Popular Wi-Fi Thermostat Full of Security Holes
Threatpost reports:
Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover. Andrew Tierney, a "reverse-engineer by night" whose specialty is digging up bugs in embedded systems, wrote on his blog that he initially read about vulnerabilities in another one of the company's products, NetMonitor, and decided to poke around its product line further. This led him to discover a slew of issues in the company's Wi-Fi-enabled thermostats running firmware version 1.2. The issues range from simple security missteps to critical oversights. For example, when users go to connect the thermostat via a Windows utility, it uses default web credentials and PINs. ... Elsewhere, the thermostat leaks Wi-Fi credentials, like its password, username, Service Set Identifier (SSID) and so on, when it's logged in.
Related: O'Reilly Radar has an interesting conversation about what companies will vie for control of the internet-of-things ecosystem.
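As an added illustration (not code from Threatpost, Heatmiser or Tierney's write-up), the Python below models the two flaw classes the summary names, factory-default web credentials and PIN, and a status page that echoes stored Wi-Fi credentials to any logged-in session, next to a hardened version that forces a credential change and never returns stored secrets. The default values, field names and function names are assumptions for the sake of the example.

```python
"""Toy model of a Wi-Fi thermostat's web login and status page (example only).
It is not Heatmiser firmware; the defaults below are assumed placeholders."""
from dataclasses import dataclass
import hmac

# Assumed placeholder defaults; the real shipped values are not on the page.
DEFAULT_WEB_USER = "admin"
DEFAULT_WEB_PASSWORD = "admin"
DEFAULT_PIN = "0000"


@dataclass
class Thermostat:
    ssid: str
    wifi_password: str
    web_user: str = DEFAULT_WEB_USER
    web_password: str = DEFAULT_WEB_PASSWORD
    pin: str = DEFAULT_PIN
    logged_in: bool = False


def _eq(a: str, b: str) -> bool:
    # Constant-time compare so login timing does not reveal matching prefixes.
    return hmac.compare_digest(a.encode(), b.encode())


def uses_factory_credentials(dev: Thermostat) -> bool:
    web_default = _eq(dev.web_user, DEFAULT_WEB_USER) and _eq(dev.web_password, DEFAULT_WEB_PASSWORD)
    return web_default or _eq(dev.pin, DEFAULT_PIN)


# --- Behaviour as the summary describes it --------------------------------
def login_leaky(dev: Thermostat, user: str, password: str, pin: str) -> bool:
    # Happily opens a session on the factory defaults shipped in firmware.
    dev.logged_in = _eq(user, dev.web_user) and _eq(password, dev.web_password) and _eq(pin, dev.pin)
    return dev.logged_in


def status_page_leaky(dev: Thermostat) -> dict:
    # Echoes the stored Wi-Fi network credentials back to the browser.
    if not dev.logged_in:
        return {"error": "not logged in"}
    return {"ssid": dev.ssid, "wifi_password": dev.wifi_password, "web_user": dev.web_user}


# --- Hardened version -----------------------------------------------------
def change_credentials(dev: Thermostat, user: str, password: str, pin: str) -> bool:
    """Reject the factory defaults and trivially short secrets; True on success."""
    if _eq(user, DEFAULT_WEB_USER) and _eq(password, DEFAULT_WEB_PASSWORD):
        return False
    if _eq(pin, DEFAULT_PIN) or len(pin) < 6 or not pin.isdigit() or len(password) < 12:
        return False
    dev.web_user, dev.web_password, dev.pin = user, password, pin
    return True


def login_hardened(dev: Thermostat, user: str, password: str, pin: str) -> str:
    """Returns 'ok', 'denied', or 'must_change_credentials'."""
    if not (_eq(user, dev.web_user) and _eq(password, dev.web_password) and _eq(pin, dev.pin)):
        dev.logged_in = False
        return "denied"
    if uses_factory_credentials(dev):
        # Correct factory defaults get a forced-change step, never a session.
        dev.logged_in = False
        return "must_change_credentials"
    dev.logged_in = True
    return "ok"


def status_page_hardened(dev: Thermostat) -> dict:
    # Report connection state only; stored secrets never leave the device.
    if not dev.logged_in:
        return {"error": "not logged in"}
    return {"wifi": "connected"}
```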
Will this internet of things die already? (Score:5, Insightful)
Nobody needs a home thermometer and refrigerator connected to the internet. Gadget makers and tech press have been trying to foist this shit on us for years and nobody wants it. Let it die already.
Re: (Score:2)
'Tired of lazy tastebuds?' Runciter said in his familiar gravelly voice. 'Has boiled cabbage taken over your world of food? That same old, stale, flat, Monday-morning odor no matter how many dimes you put into your stove? Ubik changes all that; Ubik wakes up food flavor, puts hearty taste back where it belongs, and restores fine food smell.' On the screen a brightly colored spray can replaced Glen Runciter. 'One invisible puff-puff whisk of economically priced Ubik banishes compulsive obsessive fears that t
Re:Will this internet of things die already? (Score:4, Interesting)
I'd mostly be interested in using a smart thermostat for logging.
If I can detect HVAC performance problems just once before they lead to a dead system on a deadly hot summer day and an emergency call to a repair guy then it would easily have paid for itself in comfort.
Re: (Score:1)
Oh, I thought you were interested in the opposite and you wanted it to pay for itself in pain.
Re: (Score:2)
Mine's smart but not that smart.
I've had about 3 of them. The other 2 were damaged by lightning.
The HVAC system works with a changeover relay. Set to heat, it heats. Set to cool it cools.
When lightning hit, the thermostat's changeover switch blew. It would attempt to cool the house on a 90-degree day by running the heater. I'd get home and the place would be 115 inside.
Re: (Score:2)
I'd mostly be interested in using a smart thermostat for logging.
If I can detect HVAC performance problems just once before they lead to a dead system on a deadly hot summer day and an emergency call to a repair guy then it would easily have paid for itself in comfort.
Exactly this.
I have a Wifi connected thermostat and it has already proved more than useful.
I live in Canada. Went on 2-week vacation to Florida in the middle of winter. Did not check email the first day.
Next day, checked email. Furnace had been sending an email saying "high pressure switch stuck closed" for the last 7 hours. The barrage of emails started at 4:43 am. I had left the key with the neighbours and they were kind enough to let the service person inside the house. The service guy fixed the furnace
Re: (Score:1)
I built a logger using an Arduino that wrote a line of text data to a flat file on the attached SD card. Periodically I'd copy the file off the SD card onto my desktop, and use Excel to review the CSV data. It helped me identify that my gas heat system was short-cycling (running for too short a period, but many more times than needed), and with a small adjustment I was able to go from 30 four-minute heat cycles a night to 4 ten-minute heat cycles.
Make your own (Arduino), or buy a commercial one (http://
Re: (Score:2)
There is that, but if I were to want to log the internal climate of my apartment I'd want pressure and humidity too, and I'd wind up just getting one of those outdoor weather rigs and setting it up in the dining room. (The wind thing would become a "cats got up on the table and started playing" measure :)
Re: (Score:2)
Speaking of which, why isn't shit monitorable AT ALL in its current state? My A/C gets below a certain level of freon or puron or whatever and POOF, it's out. Why do I have to have "the guy" come out and charge and arm and a leg to see that there's a leak and refill it on the first hot day of the year? Why isn't it possible for OWNERS to see the levels, even with just plain old gauges? Hell, my POOL PUMP has a pressure gauge on it, and that's a LOT less important than my HVAC system.
Re: (Score:2)
The worst part is when the repair guy can't even figure out what the problem is.
You would think in a modern world that it would be pretty simple to add some relatively inexpensive sensors to help with diagnostics.
I saw one slashdotter replied with a 3rd party vendor for that but I imagine it also comes with a silly monthly fee for monitoring.
Re:Will this internet of things die already? (Score:4, Informative)
Seriously! How long would one have to be away and kicking himself that he forgot to change the thermostat setting before having one of these newfangled ones would pay for itself?
Looking at the spiel from Nest, these products pay for themselves through regular use, not through exceptions:
Auto-Schedule makes it easy to create an energy efficient schedule that can help you save up to 20% on your heating and cooling bills. All the Nest Thermostat's features combined can get you even bigger savings
More: https://nest.com/thermostat/sa... [nest.com]
Some dude, who may very well be paid by Nest, tweeted this:
After a year using my @Nest thermostat, I've saved $326.74 / 2,651 kWh over the previous year.
Linky: https://twitter.com/MattClippe... [twitter.com]
Not saying that all of the above is true, but at least it seems that they'd consider your premise incorrect.
Re: (Score:3)
Looking at the spiel from Nest, these products pay for themselves through regular use, not through exceptions:
A cheap programmable thermostat pays for itself quicker.
Auto-Schedule makes it easy to create an energy efficient schedule that can help you save up to 20% on your heating and cooling bills. All the Nest Thermostat's features combined can get you even bigger savings
I give a shit about results only seen by a few outliers... honest..
After a year using my @Nest thermostat, I've saved $326.74 / 2,651 kWh over the previous year.
If I were selling a product that really did all the wonderful things claimed I would want the world to know about it by providing credible evidence supporting my assertions. Instead we are treated to a bunch of people saying they saved x, y and z over last year... which is to say the least.. completely worthless.
Patiently awaiting credible evidence...
Re:Will this internet of things die already? (Score:5, Insightful)
Which is completely meaningless. My energy bills can easily vary that much over a year depending on weather conditions, without me doing anything around my own behavior. $300 in the typical ~2500 ft suburban home over the course of an entire year is indistinguishable from noise.
Re: (Score:2)
Or, perhaps more to the point of this entire thread, a "smart" thermostat that gets hacked and ends up costing you 4x what it should.
Or a logging server that gets hacked to determine if the motion sensor has been tripped in the last hour or two, indicating an empty house ripe for theft.
If and only if you are being targeted. I have no idea why a person who can hack or likes to hack would go around and mess around with anyone randomly. There must be a reason why. Hacking is not something you do and expect no consequence (backfire). If you are smart enough to cover your tracks, then again it is even more questionable why you would go around and do it randomly? Even theft, it is not worthwhile to select a random house with the system to rob. Why? The thief may get only worthless junk from the
Re: (Score:2)
Seriously, how many times will it take one of these things running the heat or AC constantly, either because it's a badly built hunk of crap or because someone pwned it, before they wish they'd have stuck with their 10 year old setback?
Re: (Score:1)
Exactly right. Give me mercury or give me death!
Re:Will this internet of things die already? (Score:5, Insightful)
Hopefully people will exercise their legal rights to correct this kind of thing. For example, goods must be "fit for purpose" and of "reasonable quality". In other words, security must be reasonably effective.
Could be even more interesting if you paid to have it installed.
Re: (Score:2)
Anything "on the frontier" needs whacked into shape a bit.
Re: (Score:2)
Hopefully people will exercise their legal rights to correct this kind of thing. For example, goods must be "fit for purpose" and of "reasonable quality". In other words, security must be reasonably effective.
Could be even more interesting if you paid to have it installed.
Unfortunately warranty legislation never seems to apply to software - how often do you hear people getting their money back from Microsoft because Windows is buggy (that would be a design or manufacturing flaw, which is certainly covered for physical goods).
Re: (Score:2)
There have been cases in the UK of people using the Sale of Goods Act with software. Bugs are expected, but if it fails to do the job it claims to do to a reasonable standard the SOGA applies.
In this case firmware wouldn't really be an issue. The thing doesn't work properly. There is a login page which needs credentials and basic security, but the security is faulty. It's like a lock that is easily bypassed - if you paid more than a few quid for it you can reasonably expect more.
Re: (Score:2)
I want it. Internet connected air con is the greatest thing since sliced bread. I can turn it on ten minutes before I get home, or switch the heating in my car on before I go out and while it is still plugged in to the wall.
The security is fixable. I don't see Leafs or Model Ss getting hacked left, right and centre. Nor my smart TV or air con for that matter. Maybe because I chose good manufacturers who care about security.
Re: (Score:2)
The security is fixable.
Don't count on it.
That is, it probably can be fixed, but they won't be. Look at the example of this particular thermostat. If the programmers had been thinking much about security, it would have been a lot better.
Re: (Score:2)
I want it. Internet connected air con is the greatest thing since sliced bread. I can turn it on ten minutes before I get home
If this does anything your unit is morbidly oversized.
or switch the heating in my car on before I go out and while it is still plugged in to the wall.
Switches are great inventions.
I don't see Leafs or Model Ss getting hacked left, right and centre. Nor my smart TV or air con for that matter. Maybe because I chose good manufacturers who care about security.
I'll assume you just forgot the smiley face.
Re: (Score:1)
If this does anything your unit is morbidly oversized.
Look, let's just leave the size of his unit out of this...
Re: (Score:2)
Nobody needs a home thermometer and refrigerator connected to the internet.
Don't know about the refrigerator, and I think you meant thermostat, because a thermometer hooked up to the internet would be darn useful up here. As is, many buildings have alarms [temperaturealert.com] hooked up to phone lines that notify you if the temperature dips below a set temperature (40-50F, typically).
Re: (Score:3)
Some day they will probably make something of this sort that I do want.
Wouldn't it be nice to automatically know what you did and didn't have in the refrigerator, or make sure you turned the air conditioning off while on vacation.
Perhaps. Perhaps not, but I imagine at some point something very useful and relevant could be made.
Re: (Score:1)
We have a connected thermostat. The local utility uses access to shift aircon run times out of phase to reduce peak loading. We get a substantial discount on electricity as a result.
Re: (Score:1)
Nobody needs a home thermometer and refrigerator connected to the internet
But how will I know if I need to buy beer on the way home if I can't dial up my fridge?
Re: (Score:2)
Well, there are some things that it could be handy to have remote access to - like parking spaces - which it is not practical to have with IP4, but the big danger is the endless idiocy and frivolous crap that is inevitably going to swamp us. We've seen it over and over - television, this great tool for mass communication, and now it is 99% worthless entertainment for those hard of thinking. Then the PC and the internet: same thing. And the "internet of things" is going to be mostly hideous idiocy as well, w
Re: (Score:2)
Nobody needs a home thermometer and refrigerator connected to the internet. Gadget makers and tech press have been trying to foist this shit on us for years and nobody wants it. Let it die already.
I'm not sure that's true - this stuff hasn't really hit the mainstream yet, but the same can be said about a lot of technology early on (how long ago was the internet "only for nerds"?)
I can certainly see a lot of uses for this stuff - my home thermostat lets me set different programs for every day, etc. but the UI isn't great and it's time consuming to set. The UI deficiencies are mostly down to the fact that it has a limited display and a limited number of buttons - if I could control it from my web brows
Re: (Score:2)
Just wait for the tidal wave of the "internet of crappy things".
Re: (Score:2)
Nobody needs a home thermometer and refrigerator connected to the internet.
I'm with you on the fridge, but I'd love to have my thermostats and hot water heater thermostat connected to the Internet.
My family travels a lot, and it would be convenient to be able to set back my thermostat and hot water heater so that they aren't wasting so much energy while we're out of town, and then set them back to normal settings when we're an hour or two away from home. I know programmable thermostats have been around a long time, but most don't support "go into vacation mode until Sunday at 7pm"
Re: (Score:2)
... hot water heater ...
I installed an on-demand Rinnai water heater - I love it. I'm out in the sticks, so mine runs on propane, but it's still a lot cheaper than electricity.
Re: (Score:2)
Why do you need to heat hot water?
Because if you don't heat hot water periodically, its temperature will eventually cool down until it reaches equilibrium with the ambient temperature in the room. It's this extraneous heating that I'd be trying to avoid with a smart hot water heater. It's wasteful to use energy to maintain 50 gallons of 110 degree water when nobody is home to use it.
Customers for Wi-Fi enabled thermostats (Score:5, Funny)
Finally! Wi-Fi enabled thermostats have found a set of customers who have a genuine need for them: security researchers. But if the thermostats were truly secure, even that small market would dry up. After all, who wants to play a game that can never be won?
Personally, rather than buy a Wi-Fi thermostat, I've been training my cat to adjust the thermostat just before I come back after three-day weekends. In all honesty, I haven't had much luck with that so far, but I'll get the cat trained eventually, I know I will. Just gotta keep trying.
Now that you mention it, though, I've really thought through the security implications of owning such a highly trained cat...
Re: (Score:2)
Hmmm, practicing standup on /.?
Don't quit your day job.
At least he had the guts to log in.
Re: (Score:2)
haha, bazinga!
AC Shaming: the new Black
Re: (Score:1)
Thanks for sticking up for me, but I didn't actually have much to lose. My philosophy is: when life throws you tomatoes, make tomato paste.
Re: (Score:1)
There's probably no good reason. But there's probably somebody out there who is at least as malicious as my cat.
Re: (Score:1)
You don't understand...my cat has a *LOT* of time on her paws...
Fire Hazard Warning (Score:3)
Is it wise to buy a thermostat from a company calling itself Heatmiser? After all, the name is taken from a bloke who proudly declared that anything he touches, starts to melt in his clutch. [youtube.com]
Re: (Score:2)
He's too much!
You know what's great? (Score:3)
The way these companies pushing "the internet of things" devices are designing security into their products from the ground up. Sure, you might think, but it's so obvious to anyone that's been paying attention during the past decade that security had better be baked into these always-connected products - but you'd be wrong. So we are fortunate these companies aren't rushing their products to market while they contain trivially exploitable security holes.
Well done, guys! Well done!
Avoid Asuswrt-Merlin if it's a choice. (Score:2)
When the "Internet of things" became another M$ phrase I just thought cr*p, as I had to learn of it, to be safe. I like to be ahead of the game and a fairly good computer user till recently.
A story...
I use an ASUS R66U router and doing a whois, damn if Asuswrt-Merlin wasn't on my system; it was open to where I had my pants down on the Internet. Merlin did send me a note (to a private computer that had no web pages to view) to take care of the problem but his software was the cause.
Follow my post and see I su
Re: (Score:2)
Come again?
I'm sorry I don't write comments well but it doesn't stop me. I have many excuses but the truth is I should just stop posting.
Sorry for wasting your time.
Re: (Score:2)
So much wrong here...
1.) I'm a fan of Padavan's firmware myself, but it looks like it's only available for the 65u and not the 66u. Asus is actually pretty good about keeping the stock firmware up to date even on the relatively old n56u, so even stock isn't necessarily a bad deal. TomatoUSB and DD-WRT also install on this router. There were plenty of options if you were doing it yourself. If Merlin did you wrong, sticking with it is a fool's errand.
2.) Either you installed the Merlin firmware on your router
Re: (Score:2)
I can't quote your replies (some text problem) but I do apologize Mr. Merlin; just today it hit me that a Xoom tablet was stolen by the same people;
a lack of security on my part, I kept the wifi passwords the same. It was my fault for not changing passwords as soon as it was stolen.
As for Swat, well time will tell.
Geek Squad, I downloaded their private book on "how to fix computers" it was all common knowledge looking for problems, a waste of money and an embarrassment if they park in front of my place.
Purch
Re: (Score:2)
I can't quote your replies (some text problem) but I do apologize Mr. Merlin
No problem, but I'm not Merlin, or affiliated with him at all - just have had positive experiences with the firmware.
just today it hit me that a Xoom tablet was stolen by the same people;
So a known group of people both stole a tablet from you and modified your router? That sounds rather interesting, to say the least.
a lack of security on my part, I kept the wifi passwords the same. It was my fault for not changing passwords as soon as it was stolen.
Well, for it to be an actual security risk, the thieves would have to have not only your tablet, but your address. Now that could make sense if you had a break-in where it was stolen, but it again seems to be a rather unique set of fugitives who would break-and-en
It would be nice if we could just prosecute ... (Score:2)
... the $%&^ out of exploiters.
I mean my front door is highly exploitable with simple tools, but if you do it we throw you in a cage. On average it's pretty effective.
Re: (Score:2)
... the $%&^ out of exploiters.
I mean my front door is highly exploitable with simple tools, but if you do it we throw you in a cage. On average it's pretty effective.
Your local police is probably at least somewhat capable of investigating and prosecuting a physical break-in but hacking your thermostat is almost certainly beyond their ability to investigate and even if they could the perpetrator is almost certainly outside their jurisdiction.
Re: (Score:2)
I am afraid we are using technology where technology is not needed.
Wireless gizmos are becoming very common since they mean you don't need to dig holes in your walls to run the cables.
I have 2 wireless thermostats - the wireless isn't used to set them remotely, it is used for them to communicate with the boiler. On the whole they work pretty well (and yes, I'm sure the protocol is so trivial that someone could probably sit outside my house and turn the boiler on/off if they cared enough). That said, if I could point my browser at the thermostat instead of having to fiddl
Who is surprised? (Score:2)
Really, is anybody surprised by this at all?
Companies rush to get these products out the door, and are both designing it to be easy for the consumer and themselves.
So they take shortcuts, utterly fail to think about real security, and themselves become security holes.
This is why I won't buy things like a wifi thermostat, and why I think the internet of things will prove to be a terrible idea as we get inundated with products which have such crappy security they shouldn't exist.
So screw your fancy thermostat
Be careful with "The Internet of Things" (Score:1)
Connectivity and I/O features that aren't inherently necessary should be "hardware off" by default, and the end user should be made fully aware of any known or "it would be prudent to assume they are there" non-obvious risks of turning them on.
One of the best features an "Internet-enabled" thermostat can have is a hardware "Internet on/off" switch, along with hard-to-miss warning on the packaging that hooking your device up to the Internet has risks some of which are not yet known.
After reading such a warni
Thermostat + wifi? (Score:2)
Clearly, a heated issue that will always drop in the end.
Clingy corps (Score:2)
If the manufacturers wouldn't be so clingy, many of these problems would go away. They COULD embed a tiny web server in the device and just have it sit on the LAN. Ideally it would also have a very simple protocol to talk to (or at least a proper web API). But they insist on having the things connect to their server 'in the cloud'. Not just offer that, insist on it.
I won't even consider installing such a thing until it willingly confines itself to my LAN. If I want remote access, it will go through another
Re: (Score:2)
IoT = Internet of Turds.
Internet of Turds^H^H^H^H^H SPIES.