Slashdot Mirror


Popular Wi-Fi Thermostat Full of Security Holes

Threatpost reports: Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover. Andrew Tierney, a "reverse-engineer by night," whose specialty is digging up bugs in embedded systems, wrote on his blog that he initially read about vulnerabilities in another one of the company's products, NetMonitor, and decided to poke around its product line further. This led him to discover a slew of issues in the company's Wi-Fi-enabled thermostats running firmware version 1.2. The issues range from simple security missteps to critical oversights. For example, when users go to connect the thermostat via a Windows utility, it uses default web credentials and PINs. ... Elsewhere, the thermostat leaks Wi-Fi credentials, like its password, username, Service Set Identifier (SSID) and so on, when it's logged in. Related: O'Reilly Radar has an interesting conversation about what companies will vie for control of the internet-of-things ecosystem.

103 comments

  1. Will this internet of things die already? by Spy+Handler · · Score: 4, Insightful

    Nobody needs a home thermometer and refrigerator connected to the internet. Gadget makers and tech press have been trying to foist this shit on us for years and nobody wants it. Let it die already.

    1. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      Speak for yourself, I rather like my nest. Apparently a lot of people do too, and it is alive and kicking.

    2. Re:Will this internet of things die already? by camperdave · · Score: 1, Redundant

      Seriously! How long would one have to be away and kicking himself that he forgot to change the thermostat setting before having one of these new fangled ones would pay for itself?

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:Will this internet of things die already? by AmiMoJo · · Score: 5, Insightful

      Hopefully people will exercise their legal rights to correct this kind of thing. For example, goods must be "fit for purpose" and of "reasonable quality". In other words, security must be reasonably effective.

      Could be even more interesting if you paid to have it installed.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Will this internet of things die already? by AmiMoJo · · Score: 1

      I want it. Internet connected air con is the greatest thing since sliced bread. I can turn it on ten minutes before I get home, or switch the heating in my car on before I go out and while it is still plugged in to the wall.

      The security is fixable. I don't see Leafs or Model Ss getting hacked left, right and centre. Nor my smart TV or air con for that matter. Maybe because I chose good manufacturers who care about security.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Will this internet of things die already? by phantomfive · · Score: 1

      The security is fixable.

      Don't count on it.
      That is, it probably can be fixed, but they won't be. Look at the example of this particular thermostat. If the programmers had been thinking much about security, it would have been a lot better.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Will this internet of things die already? by Firethorn · · Score: 1

      Nobody needs a home thermometer and refrigerator connected to the internet.

      Don't know about the refrigerator, and I think you meant thermostat, because a thermometer hooked up to the internet would be darn useful up here. As is, many buildings have alarms hooked up to phone lines that notify you if the temperature dips below a set temperature (40-50F, typically).

      --
      I don't read AC A human right
    7. Re:Will this internet of things die already? by DarkTempes · · Score: 3, Interesting

      I'd mostly be interested in using a smart thermostat for logging.
      If I can detect HVAC performance problems just once before they lead to a dead system on a deadly hot summer day and an emergency call to a repair guy then it would easily have paid for itself in comfort.

    8. Re:Will this internet of things die already? by GNious · · Score: 3, Informative

      Seriously! How long would one have to be away and kicking himself that he forgot to change the thermostat setting before having one of these new fangled ones would pay for itself?

      Looking at the spiel from Nest, these products pay for themselves through regular use, not through exceptions:

      Auto-Schedule makes it easy to create an energy efficient schedule that can help you save up to 20% on your heating and cooling bills. All the Nest Thermostat's features combined can get you even bigger savings

      More: https://nest.com/thermostat/sa...

      Some dude, who may very well be paid by Nest, tweeted this:

      After a year using my @Nest thermostat, I've saved $326.74 / 2,651 kWh over the previous year.

      Linky: https://twitter.com/MattClippe...

      Not saying that all of the above is true, but at least it seems that they'd consider your premise incorrect.

    9. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      That's what SHE said!

    10. Re:Will this internet of things die already? by TrollstonButterbeans · · Score: 2

      I don't want one (now), but I disagree.

      Some day they will probably make something of this sort that I do want.

      Wouldn't it be nice to automatically know what you did and didn't have in the refrigerator or make sure you turned the air conditioning off while on vacation?

      Perhaps. Perhaps not, but I imagine at some point something very useful and relevant could be made.

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    11. Re:Will this internet of things die already? by TrollstonButterbeans · · Score: 1

      I am glad they are discovering these security issues and addressing them. Maybe in 5 years, most of these kinds of devices will be secure.

      Anything "on the frontier" needs whacked into shape a bit.

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    12. Re:Will this internet of things die already? by WaffleMonster · · Score: 1

      I want it. Internet connected air con is the greatest thing since sliced bread. I can turn it on ten minutes before I get home

      If this does anything your unit is morbidly oversized.

      or switch the heating in my car on before I go out and while it is still plugged in to the wall.

      Switches are great inventions.

      I don't see Leafs or Model Ss getting hacked left, right and centre. Nor my smart TV or air con for that matter. Maybe because I chose good manufacturers who care about security.

      I'll assume you just forgot the smiley face.

    13. Re:Will this internet of things die already? by dave-man · · Score: 1

      We have a connected thermostat. The local utility uses access to shift aircon run times out of phase to reduce peak loading. We get a substantial discount on electricity as a result.

      --
      Bill Gates is a communist -- he's just more equal than the rest of us.
    14. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      How about thermomix connect to fridge connected to recipe database? You have x,y and a, how about putting them into thermomix while I download recipe z to cook your dinner?

    15. Re:Will this internet of things die already? by Cornwallis · · Score: 1

      An Internet-connected thermostat isn't needed for this. 20 years ago our suburban Maryland home had its heat pump on a utility-controlled program - Kilowatchers - that did the same thing without the Internet. The utility was able to switch the heat pump on and off over the power lines offering the same type of discount thanks to a switch they hung on the outside compressor. It worked great. I see they have discontinued it and started this Internet crap.

    16. Re:Will this internet of things die already? by lkernan · · Score: 1

      Nobody needs a home thermometer and refrigerator connected to the internet

      But how will I know if I need to buy beer on the way home if I can't dial up my fridge?

    17. Re:Will this internet of things die already? by WaffleMonster · · Score: 2

      Looking at the spiel from Nest, these products pay for themselves through regular use, not through exceptions:

      A cheap programmable thermostat pays for itself quicker.

      Auto-Schedule makes it easy to create an energy efficient schedule that can help you save up to 20% on your heating and cooling bills. All the Nest Thermostat's features combined can get you even bigger savings

      I give a shit about results only seen by a few outliers... honest..

      After a year using my @Nest thermostat, I've saved $326.74 / 2,651 kWh over the previous year.

      If I were selling a product that really did all the wonderful things claimed I would want the world to know about it by providing credible evidence supporting my assertions. Instead we are treated to a bunch of people saying they saved x, y and z over last year... which is to say the least.. completely worthless.

      Patiently awaiting credible evidence...

    18. Re:Will this internet of things die already? by jandersen · · Score: 1

      Well, there are some things that it could be handy to have remote access to - like parking spaces - which it is not practical to have with IP4, but the big danger is the endless idiocy and frivolous crap that is inevitably going to swamp us. We've seen it over and over - television, this great tool for mass communication, and now it is 99% worthless entertainment for those hard of thinking. Then the PC and the internet: same thing. And the "internet of things" is going to be mostly hideous idiocy as well, which is a shame, because it could be a good thing.

    19. Re:Will this internet of things die already? by GoddersUK · · Score: 1

      Well it happened to Passepartout in Around the World in Eighty Days... :p

    20. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      Seriously! How long would one have to be away and kicking himself that he forgot to change the thermostat setting before having one of these new fangled ones would pay for itself?

      Or, perhaps more to the point of this entire thread, a "smart" thermostat that gets hacked and ends up costing you 4x what it should.

      Or a logging server that gets hacked to determine if the motion sensor has been tripped in the last hour or two, indicating an empty house ripe for theft.

      And yes, dismissing these scenarios as "impossible" is exactly how the hell this kind of weak-ass security mentality spreads.

    21. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      Hopefully people will exercise their legal rights to correct this kind of thing. For example, goods must be "fit for purpose" and of "reasonable quality". In other words, security must be reasonably effective.

      Could be even more interesting if you paid to have it installed.

      "Fit for purpose" may be defined differently when a "smart" fridge gets hacked and ruins a frat party by making all the beer warm.

      When someone ends up dying because they could not maintain their insulin at the proper temperature due to a hacked smart fridge, laws may change. Until then, expect nothing more than D-grade consumer wifi SHIT to be installed across the entire IoT landscape.

    22. Re:Will this internet of things die already? by FireFury03 · · Score: 1

      Nobody needs a home thermometer and refrigerator connected to the internet. Gadget makers and tech press have been trying to foist this shit on us for years and nobody wants it. Let it die already.

      I'm not sure that's true - this stuff hasn't really hit the mainstream yet, but the same can be said about a lot of technology early on (how long ago was the internet "only for nerds"?)

      I can certainly see a lot of uses for this stuff - my home thermostat lets me set different programs for every day, etc. but the UI isn't great and it's time consuming to set. The UI deficiencies are mostly down to the fact that it has a limited display and a limited number of buttons - if I could control it from my web browser it'd be much easier to use.

      I'm not entirely sure what you'd expect from an internet connected fridge - it could be useful for stuff like dynamic power use to reduce the load on the electricity grid. But a more consumer-focussed idea would be tracking what's actually in the fridge (would require RFID labelled products or similar) - I can't count the number of times I've found myself in the supermarket and thought "I wonder if we've got any milk left?", or "Is there space in the freezer for this?" - being able to easily check that kind of thing remotely would certainly be useful. At the moment this is all in the "nerds only" stage, but how long until it integrates with your shopping list, automatically tells you what you've run out of and is used by a large chunk of the population?

      I guess something that will hold back adoption of these technologies is that they are in devices that don't frequently get replaced - I've had my fridge for 14 years and I'm not planning on replacing it until it dies. But then the same could be said for TVs and a lot of people have recently replaced perfectly good CRTs with LCD smart TVs so at some point the jump in technology gets good enough for people to bite the bullet and upgrade.

    23. Re:Will this internet of things die already? by FireFury03 · · Score: 1

      Hopefully people will exercise their legal rights to correct this kind of thing. For example, goods must be "fit for purpose" and of "reasonable quality". In other words, security must be reasonably effective.

      Could be even more interesting if you paid to have it installed.

      Unfortunately warranty legislation never seems to apply to software - how often do you hear people getting their money back from Microsoft because Windows is buggy (that would be a design or manufacturing flaw, which is certainly covered for physical goods).

    24. Re:Will this internet of things die already? by AmiMoJo · · Score: 1

      There have been cases in the UK of people using the Sale of Goods Act with software. Bugs are expected, but if it fails to do the job it claims to do to a reasonable standard the SOGA applies.

      In this case firmware wouldn't really be an issue. The thing doesn't work properly. There is a login page which needs credentials and basic security, but the security is faulty. It's like a lock that is easily bypassed - if you paid more than a few quid for it you can reasonably expect more.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    25. Re:Will this internet of things die already? by hodet · · Score: 1

      Just wait for the tidal wave of the "internet of crappy things".

    26. Re:Will this internet of things die already? by DarkOx · · Score: 1

      Seriously how many times will it take one of these things running the heat or AC constantly either because it's a badly built hunk of crap or because someone pwned it before they wish they'd have stuck with their 10 year old setback?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    27. Re:Will this internet of things die already? by DarkOx · · Score: 5, Insightful

      Which is completely meaningless. My energy bills can easily vary that much over a year depending on weather conditions; without me doing anything around my own behavior. $300 in the typical ~2500 ft suburban home over the course of an entire year is indistinguishable from noise.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    28. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      I have the Honeywell wifi thermostat. Love it. I use it to remotely freeze my roommate out of the house when I'm not home and get it nice and cozy when I get back!

    29. Re:Will this internet of things die already? by Marginal+Coward · · Score: 1

      Exactly right. Give me mercury or give me death!

    30. Re:Will this internet of things die already? by Marginal+Coward · · Score: 1

      If this does anything your unit is morbidly oversized.

      Look, let's just leave the size of his unit out of this...

    31. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      I don't lock my garbage can either, although the black vans outside my house remind me to shred everything. Admittedly, this is going to cause a big headache for IT departments, especially if it bolsters the H1-B argument. Armed security guards posted at increased frequency in the workplace, are still cheaper than IT.
      Wow, I just thought of a job I had a long time ago that didn't have armed security. OK, I made that last part up. Well, the first part too. I DO lock my garbage can up....cause that's where I live nowadays since Obama foreclosed on my house...sigh

    32. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      I feel the same way about the whole "a 3D printer pays for itself in a year" horseshit from the True Believers.

    33. Re:Will this internet of things die already? by Slashdot+Parent · · Score: 1

      Nobody needs a home thermometer and refrigerator connected to the internet.

      I'm with you on the fridge, but I'd love to have my thermostats and hot water heater thermostat connected to the Internet.

      My family travels a lot, and it would be convenient to be able to set back my thermostat and hot water heater so that they aren't wasting so much energy while we're out of town, and then set them back to normal settings when we're an hour or two away from home. I know programmable thermostats have been around a long time, but most don't support "go into vacation mode until Sunday at 7pm".

      --
      They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
    34. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      That's what she said, before I got the restraining order that is.

    35. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      If I can detect HVAC performance problems just once before they lead to a dead system on a deadly hot summer day and an emergency call to a repair guy then it would easily have paid for itself in comfort.

      I'm in Canada, and I would be interested in the opposite: a failure in the middle of winter.

    36. Re:Will this internet of things die already? by Muad'Dave · · Score: 1

      ... hot water heater ...

      I installed an on-demand Rinnai water heater - I love it. I'm out in the sticks, so mine runs on propane, but it's still a lot cheaper than electricity.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    37. Re:Will this internet of things die already? by RabidReindeer · · Score: 1

      Mine's smart but not that smart.

      I've had about 3 of them. The other 2 were damaged by lightning.

      The HVAC system works with a changeover relay. Set to heat, it heats. Set to cool it cools.

      When lightning hit, the thermostat's changeover switch blew. It would attempt to cool the house on a 90-degree day by running the heater. I'd get home and the place would be 115 inside.

    38. Re:Will this internet of things die already? by Corporate+Gadfly · · Score: 1

      I'd mostly be interested in using a smart thermostat for logging.
      If I can detect HVAC performance problems just once before they lead to a dead system on a deadly hot summer day and an emergency call to a repair guy then it would easily have paid for itself in comfort.

      Exactly this.

      I have a Wifi connected thermostat and it has already proved more than useful.

      I live in Canada. Went on 2-week vacation to Florida in the middle of winter. Did not check email the first day.

      Next day, checked email. Furnace had been sending an email saying "high pressure switch stuck closed" for the last 7 hours. The barrage of emails started at 4:43 am. I had left the key with the neighbours and they were kind enough to let the service person inside the house. The service guy fixed the furnace (under warranty) by replacing the malfunctioning part.

      TL;DR: wifi connected thermostat ended up possibly saving the house from frozen, burst pipes.

      --
      Corporate Gadfly
      Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
    39. Re:Will this internet of things die already? by LasVeganLucy · · Score: 1

      Why do you need to heat hot water?

    40. Re:Will this internet of things die already? by parkinglot777 · · Score: 1

      Or, perhaps more to the point of this entire thread, a "smart" thermostat that gets hacked and ends up costing you 4x what it should.

      Or a logging server that gets hacked to determine if the motion sensor has been tripped in the last hour or two, indicating an empty house ripe for theft.

      If and only if you are being targeted. I have no idea why a person who can hack or likes to hack would go around and mess around with anyone randomly. There must be a reason why. Hacking is not something you do and expect no consequence (backfire). If you are smart enough to cover your tracks, then again it is even more questionable why you would go around and do it randomly? Even theft, it is not worth while to select a random house with the system to rob. Why? The theft may get only worthless junk from the house and is not worth the risk.

      And yes, dismissing these scenarios as "impossible" is exactly how the hell this kind of weak-ass security mentality spreads.

      I agree that they should not implement something and disregard the security, but your reasons are not enough for the argument. If you simply said the reason they should have better security just in case to save their behind for any security incidents, I wouldn't disagree with your reasoning.

    41. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      how about ComfortGuard (http://mycomfortguard.com/) which will not only alert you of potential HVAC equipment failures, but also equipment inefficiencies (over / undercharged compressors, dirty air filters, wrong fan speed taps, etc)?

      disclaimer - I work for Emerson White-Rodgers.

    42. Re:Will this internet of things die already? by BringsApples · · Score: 1

      You know it's funny that I was talking about this the other day with my wife. We were watching Gremlins 2, and that movie, made in the 80's, talks about "smart buildings" and all the items that were networked together. A lot of the ideas in that movie, although seemed strange in the 80's are here. ...but they're still strange.

      --
      Politics; n. : A religion whereby man is god.
    43. Re:Will this internet of things die already? by Slashdot+Parent · · Score: 1

      Why do you need to heat hot water?

      Because if you don't heat hot water periodically, its temperature will eventually cool down until it reaches equilibrium with the ambient temperature in the room. It's this extraneous heating that I'd be trying to avoid with a smart hot water heater. It's wasteful to use energy to maintain 50 gallons of 110 degree water when nobody is home to use it.

      --
      They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
    44. Re:Will this internet of things die already? by Jeremiah+Cornelius · · Score: 1

      'Tired of lazy tastebuds?' Runciter said in his familiar gravelly voice. 'Has boiled cabbage taken over your world of food? That same old, stale, flat, Monday-morning odor no matter how many dimes you put into your stove? Ubik changes all that; Ubik wakes up food flavor, puts hearty taste back where it belongs, and restores fine food smell.' On the screen a brightly colored spray can replaced Glen Runciter. 'One invisible puff-puff whisk of economically priced Ubik banishes compulsive obsessive fears that the entire world is turning into clotted milk, worn-out tape recorders and obsolete iron-cage elevators, plus other, further, as-yet-unglimpsed manifestations of decay. You see, world deterioration of this regressive type is a normal experience of many half-lifers, especially in the early stages when ties to the real reality are still very strong. A sort of lingering universe is retained as a residual charge, experienced as a pseudo environment but highly unstable and unsupported by any ergic substructure. This is particularly true when several memory systems are fused, as in the case of you people. But with today's new, more-powerful-than-ever Ubik, all this is changed!'

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    45. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      Holy fuck, you people in Canada get vacations?!!

    46. Re:Will this internet of things die already? by Anonymous Coward · · Score: 1

      I built a logger using an Arduino that wrote a line of text data to a flat file on the attached SD card. Periodically I'd copy the file off the SD card onto my desktop, and use Excel to review the CSV data. It helped me identify that my gas heat system was short-cycling (running for too short of a period, but many more times than needed), and with a small adjustment I was able to go from 30, 4 minute heat cycles at night to 4, 10 minute heat cycles.

      Make your own (Arduino), or buy a commercial one (http://www.onsetcomp.com/). It does the data collection well, and exposes no internet-of-things security holes. You don't need a thermostat connected to the net.

    47. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      I'm not sure where you live, or how much you're spending on your energy bills, but $300 for our 2400 sq. ft home would cover 2 of the hottest months of the year (July and August of this year were right at $300, combined, for electricity). And we live in Austin, TX (very hot summers, generally highs in the 90's and 100's most of the summer, lows in the 80's; but very mild winters, so our natural gas bill for heating is basically noise in our situation...the hot water heater uses a base amount every month, and the heater maybe adds $20-$40 for the whole winter, depending on how cold it gets).

      We did have our house inspected and upgraded for insulation, weather stripping, etc. as part of an energy saving program a few years ago, and that brought our costs down a lot.

      And yes, we have a Nest. And it does save us quite a bit of money, mostly for the daily stuff (scheduled cooling and the auto-away in particular helps out a lot, and being able to schedule the house fan to run periodically at night allows us to keep the temp higher, since it keeps the house balanced out, instead of some areas being too hot even though the temp at the thermostat is fine).

      We also get paid to be part of Austin Energy's "Rush Hour" program (helps them even out the power demand on really hot days). Last year they sent us a check for $75 (haven't received this year's yet, since we're still in summer conditions here).

      Our Nest has easily saved enough to pay for it (and quite a bit more) since we got it (2.5 years ago).

    48. Re:Will this internet of things die already? by Slim_Jack · · Score: 1

      Thanks to America printing dollars faster than toilet paper Canadians can come down and live like kings on their [less devalued] currency

    49. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      "Nobody needs a home thermometer and refrigerator connected to the internet. Gadget makers and tech press have been trying to foist this shit on us for years and nobody wants it. Let it die already."

      I agree. We don't need every electrical/electronic item in our lives connected to the internet! Especially stupid are the TV sets with a camera and microphone so you can be watched and listened to whenever someone wants to do so. I don't like the idea of cars with a GPS that reports its position constantly. And Onstar and similar systems are nothing but a cell phone installed in your car that you can't control. Onstar can be turned on remotely without the car owner's knowledge as can any so called "smart phone".

      The more devices you have that are connected to the internet, the more of what little privacy you have left these days is lost.

      JUST SAY NO!!

    50. Re:Will this internet of things die already? by Anonymous Coward · · Score: 1

      Oh, I thought you were interested in the opposite and you wanted it to pay for itself in pain.

    51. Re:Will this internet of things die already? by suutar · · Score: 1

      There is that, but if I were to want to log the internal climate of my apartment I'd want pressure and humidity too, and I'd wind up just getting one of those outdoor weather rigs and setting it up in the dining room. (The wind thing would become a "cats got up on the table and started playing" measure :)

    52. Re:Will this internet of things die already? by sootman · · Score: 1

      Speaking of which, why isn't shit monitorable AT ALL in its current state? My A/C gets below a certain level of freon or puron or whatever and POOF, it's out. Why do I have to have "the guy" come out and charge an arm and a leg to see that there's a leak and refill it on the first hot day of the year? Why isn't it possible for OWNERS to see the levels, even with just plain old gauges? Hell, my POOL PUMP has a pressure gauge on it, and that's a LOT less important than my HVAC system.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    53. Re:Will this internet of things die already? by DarkTempes · · Score: 1

      The worst part is when the repair guy can't even figure out what the problem is.

      You would think in a modern world that it would be pretty simple to add some relatively inexpensive sensors to help with diagnostics.
      I saw one slashdotter replied with a 3rd party vendor for that but I imagine it also comes with a silly monthly fee for monitoring.

    54. Re:Will this internet of things die already? by Anonymous Coward · · Score: 0

      You know what's even smarter? A non internet connected tankless "unlimited" water heater, they take up a lot less space, only needing to be mounted on the wall and provide an endless amount of hot water no matter how long you take a shower. Because it's tankless it doesn't waste anything when not needed.

  2. Customers for Wi-Fi enabled thermostats by Marginal+Coward · · Score: 5, Funny

    Finally! Wi-Fi enabled thermostats have found a set of customers who have a genuine need for them: security researchers. But if the thermostats were truly secure, even that small market would dry up. After all, who wants to play a game that can never be won?

    Personally, rather than buy a Wi-Fi thermostat, I've been training my cat to adjust the thermostat just before I come back after three-day weekends. In all honesty, I haven't had much luck with that so far, but I'll get the cat trained eventually, I know I will. Just gotta keep trying.

    Now that you mention it, though, I've really thought through the security implications of owning such a highly trained cat...

    1. Re: Customers for Wi-Fi enabled thermostats by Anonymous Coward · · Score: 0

      Hmmm, practicing standup on /.?
      Don't quit your day job.

    2. Re: Customers for Wi-Fi enabled thermostats by LookIntoTheFuture · · Score: 1

      Hmmm, practicing standup on /.? Don't quit your day job.

      At least he had the guts to log in.

      --
      Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
    3. Re: Customers for Wi-Fi enabled thermostats by Anonymous Coward · · Score: 0

      At least he had the guts to log in.

      When did AC-shaming become a thing?

    4. Re: Customers for Wi-Fi enabled thermostats by ihtoit · · Score: 1

      haha, bazinga!

      AC Shaming: the new Black

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re: Customers for Wi-Fi enabled thermostats by amalcolm · · Score: 1

      It made me smile. Maybe you have no sense of humour?

      --
      Time for bed, said Zebedee - boing
    6. Re: Customers for Wi-Fi enabled thermostats by Marginal+Coward · · Score: 1

      Thanks for sticking up for me, but I didn't actually have much to lose. My philosophy is: when life throws you tomatoes, make tomato paste.

    7. Re: Customers for Wi-Fi enabled thermostats by Anonymous Coward · · Score: 0

      Haha, yeah, why don't you tell us your real name and where you work?

    8. Re: Customers for Wi-Fi enabled thermostats by Anonymous Coward · · Score: 0

      In the late 90s. IOW there have been pretty much always that 1% who fails to get that AC posting is a legitimate feature and that it already comes with a visibility price-tag. The saddest side of it is that there are folks who apologize if they post anything as an AC.

    9. Re:Customers for Wi-Fi enabled thermostats by internerdj · · Score: 1

      I've got a question, what possible motivation could anyone have for hacking my thermostat?

    10. Re:Customers for Wi-Fi enabled thermostats by Marginal+Coward · · Score: 1

      There's probably no good reason. But there's probably somebody out there who is at least as malicious as my cat.

    11. Re:Customers for Wi-Fi enabled thermostats by internerdj · · Score: 1

      And that is solved by airgapping my thermostat either by removing its wifi settings or setting up a local wifi network. I've got a spare router sitting in a box and I don't even have any connected devices to need a dedicated network. I'm just not seeing any reason that any effort at malice here wouldn't be exponentially more time consuming than what it would take to thwart it.

    12. Re:Customers for Wi-Fi enabled thermostats by Marginal+Coward · · Score: 1

      You don't understand...my cat has a *LOT* of time on her paws...

    13. Re:Customers for Wi-Fi enabled thermostats by grep+$+dev.job0 · · Score: 1

      Haven't you seen Mission Impossible? They want to hack your thermostat to bypass your infrared motion sensors.

  3. Fire Hazard Warning by Scarletdown · · Score: 2

    Is it wise to buy a thermostat from a company calling itself Heatmiser? After all, the name is taken from a bloke who proudly declared that anything he touches, starts to melt in his clutch.

    --
    This space unintentionally left blank.
    1. Re:Fire Hazard Warning by sjames · · Score: 1

      He's too much!

  4. 'internet of things' needs to be redefined by Anonymous Coward · · Score: 0

    to 'internet of very bad ideas'

  5. You know what's great? by 93+Escort+Wagon · · Score: 2

    The way these companies pushing "the internet of things" devices are designing security into their products from the ground up. Sure, you might think, but it's so obvious to anyone that's been paying attention during the past decade that security had better be baked into these always-connected products - but you'd be wrong. So we are fortunate these companies aren't rushing their products to market while they contain trivially exploitable security holes.

    Well done, guys! Well done!

    --
    #DeleteChrome
  6. avoid Asuswrt-Merlin if it's a choice. by Trax3001BBS · · Score: 1

    When the "Internet of things" became another M$ phrase I just thought cr*p, as I had to learn of it, to be safe. I like to be ahead of the game and a fairly good computer user till recently.

    A story...

    I use an ASUS R66U router and doing a whois, damn if Asuswrt-Merlin wasn't on my system; it was open to where I had my pants down on the Internet. Merlin did send me a note (to a private computer that had no web pages to view) to take care of the problem but his software was the cause.

    Follow my post and see I supported and had open Internet lines, they were hacked and for two months my system belonged to someone else. Sometimes I could access it, other times nada, so kept it on for those up times and continued to contact Charter.com who suggested I might learn more or even call the Geek Squad, a slap in the face.

    I even ordered another computer system from Newegg as mine was fairly dead, due to the free Internet users that took over my system.

    Now this hacker found or added ( there's no telling but I might have to explain that to a court) that offended them so they reported me to 911, I had Swat looking for my drives that I hid earlier as the hacker himself bragged so much he posted his name, I had him for slander -Swat, I have no clue what they were looking for. I was a neutral in my own house and watched Swat search my place (very professional).

    No charges yet but time will tell.

    My story is to say you must be better now, your systems are hackable; this thermostat is controlled by your computer, so from thermostat to computer.

    Be better, I had never been hacked till this time (35 years) and had no clue - maybe Asuswrt-Merlin was watching for a hole, I had damn threads on my system and Merlin's job was to block their entry. He lost I don't trust his software anymore.

    1. Re:avoid Asuswrt-Merlin if it's a choice. by bigfinger76 · · Score: 1

      Come again?

    2. Re: avoid Asuswrt-Merlin if it's a choice. by Anonymous Coward · · Score: 0

      Can someone translate this?

      Wait so, Merlin is a wizard and you don't trust him no more? Wtf.

    3. Re: avoid Asuswrt-Merlin if it's a choice. by Anonymous Coward · · Score: 0

      RMerlin is a fellow who publishes a lightly modified firmware for Asus routers. This is what he is referencing, though I think the gist is he had a virus on his computer and felt the firewall should have protected him outright.

    4. Re:avoid Asuswrt-Merlin if it's a choice. by msauve · · Score: 1

      I think his lead foil hat has affected his brain.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    5. Re:avoid Asuswrt-Merlin if it's a choice. by Voyager529 · · Score: 1

      So much wrong here...

      1.) I'm a fan of Padavan's firmware myself, but it looks like it's only available for the 65u and not the 66u. Asus is actually pretty good about keeping the stock firmware up to date even on the relatively old n56u, so even stock isn't necessarily a bad deal. TomatoUSB and DD-WRT also install on this router. There were plenty of options if you were doing it yourself. If Merlin did you wrong, sticking with it is a fool's errand.

      2.) Either you installed the Merlin firmware on your router, or you're saying that the Merlin firmware was installed without your consent - the sentence is unclear. If you installed it intentionally, did you not lock it down? If it was installed without your consent (seems like a particularly interesting virus that would do that...), why not blame the individual flashing router firmware maliciously, instead of the individual who makes the aftermarket alternative? Wouldn't the correct software to blame be the one that allowed itself to be flashed without your knowledge?

      3.) If your router was flashed with Merlin, wouldn't the correct response be to either flash it back to stock, or purchase a new router?

      4.) Charter may have told you to call the Geek Squad, because their responsibility for getting your devices online essentially ends at the modem. If your computer was as compromised as you say it was, they weren't going to send a tech out to fix your computer. Saying to talk to "your friendly neighborhood computer guy" is wildly varying in its quality, and they'd be hard pressed to correctly point you in their direction anyway. As much as the Geek Squad isn't generally liked here (and with good reason), it's at least a company big enough that Best Buy locations are easy to find, and they'd have at least some idea that they will repair your computer, certainly moreso than anywhere else.

      5.) Why buy a new computer instead of reformatting the one you had? If it's the "free Internet users", you'd find your internet slower, at worst. If it's a case of malicious hacking, they're probably not on your wi-fi.

      6.) If the hackers were offended by the contents of your hard disk, how did they communicate this with you? If they reported you to the feds, you can first get the hackers on some sort of variant trespassing or criminal mischief (IANAL; point is that they committed crimes as a part of submitting the fraudulent report). Did the local PD really send in a SWAT team as an avenue of first resort for a computer crime? Did the hacker stick solely to secondary hard disks besides your system drive? If you pulled them out so the hacker couldn't get to it, while I wouldn't recommend this under ordinary circumstances, why didn't you simply hand over the drives to the LEOs? They were offline and contained data that incriminated someone else and basically cleared you, right?

      So, to sum up your story: you had a router that was flashed with aftermarket firmware without your consent, or possibly with your consent, but either way was configured to leave lots of ports open and leave your system vulnerable (i.e. not its default configuration). You didn't notice this until two months later. Your first move was to call your cable company, and when they said "get your computer fixed", you bought a new computer, but not a new router, and reinstalled the stock software on neither. The hacker planted nefarious data on your computer and bragged about it on that drive, thus leaving clear evidence that it was planted by them, not acquired by you, and no charges have been filed...and this is a cautionary tale not to have a wi-fi connected thermostat.

      Every system that can be accessed by a legitimate user can be accessed by an illegitimate user because the correct user must be able to access it themselves. Thus, any system can be fooled by sufficiently impersonating the legitimate user. This has been true since the beginning of computing. It will be true until the end of computing.

    6. Re:avoid Asuswrt-Merlin if it's a choice. by Anonymous Coward · · Score: 0

      *Initiate dialect translator: crackpot -> English*

      Looks like he was surfing porn, got that lame 'FBI has locked your system' virus, bought a new PC because he's 'smart' like that, got into an argument with some script-kiddy on IRC, told the script-kiddy his real name and address, had his parents' basement searched by police, and blames Microsoft for everything.

    7. Re:avoid Asuswrt-Merlin if it's a choice. by Trax3001BBS · · Score: 1

      I can't quote your replies, some text problem, but I do apologize Mr. Merlin; just today it hit me that a Xoom tablet was stolen by the same people;
      a lack of security on my part, I kept the wifi passwords the same. It was my fault for not changing passwords as soon as it was stolen.

      As for Swat, well time will tell.

      Geek Squad, I downloaded their private book on "how to fix computers" it was all common knowledge looking for problems, a waste of money and an embarrassment if they park in front of my place.

      Purchasing a new computer; I feel tazers are useful for other things - I'm on a borrowed laptop at this time, no video card I own works, I figured my vid's were tazed.
      A new vid card almost demands a dual vid computer to me.

      Time will tell how things work out. To repeat, when my laptop was stolen I neglected to change passwords. Just today it was a face-slap moment, a stupid security situation overlooked on my part.

    8. Re:avoid Asuswrt-Merlin if it's a choice. by Trax3001BBS · · Score: 1

      Come again?

      I'm sorry I don't write comments well but it doesn't stop me. I have many excuses but the truth is I should just stop posting.
      Sorry for wasting your time.

    9. Re:avoid Asuswrt-Merlin if it's a choice. by Voyager529 · · Score: 1

      I can't quote your replies, some text problem, but I do apologize Mr. Merlin

      No problem, but I'm not Merlin, or affiliated with him at all - just have had positive experiences with the firmware.

      just today it hit me that a Xoom tablet was stolen by the same people;

      So a known group of people both stole a tablet from you and modified your router? That sounds rather interesting, to say the least.

      a lack of security on my part, I kept the wifi passwords the same. It was my fault for not changing passwords as soon as it was stolen.

      Well, for it to be an actual security risk, the thieves would have to have not only your tablet, but your address. Now that could make sense if you had a break-in where it was stolen, but it again seems to be a rather unique set of fugitives who would break-and-enter, steal your tablet, root it in order to extract your wi-fi passwords, and then use that to plant data on your hard disk via a LAN and reconfigure your router.

      As for Swat, well time will tell.

      Yes, but given the cost of an actual SWAT team, the cops would have to know you've got data, and feel that sending a set of garden variety police officers is too hazardous...which again would lend credence to the thought that it should have actually happened already; if you're a threat requiring a SWAT team, waiting for months seems like a bad idea.

      Geek Squad, I downloaded their private book on "how to fix computers" it was all common knowledge looking for problems, a waste of money and an embarrassment if they park in front of my place.

      Whether the Geek Squad is a quality service or not is not the reason Charter recommended them to you. The guy at Charter telling you to have the Geek Squad take a look at your computer is less of a risk to his job than "have the random neighborhood computer guy take care of it for you".

      Purchasing a new computer; I feel tazers are useful for other things

      What does a tazer have to do with anything at all?

      I'm on a borrowed laptop at this time, no video card I own works, I figured my vid's were tazed.

      So let me get this straight...your router was hacked, a tablet was stolen, illicit data was planted on your hard disk and...your video card is broken? I must be missing something.

      A new vid card almost demands a dual vid computer to me.

      So your existing computer had a video card fail, but it was a dual head video card, and it failed, so instead of adding a new video card to a computer that was handling two screens just fine, you needed a new one because it "almost demands a dual vid computer"? Or, you didn't have a dual head video card, and you were worried that your computer couldn't handle two monitors? I've got 15 year old computers that are capable of that. No matter how I try to make this sentence work, I cannot. Now don't get me wrong, if you just wanted a new computer, then rock on; I'm glad you purchased one. Blaming the purchase of a new computer on the fact that the video card in the old one died, however, still doesn't make much sense to me.

      Time will tell how things work out.

      Ultimately yes, but just letting time pass you by isn't the greatest method, either. Don't rush into something, but to be completely frank, there's still plenty of your story that I can't make sense out of.

      To repeat, when my laptop was stolen I neglected to change passwords. Just today it was a face-slap moment, a stupid security situation overlooked on my part

      I'll assume that when you use the term 'laptop' here you meant 'tablet', since you referred to a Xoom earlier. That being said, I don't think it matters. Either your assessment of what happened wasn't quite on base, or if it was, changing the wi-fi password wouldn't have helped you much anyway.

  7. It would be nice if we could just prosecute ... by cascadingstylesheet · · Score: 1

    ... the $%&^ out of exploiters.

    I mean my front door is highly exploitable with simple tools, but if you do it we throw you in a cage. On average it's pretty effective.

    1. Re:It would be nice if we could just prosecute ... by Anonymous Coward · · Score: 0

      ... the $%&^ out of exploiters.

      I mean my front door is highly exploitable with simple tools, but if you do it we throw you in a cage. On average it's pretty effective.

      While I agree with you, the sentences aren't exactly lenient against hacking these days. You would be lucky to escape even an accusation and not land in some "terrorist" watch list.

      Oh, and good luck affording your defense against this proposed "zero tolerance" law of yours when it's YOUR NAT IP address that shows up in the audit trail. Even defending a false accusation can be costly when it falls under the area of no leniency.

    2. Re:It would be nice if we could just prosecute ... by Anonymous Coward · · Score: 0

      Do people get these harsh sentences for hacking an individual's network? Sure, you hit up some defence computers and you're going to be hung drawn and quartered, but some shmo's home network? Not so much, I don't think.

    3. Re:It would be nice if we could just prosecute ... by jd2112 · · Score: 1

      ... the $%&^ out of exploiters.

      I mean my front door is highly exploitable with simple tools, but if you do it we throw you in a cage. On average it's pretty effective.

      Your local police is probably at least somewhat capable of investigating and prosecuting a physical break-in but hacking your thermostat is almost certainly beyond their ability to investigate and even if they could the perpetrator is almost certainly outside their jurisdiction.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    4. Re:It would be nice if we could just prosecute ... by Anonymous Coward · · Score: 0

      Your local police is probably at least somewhat capable of investigating and prosecuting a physical break-in but hacking your thermostat is almost certainly beyond their ability to investigate and even if they could the perpetrator is almost certainly outside their jurisdiction.

      You would think that was true, but local police do very little in response to a simple burglary.

    5. Re:It would be nice if we could just prosecute ... by Anonymous Coward · · Score: 0

      I saw an article about this earlier today.

      http://www.seattlepi.com/local/komo/article/Leaked-memo-SPD-ignoring-most-N-Seattle-5776456.php

      I could add my own anecdote, but the cops actually came and took a report. I'm not sure what they can do. I suppose they could have checked all the pawn shops in town. There probably weren't too many PCs in pawnshops in the mid '80s, but there were probably plenty of pawn shops to check in some of which weren't even in the mid-sized city where I lived at the time.

      Of course I never saw any of my shiat again.

  8. Technology not needed in thermostats by Anonymous Coward · · Score: 0

    I am afraid we are using technology where technology is not needed. Are we really that lazy that we cannot set our own thermostat? I typically buy a $30 thermostat and it lasts about 10 years. It does not need batteries, or a WiFi connection, or is a potential target for hackers. When I am cold I set it up, when I am hot I set it down. When I go away, I set it to an energy saving level. I would say I can do this without any help from a smart thermostat. The same goes for my appliances which seem to work well set at one setting all the time. I never have wanted to communicate with any of these appliances while I was out. I guess some technology addicts need to find ways to add more complexity to a simple task. But that's not me.

    1. Re: Technology not needed in thermostats by Anonymous Coward · · Score: 0

      If your only comment is "I don't need technology to be happy," then I humbly suggest you're wasting your time on this site. This isn't "News For Luddites."

    2. Re:Technology not needed in thermostats by FireFury03 · · Score: 1

      I am afraid we are using technology where technology is not needed.

      Wireless gizmos are becoming very common since they mean you don't need to dig holes in your walls to run the cables.

      I have 2 wireless thermostats - the wireless isn't used to set them remotely, it is used for them to communicate with the boiler. On the whole they work pretty well (and yes, I'm sure the protocol is so trivial that someone could probably sit outside my house and turn the boiler on/off if they cared enough). That said, if I could point my browser at the thermostat instead of having to fiddle with a UI that has a limited display and only a few buttons, that'd be pretty useful.

      I have a wireless doorbell too. It has to be said that this doesn't work so well because the range isn't great - it certainly won't reach my office. Again, probably really insecure and someone who cared enough could probably make my doorbell ring remotely.

      As we get more and more wireless gizmos like this, having them all use common infrastructure, such as the wifi network, rather than communicating using their own point-to-point links is probably a pretty sensible idea - it cuts interference between devices as well as extending the range (by virtue of the wifi network usually covering the entire house anyway, so being able to relay the traffic, possibly via multiple access points). The problem here is twofold:
      1. Moving from proprietary protocols to a standard protocol like wifi suddenly means off-the-shelf hardware and software can be used to attack the devices. The old proprietary devices were really insecure too, but no one cared enough to engineer hardware to attack them - now your phone or laptop comes with the hardware you need.
      2. These wifi-enabled devices are more powerful and can therefore do nefarious things that the older devices couldn't do - i.e. attacking an old wireless thermostat allowed you to turn the boiler on and off, attacking a new one lets you send spam, etc.

  9. Surprised?? by Anonymous Coward · · Score: 0

    Not sure what news worthiness this issue is. Though it would be great to find that companies didn't put security in the back seat, that's the reality I have seen too often. Then again, I don't think most consumers really see security as very important either. So not much incentive by companies to make security a priority. Welcome to the Swiss cheese of things.

  10. Who is surprised? by gstoddart · · Score: 1

    Really, is anybody surprised by this at all?

    Companies rush to get these products out the door, and are both designing it to be easy for the consumer and themselves.

    So they take shortcuts, utterly fail to think about real security, and themselves become security holes.

    This is why I won't buy things like a wifi thermostat, and why I think the internet of things will prove to be a terrible idea as we get inundated with products which have such crappy security they shouldn't exist.

    So screw your fancy thermostats and all of your other crap. Until I see a lot more evidence vendors have any care or ability to implement security, I just treat these things like they've been implemented by indifferent and incompetent people.

    Because, really, they probably have been.

    I consider this story not remarkable because there was a security hole, I consider it remarkable because people believed there wouldn't be.

    --
    Lost at C:>. Found at C.
  11. Except that you're wrong. by Anonymous Coward · · Score: 0

    Network connected thermostats are helpful in many situations. My primary home has Nest thermostats, as does my vacation home. When away from either, the units switch to Away mode automatically. When traveling, I'm able to set the thermostat from Away mode back to a comfortable temperature. This saves energy when I'm away, yet still allows for a comfortable return.

    Don't like it or don't need it? Don't buy it. But don't be so high and mighty that you presume that NO one needs this.

  12. Be careful with "The Internet of Things" by davidwr · · Score: 1

    Connectivity and I/O features that aren't inherently necessary should be "hardware off" by default, and the end user should be made fully aware of any known or "it would be prudent to assume they are there" non-obvious risks of turning them on.

    One of the best features an "Internet-enabled" thermostat can have is a hardware "Internet on/off" switch, along with hard-to-miss warning on the packaging that hooking your device up to the Internet has risks some of which are not yet known.

    After reading such a warning, most consumers would (I hope) leave the "Internet" feature off except when they really needed it.

    Another "nice feature" that all consumer-grade Internet devices that aren't designed to be on 24x7 should have is a "front-end gatekeeper." This "front end gatekeeper" should be an extremely simple device that did nothing more than turn on access to what is behind the gate for a specified period of time under specific conditions - basically, a very blunt "time lock" that opens when you present a valid credential then closes after a pre-determined time. This "front end gatekeeper" should not be programmable except at the console or over a dedicated (i.e. non-Internet) communications channel. This "front end gatekeeper" should be so simple that it can be mathematically proven to be bug-free provided that there are no hardware issues.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
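
An added example, not part of the comment above and not code from any vendor: the "front-end gatekeeper" time lock that comment describes, written as a two-state Python class. The names, the SHA-256 credential digest, the 300-second window, and the rule that a repeat credential does not extend an open window are all assumptions made for illustration.

```python
import hashlib
import hmac
import time


class TimeLockGate:
    """CLOSED by default; OPEN for one fixed window after a valid credential."""

    def __init__(self, credential_digest, window_seconds, clock=time.monotonic):
        # Provisioned once, at the console. No method below changes these
        # values, so nothing arriving over the network can reprogram the gate.
        self._digest = credential_digest    # SHA-256 of a high-entropy secret
        self._window = window_seconds
        self._clock = clock                 # monotonic: immune to wall-clock changes
        self._open_until = None             # None means CLOSED

    def allows_traffic(self):
        """True only while the window is open; closes the gate on expiry."""
        if self._open_until is None:
            return False
        if self._clock() >= self._open_until:
            self._open_until = None
            return False
        return True

    def present(self, credential):
        """Return True if the credential is valid. Opens the gate if it was closed."""
        candidate = hashlib.sha256(credential).digest()
        # Constant-time comparison, so response timing does not leak
        # how many leading bytes of the digest matched.
        if not hmac.compare_digest(candidate, self._digest):
            return False
        # Assumption: an already-open window is never extended, so the
        # exposure time stays bounded by window_seconds per opening.
        if not self.allows_traffic():
            self._open_until = self._clock() + self._window
        return True


class FakeClock:
    """Constructed test clock so the example runs instantly and offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    secret = b"constructed-sample-credential"   # constructed sample value
    clock = FakeClock()
    gate = TimeLockGate(hashlib.sha256(secret).digest(), 300, clock)
    trace = [gate.allows_traffic()]             # closed by default
    trace.append(gate.present(b"wrong-guess"))  # rejected
    trace.append(gate.allows_traffic())         # still closed
    trace.append(gate.present(secret))          # accepted, window opens at t=0
    clock.now = 299
    trace.append(gate.allows_traffic())         # inside the window
    trace.append(gate.present(secret))          # valid, but window not extended
    clock.now = 300
    trace.append(gate.allows_traffic())         # window expired, closed again
    return trace


if __name__ == "__main__":
    print(demo())
```
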
  13. Re:Fuck IoT!! by Jeremiah+Cornelius · · Score: 1

    IoT = Internet of Turds.

    Internet of Turds^H^H^H^H^H SPIES.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  14. Fucking port forwards by Anonymous Coward · · Score: 0

    Any product that requires a port forward should be eliminated. The proper method would be for the device to connect OUT to a service mutually connected to by the controlling device. Then, of course, we need to be concerned with the security of the service itself and the protocol to identify the controlling device and the devices to be controlled. Port forwarding is like hanging your dick out the window for the entire Internet to have a whack at. At least in theory a corporately-run and monitored service would have better firewalls and update systems.

    1. Re:Fucking port forwards by Anonymous Coward · · Score: 0

      BangBroPortFoward.mpg FTW!

  15. Thermostat + wifi? by danknight48 · · Score: 1

    Clearly, a heated issue that will always drop in the end.

  16. Clingy corps by sjames · · Score: 1

    If the manufacturers wouldn't be so clingy, many of these problems would go away. They COULD embed a tiny web server in the device and just have it sit on the LAN. Ideally it would also have a very simple protocol to talk to (or at least a proper web API). But they insist on having the things connect to their server 'in the cloud'. Not just offer that, insist on it.

    I won't even consider installing such a thing until it willingly confines itself to my LAN. If I want remote access, it will go through another server that then uses the simple and well documented API to pass the commands along.