

Vulnerabilities found by a researcher in smart thermostats developed by Trane could have been exploited by remote attackers to hack into the devices and perform various actions. The vendor has taken steps to address the security flaws.

Vulnerabilities found by a researcher in smart thermostats developed by Trane could have been exploited by remote attackers to hack into the devices and perform various actions. The vendor has taken steps to address the security flaws.

Jeff Kitson, security researcher at Trustwave, started analyzing Trane ComfortLink XL850 thermostats in December 2015. The product provides energy consumption reporting features, SMS and email alerts, and allows customers to remotely adjust heating and cooling from their computer or mobile device.

The expert discovered that the product had a weak authentication mechanism and hardcoded credentials that could have been leveraged to access the device. The vulnerabilities could have been exploited over the network and even from the Internet if the thermostat had been exposed through the router.

Kitson said there had been 24 Internet-exposed devices in December, but the number increased to roughly 50 by the time of disclosure. Most of the affected devices are located in North America.

Once attackers gain access to the device, they can obtain information on the targeted home’s heating and cooling schedule, operation mode, chat and alarm history, URLs, secret IDs, and software version. Kitson believes schedule information taken from a thermostat can allow malicious actors to determine when a home or a commercial building is empty.

“What’s more concerning than the information extraction is the fact that active commands are available that allow attackers to perform a number of dangerous operations. This includes forcing the device to maintain the maximum heating setting or disabling the device continuously thereby overriding user input,” the researcher said. “Attackers can also remove and create trusted server connections permanently disconnecting the device from the corporate command and control servers. The most obvious consequence of this would be overheating a building or damaging it by disabling the heat in winter conditions.”

Advertisement. Scroll to continue reading.

Such attacks were also detailed on Sunday by two researchers at the Def Con hacking conference. Andrew Tierney and Ken Munro of Pen Test Partners created a proof-of-concept ransomware specifically designed to target smart thermostats. The malware takes control of the device and demands the payment of a ransom.

Kitson determined that version 3.1 and earlier of the firmware are affected when the device’s default configuration is not changed. The researcher initially encountered difficulties in reporting the issues to Trane, but he eventually reached the vendor, which patched the flaws and started pushing out automatic updates in early July.

This was not the first time researchers had found vulnerabilities in Trane thermostats. Earlier this year, Cisco disclosed several serious flaws its researchers discovered in Trane ComfortLink II XL950 products.

Related: Serious Vulnerabilities Found in Wireless Thermostats

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.