Vulnerabilities found by a researcher in smart thermostats developed by Trane could have been exploited by remote attackers to gain access to the devices, read their data and issue commands to them. The vendor has taken steps to address the security flaws.
Jeff Kitson, security researcher at Trustwave, started analyzing Trane ComfortLink XL850 thermostats in December 2015. The product provides energy consumption reporting features, SMS and email alerts, and allows customers to remotely adjust heating and cooling from their computer or mobile device.
The expert discovered that the product had a weak authentication mechanism and hardcoded credentials that could have been leveraged to access the device. The vulnerabilities could have been exploited over the local network, and even from the Internet if the thermostat had been made reachable through the home's router.
Kitson said there had been 24 Internet-exposed devices in December, but the number increased to roughly 50 by the time of disclosure. Most of the affected devices are located in North America.
Once attackers gain access to the device, they can obtain information on the targeted home’s heating and cooling schedule, operation mode, chat and alarm history, URLs, secret IDs, and software version. Kitson believes schedule information taken from a thermostat can allow malicious actors to determine when a home or a commercial building is empty.
“What’s more concerning than the information extraction is the fact that active commands are available that allow attackers to perform a number of dangerous operations. This includes forcing the device to maintain the maximum heating setting or disabling the device continuously thereby overriding user input,” the researcher said. “Attackers can also remove and create trusted server connections permanently disconnecting the device from the corporate command and control servers. The most obvious consequence of this would be overheating a building or damaging it by disabling the heat in winter conditions.”
Such attacks were also detailed on Sunday by two researchers at the Def Con hacking conference. Andrew Tierney and Ken Munro of Pen Test Partners created a proof-of-concept ransomware specifically designed to target smart thermostats. The malware takes control of the device and demands the payment of a ransom.
Kitson determined that version 3.1 and earlier of the firmware are affected when the device’s default configuration is not changed. The researcher initially encountered difficulties in reporting the issues to Trane, but he eventually reached the vendor, which patched the flaws and started pushing out automatic updates in early July.
This was not the first time researchers had found vulnerabilities in Trane thermostats. Earlier this year, Cisco disclosed several serious flaws its researchers discovered in Trane ComfortLink II XL950 products.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.