Security Wireless Networking

Popular Wi-Fi Thermostat Full of Security Holes

Threatpost reports: Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover. Andrew Tierney, a "reverse-engineer by night," whose specialty is digging up bugs in embedded systems, wrote on his blog that he initially read about vulnerabilities in another one of the company's products, NetMonitor, and decided to poke around its product line further. This led him to discover a slew of issues in the company's Wi-Fi-enabled thermostats running firmware version 1.2. The issues range from simple security missteps to critical oversights. For example, when users go to connect the thermostat via a Windows utility, it uses default web credentials and PINs. ... Elsewhere, the thermostat leaks Wi-Fi credentials, like its password, username, Service Set Identifier (SSID) and so on, when it's logged in. Related: O'Reilly Radar has an interesting conversation about what companies will vie for control of the internet-of-things ecosystem.
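The summary names two distinct classes of flaw: factory default web credentials and PINs that keep working after setup, and a settings page that hands the stored Wi-Fi password back to whoever is logged in. The following is an added illustration, written for this page; it is not Heatmiser's firmware and is not taken from the Threatpost article or Tierney's write-up. The factory defaults, endpoint names and Wi-Fi settings in it are assumed for the demonstration. It shows a toy settings handler with both mistakes beside a hardened version that refuses to serve anything except the credential-change page until the defaults are gone, and that treats the PSK as write-only.

```python
"""Added illustration (not Heatmiser firmware, not from the Threatpost or
Tierney write-ups): the two mistakes the summary names, reproduced in a toy
settings handler, beside a hardened version. Defaults and names are assumed."""
import base64
import hashlib
import hmac
import os

# Assumed factory defaults for the illustration only.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "admin"
DEFAULT_PIN = "1234"
PBKDF2_ROUNDS = 20_000  # kept low for a demo; raise on real hardware if the CPU allows


def derive(secret, salt):
    """Salted PBKDF2 so a dumped config file does not reveal the credentials."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class Device:
    """In-RAM stand-in for the thermostat's configuration store."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.user = DEFAULT_USER
        self.pw_hash = derive(DEFAULT_PASSWORD, self.salt)
        self.pin_hash = derive(DEFAULT_PIN, self.salt)
        self.credentials_changed = False
        # Constructed Wi-Fi settings; the PSK is the secret that must not leak.
        self.wifi = {"ssid": "HomeNet", "psk": "correct horse battery staple"}


def basic_auth_header(user, password):
    """Build the HTTP Basic header a browser or the setup utility would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_login(dev, header):
    """Verify HTTP Basic credentials with constant-time comparisons."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    user_ok = hmac.compare_digest(user.encode(), dev.user.encode())
    pw_ok = hmac.compare_digest(derive(password, dev.salt), dev.pw_hash)
    return user_ok and pw_ok


def leaky_wifi_page(dev, header):
    """Anti-pattern: factory credentials are accepted forever and the settings
    page echoes the stored PSK to whoever is logged in."""
    if not check_login(dev, header):
        return 401, {"error": "authentication required"}
    return 200, dict(dev.wifi)


def hardened_wifi_page(dev, header):
    """Fix: refuse every page but the credential-change page while factory
    credentials are in place, and never send the PSK back (write-only field)."""
    if not check_login(dev, header):
        return 401, {"error": "authentication required"}
    if not dev.credentials_changed:
        return 403, {"error": "factory credentials must be changed first",
                     "next": "/setup/credentials"}
    return 200, {"ssid": dev.wifi["ssid"], "psk_set": bool(dev.wifi["psk"])}


def change_credentials(dev, header, user, password, pin):
    """The one endpoint reachable with factory credentials. Rejects the factory
    values and weak PINs so the device cannot be 'changed' back to them."""
    if not check_login(dev, header):
        return 401, {"error": "authentication required"}
    if not user or password == DEFAULT_PASSWORD or len(password) < 12:
        return 400, {"error": "password must be at least 12 characters and not the default"}
    if not (pin.isdigit() and len(pin) >= 6) or pin == DEFAULT_PIN:
        return 400, {"error": "PIN must be at least 6 digits and not the default"}
    dev.salt = os.urandom(16)  # fresh salt on every change
    dev.user = user
    dev.pw_hash = derive(password, dev.salt)
    dev.pin_hash = derive(pin, dev.salt)
    dev.credentials_changed = True
    return 200, {"ok": True}
```

The point of the hardened handler is that the "are we still on factory credentials" check is a property of the device state, not of the client: the Windows setup utility mentioned in the summary would get the same 403 and be forced through the credential change before it could read or write anything else.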
  • by Spy Handler ( 822350 ) on Tuesday September 23, 2014 @11:37PM (#47980699) Homepage Journal

    Nobody needs a home thermometer and refrigerator connected to the internet. Gadget makers and tech press have been trying to foist this shit on us for years and nobody wants it. Let it die already.


      by camperdave ( 969942 )
      Seriously! How long would one have to be away and kicking himself that he forgot to change the thermostat setting before having one of these new fangled ones would pay for itself?
      • by DarkTempes ( 822722 ) on Wednesday September 24, 2014 @01:05AM (#47981007)

        I'd mostly be interested in using a smart thermostat for logging.
        If I can detect HVAC performance problems just once before they lead to a dead system on a deadly hot summer day and an emergency call to a repair guy then it would easily have paid for itself in comfort.

        • Mine's smart but not that smart.

          I've had about 3 of them. The other 2 were damaged by lightning.

          The HVAC system works with a changeover relay. Set to heat, it heats. Set to cool it cools.

          When lightning hit, the thermostat's changeover switch blew. It would attempt to cool the house on a 90-degree day by running the heater. I'd get home and the place would be 115 inside.

        • I'd mostly be interested in using a smart thermostat for logging.
          If I can detect HVAC performance problems just once before they lead to a dead system on a deadly hot summer day and an emergency call to a repair guy then it would easily have paid for itself in comfort.

          Exactly this.

          I have a Wifi connected thermostat and it has already proved more than useful.

          I live in Canada. Went on 2-week vacation to Florida in the middle of winter. Did not check email the first day.

          Next day, checked email. Furnace had been sending an email saying "high pressure switch stuck closed" for the last 7 hours. The barrage of emails started at 4:43 am. I had left the key with the neighbours and they were kind enough to let the service person inside the house. The service guy fixed the furnace

        • by Anonymous Coward

          I built a logger using an Arduino that wrote a line of text data to a flat file on the attached SD card. Periodically I'd copy the file off the SD card onto my desktop, and use Excel to review the CSV data. It helped me identify that my gas heat system was short-cycling (running for too short of a period, but many more times than needed), and with a small adjustment I was able to go from 30, 4 minute heat cycles at night to 4, 10 minute heat cycles.

          Make your own (Arduino), or buy a commercial one (http://
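The short-cycling diagnosis the commenter describes is a small amount of edge detection over a relay-state log. As an added example (not the commenter's Arduino code), here is the analysis side of that setup in Python: a constructed "timestamp,heat" CSV of the kind an SD-card logger might write, a parser that tolerates a corrupted line, and a report that counts heating runs and flags the 30-short-runs-a-night pattern. The CSV layout, one row per minute, and the 8-minute threshold are assumptions for the illustration.

```python
"""Added example (not the commenter's Arduino code): detect HVAC short-cycling
from a relay-state log of the kind the comment describes. The CSV format and
all sample data are constructed for the illustration."""
import csv
import io
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"


def make_log(cycles, on_minutes, off_minutes, start="2014-09-24 00:00"):
    """Construct a 'timestamp,heat' CSV with the given on/off pattern.
    The logger is assumed to write one row per minute."""
    t = datetime.strptime(start, FMT)
    rows = ["timestamp,heat"]
    for _ in range(cycles):
        for state, minutes in ((1, on_minutes), (0, off_minutes)):
            for _ in range(minutes):
                rows.append(f"{t.strftime(FMT)},{state}")
                t += timedelta(minutes=1)
    return "\n".join(rows) + "\n"


def parse_log(text):
    """Return (timestamp, heat_on) pairs, skipping malformed rows rather than
    crashing on a corrupted line from the SD card."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ts = datetime.strptime(row["timestamp"], FMT)
            on = row["heat"].strip() == "1"
        except (KeyError, ValueError, AttributeError):
            continue
        records.append((ts, on))
    return records


def run_durations(records):
    """Length in minutes of each completed heating run.
    A run starts on a 0->1 edge and ends on the next 1->0 edge."""
    runs, start = [], None
    for ts, on in records:
        if on and start is None:
            start = ts
        elif not on and start is not None:
            runs.append((ts - start).total_seconds() / 60)
            start = None
    return runs


def short_cycle_report(records, min_run_minutes=8):
    """Summarise the runs and flag the system when most runs are shorter than
    the threshold, which is the pattern the commenter fixed with one adjustment."""
    runs = run_durations(records)
    short = [r for r in runs if r < min_run_minutes]
    return {
        "runs": len(runs),
        "short_runs": len(short),
        "avg_minutes": round(sum(runs) / len(runs), 1) if runs else 0.0,
        "short_cycling": bool(runs) and len(short) > len(runs) / 2,
    }


if __name__ == "__main__":
    print(short_cycle_report(parse_log(make_log(30, 4, 6))))   # the "before" night
    print(short_cycle_report(parse_log(make_log(4, 10, 65))))  # after the adjustment
```

Edge detection on the relay state is deliberately used instead of counting rows with heat=1, so a logger that misses a minute or two still reports the right number of runs; only an unterminated final run is dropped.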

        • by suutar ( 1860506 )

          There is that, but if I were to want to log the internal climate of my apartment I'd want pressure and humidity too, and I'd wind up just getting one of those outdoor weather rigs and setting it up in the dining room. (The wind thing would become a "cats got up on the table and started playing" measure :)

        • by sootman ( 158191 )

          Speaking of which, why isn't shit monitorable AT ALL in its current state? My A/C gets below a certain level of freon or puron or whatever and POOF, it's out. Why do I have to have "the guy" come out and charge and arm and a leg to see that there's a leak and refill it on the first hot day of the year? Why isn't it possible for OWNERS to see the levels, even with just plain old gauges? Hell, my POOL PUMP has a pressure gauge on it, and that's a LOT less important than my HVAC system.

          • The worst part is when the repair guy can't even figure out what the problem is.

            You would think in a modern world that it would be pretty simple to add some relatively inexpensive sensors to help with diagnostics.
            I saw one slashdotter replied with a 3rd party vendor for that but I imagine it also comes with a silly monthly fee for monitoring.

      • by GNious ( 953874 ) on Wednesday September 24, 2014 @02:40AM (#47981327)

        Seriously! How long would one have to be away and kicking himself that he forgot to change the thermostat setting before having one of these new fangled ones would pay for itself?

        Looking at the spiel from Nest, these products pay for themselves through regular use, not through exceptions:

        Auto-Schedule makes it easy to create an energy efficient schedule that can help you save up to 20% on your heating and cooling bills. All the Nest Thermostat's features combined can get you even bigger savings

        More: https://nest.com/thermostat/sa... [nest.com]

        Some dude, who may very well be paid by Nest, tweeted this:

        After a year using my @Nest thermostat, I've saved $326.74 / 2,651 kWh over the previous year.

        Linky: https://twitter.com/MattClippe... [twitter.com]

        Not saying that all of the above is true, but at least it seems that they'd consider your premise incorrect.

        • Looking at the spiel from Nest, these products pay for themselves through regular use, not through exceptions:

          A cheap programmable thermostat pays for itself quicker.

          Auto-Schedule makes it easy to create an energy efficient schedule that can help you save up to 20% on your heating and cooling bills. All the Nest Thermostat's features combined can get you even bigger savings

          I give a shit about results only seen by a few outliers... honest..

          After a year using my @Nest thermostat, I've saved $326.74 / 2,651 kWh over the previous year.

          If I were selling a product that really did all the wonderful things claimed I would want the world to know about it by providing credible evidence supporting my assertions. Instead we are treated to a bunch of people saying they saved x, y and z over last year... which is to say the least.. completely worthless.

          Patiently awaiting credible evidence...

        • by DarkOx ( 621550 ) on Wednesday September 24, 2014 @06:35AM (#47982113) Journal

Which is completely meaningless. My energy bills can easily vary that much over a year depending on weather conditions, without me doing anything about my own behavior. $300 in the typical ~2500 ft suburban home over the course of an entire year is indistinguishable from noise.

      • Well it happened to Passepartout in Around the World in Eighty Days... :p
      • by DarkOx ( 621550 )

Seriously, how many times will it take one of these things running the heat or AC constantly, either because it's a badly built hunk of crap or because someone pwned it, before they wish they'd have stuck with their 10-year-old setback?

    • by AmiMoJo ( 196126 ) * on Wednesday September 24, 2014 @12:27AM (#47980865) Homepage Journal

      Hopefully people will exercise their legal rights to correct this kind of thing. For example, goods must be "fit for purpose" and of "reasonable quality". In other words, security must be reasonably effective.

      Could be even more interesting if you paid to have it installed.

      • I am glad they are discovering these security issues and addressing them. Maybe in 5 years, most of these kinds of devices will be secure.

        Anything "on the frontier" needs whacked into shape a bit.
      • Hopefully people will exercise their legal rights to correct this kind of thing. For example, goods must be "fit for purpose" and of "reasonable quality". In other words, security must be reasonably effective.

        Could be even more interesting if you paid to have it installed.

        Unfortunately warranty legislation never seems to apply to software - how often do you hear people getting their money back from Microsoft because Windows is buggy (that would be a design or manufacturing flaw, which is certainly covered for physical goods).

        • by AmiMoJo ( 196126 ) *

          There have been cases in the UK of people using the Sale of Goods Act with software. Bugs are expected, but if it fails to do the job it claims to do to a reasonable standard the SOGA applies.

          In this case firmware wouldn't really be an issue. The thing doesn't work properly. There is a login page which needs credentials and basic security, but the security is faulty. It's like a lock that is easily bypassed - if you paid more than a few quid for it you can reasonably expect more.

    • by AmiMoJo ( 196126 ) *

      I want it. Internet connected air con is the greatest thing since sliced bread. I can turn it on ten minutes before I get home, or switch the heating in my car on before I go out and while it is still plugged in to the wall.

      The security is fixable. I don't see Leafs or Model Ss getting hacked left, right and centre. Nor my smart TV or air con for that matter. Maybe because I chose good manufacturers who care about security.

      • The security is fixable.

        Don't count on it.
        That is, it probably can be fixed, but they won't be. Look at the example of this particular thermostat. If the programmers had been thinking much about security, it would have been a lot better.

      • I want it. Internet connected air con is the greatest thing since sliced bread. I can turn it on ten minutes before I get home

        If this does anything your unit is morbidly oversized.

        or switch the heating in my car on before I go out and while it is still plugged in to the wall.

        Switches are great inventions.

        I don't see Leafs or Model Ss getting hacked left, right and centre. Nor my smart TV or air con for that matter. Maybe because I chose good manufacturers who care about security.

        I'll assume you just forgot the smiley face.

    • Nobody needs a home thermometer and refrigerator connected to the internet.

      Don't know about the refrigerator, and I think you meant thermostat, because a thermometer hooked up to the internet would be darn useful up here. As is many buildings have alarms [temperaturealert.com] hooked up to phone lines that notify you if the temperature dips below a set temperature(40-50F, typically).

    • I don't want one (now), but I disagree.

      Some day they will probably make something of this sort that I do want.

Wouldn't it be nice to automatically know what you did and didn't have in the refrigerator, or make sure you turned the air conditioning off while on vacation?

      Perhaps. Perhaps not, but I imagine at some point something very useful and relevant could be made.
    • We have a connected thermostat. The local utility uses access to shift aircon run times out of phase to reduce peak loading. We get a substantial discount on electricity as a result.

    • by lkernan ( 561783 )

      Nobody needs a home thermometer and refrigerator connected to the internet

      But how will I know if i need to buy beer on the way home if i can't dial up my fridge?

Well, there are some things that it could be handy to have remote access to - like parking spaces - which it is not practical to have with IP4, but the big danger is the endless idiocy and frivolous crap that is inevitably going to swamp us. We've seen it over and over - television, this great tool for mass communication, and now it is 99% worthless entertainment for those hard of thinking. Then the PC and the internet: same thing. And the "internet of things" is going to be mostly hideous idiocy as well, w

    • Nobody needs a home thermometer and refrigerator connected to the internet. Gadget makers and tech press have been trying to foist this shit on us for years and nobody wants it. Let it die already.

      I'm not sure that's true - this stuff hasn't really hit the mainstream yet, but the same can be said about a lot of technology early on (how long ago was the internet "only for nerds"?)

I can certainly see a lot of uses for this stuff - my home thermostat lets me set different programs for every day, etc., but the UI isn't great and it's time-consuming to set. The UI deficiencies are mostly down to the fact that it has a limited display and a limited number of buttons - if I could control it from my web brows

    • by hodet ( 620484 )

      Just wait for the tidal wave of the "internet of crappy things".

    • Nobody needs a home thermometer and refrigerator connected to the internet.

      I'm with you on the fridge, but I'd love to have my thermostats and hot water heater thermostat connected to the Internet.

      My family travels a lot, and it would be convenient to be able to set back my thermostat and hot water heater so that they aren't wasting so much energy while we're out of town, and then set them back to normal settings when we're an hour or two away from home. I know programmable thermostats have been around a long time, but most don't support "go into vacation mode until Sunday at 7pm"

      • ... hot water heater ...

        I installed an on-demand Rinnai water heater - I love it. I'm out in the sticks, so mine runs on propane, but it's still a lot cheaper than electricity.

      • Why do you need to heat hot water?
        • Why do you need to heat hot water?

          Because if you don't heat hot water periodically, its temperature will eventually cool down until it reaches equilibrium with the ambient temperature in the room. It's this extraneous heating that I'd be trying to avoid with a smart hot water heater. It's wasteful to use energy to maintain 50 gallons of 110 degree water when nobody is home to use it.

    • You know it's funny that I was talking about this the other day with my wife. We were watching Gremlins 2, and that movie, made in the 80's, talks about "smart buildings" and all the items that were networked together. A lot of the ideas in that movie, although seemed strange in the 80's are here. ...but they're still strange.
  • by Marginal Coward ( 3557951 ) on Tuesday September 23, 2014 @11:54PM (#47980741)

    Finally! Wi-Fi enabled thermostats have found a set of customers who have a genuine need for them: security researchers. But if the thermostats were truly secure, even that small market would dry up. After all, who wants to play a game that can never be won?

    Personally, rather than buy a Wi-Fi thermostat, I've been training my cat to adjust the thermostat just before I come back after three-day weekends. In all honesty, I haven't had much luck with that so far, but I'll get the cat trained eventually, I know I will. Just gotta keep trying.

    Now that you mention it, though, I've really thought through the security implications of owning such a highly trained cat...

    • I've got a question, what possible motivation could anyone have for hacking my thermostat?
      • There's probably no good reason. But there's probably somebody out there who is at least as malicious as my cat.

• And that is solved by airgapping my thermostat, either by removing its wifi settings or setting up a local wifi network. I've got a spare router sitting in a box and I don't even have any connected devices to need a dedicated network. I'm just not seeing any reason that any effort at malice here wouldn't be exponentially more time-consuming than what it would take to thwart it.
      • Haven't you seen Mission Impossible? They want to hack your thermostat to bypass your infrared motion sensors.
  • by Scarletdown ( 886459 ) on Wednesday September 24, 2014 @12:01AM (#47980765) Journal

    Is it wise to buy a thermostat from a company calling itself Heatmiser? After all, the name is taken from a bloke who proudly declared that anything he touches, starts to melt in his clutch. [youtube.com]

  • by 93 Escort Wagon ( 326346 ) on Wednesday September 24, 2014 @12:59AM (#47980989)

    The way these companies pushing "the internet of things" devices are designing security into their products from the ground up. Sure, you might think, but it's so obvious to anyone that's been paying attention during the past decade that security had better be baked into these always-connected products - but you'd be wrong. So we are fortunate these companies aren't rushing their products to market while they contain trivially exploitable security holes.

    Well done, guys! Well done!

  • When the "Internet of things" became another M$ phrase I just thought cr*p, as I had to learn of it, to be safe. I like to be ahead of the game and a fairly good computer user till recently.

    A story...

I use an ASUS R66U router and doing a whois, damn if Asuswrt-Merlin wasn't on my system; it was open to where I had my pants down on the Internet. Merlin did send me a note (to a private computer that had no web pages to view) to take care of the problem but his software was the cause.

    Follow my post and see I su

    • Come again?
      • by msauve ( 701917 )
        I think his lead foil hat has affected his brain.
      • Come again?

        I'm sorry I don't write comments well but it doesn't stop me. I have many excuses but the truth is I should just stop posting.
        Sorry for wasting your time.

    • So much wrong here...

      1.) I'm a fan of Padavan's firmware myself, but it looks like it's only available for the 65u and not the 66u. Asus is actually pretty good about keeping the stock firmware up to date even on the relatively old n56u, so even stock isn't necessarily a bad deal. TomatoUSB and DD-WRT also install on this router. There were plenty of options if you were doing it yourself. If Merlin did you wrong, sticking with it is a fool's errand.

      2.) Either you installed the Merlin firmware on your router

• I can't quote your replies. Some text problem, but I do apologize Mr. Merlin; just today it hit me that a Xoom tablet was stolen by the same people;
        a lack of security on my part, I kept the wifi passwords the same. It was my fault for not changing passwords as soon as it was stolen.

        As for Swat, well time will tell.

        Geek Squad, I downloaded their private book on "how to fix computers" it was all common knowledge looking for problems, a waste of money and an embarrassment if they park in front of my place.

        Purch

• I can't quote your replies. Some text problem, but I do apologize Mr. Merlin

          No problem, but I'm not Merlin, or affiliated with him at all - just have had positive experiences with the firmware.

          just today it hit me that a Xoom tablet was stolen by the same people;

          So a known group of people both stole a tablet from you and modified your router? That sounds rather interesting, to say the least.

          a lack of security on my part, I kept the wifi passwords the same. It was my fault for not changing passwords as soon as it was stolen.

          Well, for it to be an actual security risk, the thieves would have to have not only your tablet, but your address. Now that could make sense if you had a break-in where it was stolen, but it again seems to be a rather unique set of fugitives who would break-and-en

  • ... the $%&^ out of exploiters.

    I mean my front door is highly exploitable with simple tools, but if you do it we throw you in a cage. On average it's pretty effective.

    • by jd2112 ( 1535857 )

      ... the $%&^ out of exploiters.

      I mean my front door is highly exploitable with simple tools, but if you do it we throw you in a cage. On average it's pretty effective.

Your local police are probably at least somewhat capable of investigating and prosecuting a physical break-in, but hacking your thermostat is almost certainly beyond their ability to investigate, and even if they could, the perpetrator is almost certainly outside their jurisdiction.

  • Really, is anybody surprised by this at all?

    Companies rush to get these products out the door, and are both designing it to be easy for the consumer and themselves.

    So they take shortcuts, utterly fail to think about real security, and themselves become security holes.

    This is why I won't buy things like a wifi thermostat, and why I think the internet of things will prove to be a terrible idea as we get inundated with products which have such crappy security they shouldn't exist.

    So screw your fancy thermostat

  • Connectivity and I/O features that aren't inherently necessary should be "hardware off" by default, and the end user should be made fully aware of any known or "it would be prudent to assume they are there" non-obvious risks of turning them on.

    One of the best features an "Internet-enabled" thermostat can have is a hardware "Internet on/off" switch, along with hard-to-miss warning on the packaging that hooking your device up to the Internet has risks some of which are not yet known.

    After reading such a warni

  • Clearly, a heated issue that will always drop in the end.

  • If the manufacturers wouldn't be so clingy, many of these problems would go away. They COULD embed a tiny web server in the device and just have it sit on the LAN. Ideally it would also have a very simple protocol to talk to (or at least a proper web API). But they insist on having the things connect to their server 'in the cloud'. Not just offer that, insist on it.

    I won't even consider installing such a thing until it willingly confines itself to my LAN. If I want remote access, it will go through another
