Recent findings by cybersecurity firm Bitdefender reveal a critical flaw in thermostats sold globally by the German multinational engineering company Bosch. This vulnerability allows hackers to manipulate the heating system and override firmware, posing a significant security risk for homeowners.
Key Points:
- Unpatched Models at Risk: Thermostats that did not receive a firmware update distributed over the air in the late previous year are susceptible to exploitation. The flaw is identified as CVE-2023-49722.
- Firmware Override: The vulnerability enables hackers to brick devices or replace the original firmware, potentially disrupting home heating, ventilation, and air conditioning systems.
- IoT Security Concerns: Thermostats, as integral components of the Internet of Things (IoT), are a focal point for security research due to their immediate impact on households.
Insights from Bitdefender:
Bitdefender’s Director of Threat Research, Bogdan Botezatu, emphasizes the growing security challenges associated with IoT devices. The flaw requires access to the local network but has not been exploited in the wild so far.
Quotes from Botezatu:
“The more we advance with IoT and the more chips become prevalent in physical security devices, the more scared I am.”
“Criminals are looking for devices that are prevalent in people’s homes.”
Bosch’s Response:
Bosch responded promptly to Bitdefender’s research, issuing a firmware update on Oct. 12. Tim Wieland, Director of North America Corporate Communications, assured that the company’s experts continuously monitor threats and implement countermeasures.
Over-the-Air Updates:
Bitdefender highlights the advantage Bosch customers have with devices capable of receiving over-the-air updates, a feature not universal among IoT devices. However, the firm expresses disappointment in the relatively low number of consumers who typically respond to firmware updates.
Technical Details of the Flaw:
The vulnerability originated from the Wi-Fi chip embedded in the Bosch thermostat. It listened on port 8899, mirroring messages directly to the main microcontroller. The flaw allowed attackers to send malicious commands, including writing a harmful firmware update to the device.
Bitdefender’s Analysis:
Researchers demonstrated the ability to prompt the device to contact the cloud for a firmware update, responding with a URL containing a malicious update. The lack of validation mechanisms for firmware update authenticity makes the device susceptible to accepting updates from malicious sources.
Bitdefender concludes that their analysis extends beyond Bosch thermostats, examining various IoT devices with varying levels of security.