Popular Wi-Fi Thermostat Full of Security Holes
Threatpost reports:
Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover. Andrew Tierney, a "reverse-engineer by night" whose specialty is digging up bugs in embedded systems, wrote on his blog that he initially read about vulnerabilities in another one of the company's products, NetMonitor, and decided to poke around its product line further. This led him to discover a slew of issues in the company's Wi-Fi-enabled thermostats running firmware version 1.2. The issues range from simple security missteps to critical oversights. For example, when users go to connect the thermostat via a Windows utility, it uses default web credentials and PINs. ... Elsewhere, the thermostat leaks Wi-Fi credentials, like its password, username, Service Set Identifier (SSID) and so on, when it's logged in.
Related: O'Reilly Radar has an interesting conversation about what companies will vie for control of the internet-of-things ecosystem.
Nobody needs a home thermometer and refrigerator connected to the internet. Gadget makers and tech press have been trying to foist this shit on us for years and nobody wants it. Let it die already.
Finally! Wi-Fi enabled thermostats have found a set of customers who have a genuine need for them: security researchers. But if the thermostats were truly secure, even that small market would dry up. After all, who wants to play a game that can never be won?
Personally, rather than buy a Wi-Fi thermostat, I've been training my cat to adjust the thermostat just before I come back after three-day weekends. In all honesty, I haven't had much luck with that so far, but I'll get the cat trained eventually, I know I will. Just gotta keep trying.
Now that you mention it, though, I've really thought through the security implications of owning such a highly trained cat...
Is it wise to buy a thermostat from a company calling itself Heatmiser? After all, the name is taken from a bloke who proudly declared that anything he touches starts to melt in his clutch.
This space unintentionally left blank.
The way these companies pushing "the internet of things" devices are designing security into their products from the ground up. Sure, you might think, but it's so obvious to anyone that's been paying attention during the past decade that security had better be baked into these always-connected products - but you'd be wrong. So we are fortunate these companies aren't rushing their products to market while they contain trivially exploitable security holes.
Well done, guys! Well done!
#DeleteChrome
When the "Internet of things" became another M$ phrase I just thought cr*p, as I had to learn of it, to be safe. I like to be ahead of the game and a fairly good computer user till recently.
A story...
I use an ASUS R66U router and doing a whois, damn if Asuswrt-Merlin wasn't on my system; it was open to where I had my pants down on the Internet. Merlin did send me a note (to a private computer that had no web pages to view) to take care of the problem but his software was the cause.
Follow my post and see I supported and had open Internet lines, they were hacked and for two months my system belonged to someone else. Sometimes I could access it, other times nada, so kept it on for those up times and continued to contact Charter.com who suggested I might learn more or even call the Geek Squad, a slap in the face.
I even ordered another computer system from Newegg as mine was fairly dead, due to the free Internet users that took over my system.
Now this hacker found or added (there's no telling but I might have to explain that to a court) that offended them so they reported me to 911, I had Swat looking for my drives that I hid earlier as the hacker himself bragged so much he posted his name, I had him for slander - Swat, I have no clue what they were looking for. I was a neutral in my own house and watched Swat search my place (very professional).
No charges yet but time will tell.
My story is to say you must be better now, your systems are hackable; this thermostat is controlled by your computer, so from thermostat to computer.
Be better, I had never been hacked till this time (35 years) and had no clue - maybe Asuswrt-Merlin was watching for a hole, I had damn threads on my system and Merlin's job was to block their entry. He lost. I don't trust his software anymore.
... the $%&^ out of exploiters.
I mean my front door is highly exploitable with simple tools, but if you do it we throw you in a cage. On average it's pretty effective.
I am afraid we are using technology where technology is not needed.
Wireless gizmos are becoming very common since they mean you don't need to dig holes in your walls to run the cables.
I have 2 wireless thermostats - the wireless isn't used to set them remotely, it is used for them to communicate with the boiler. On the whole they work pretty well (and yes, I'm sure the protocol is so trivial that someone could probably sit outside my house and turn the boiler on/off if they cared enough). That said, if I could point my browser at the thermostat instead of having to fiddle with a UI that has a limited display and only a few buttons, that'd be pretty useful.
I have a wireless doorbell too. It has to be said that this doesn't work so well because the range isn't great - it certainly won't reach my office. Again, probably really insecure and someone who cared enough could probably make my doorbell ring remotely.
As we get more and more wireless gizmos like this, having them all use common infrastructure, such as the wifi network, rather than communicating using their own point-to-point links is probably a pretty sensible idea - it cuts interference between devices as well as extending the range (by virtue of the wifi network usually covering the entire house anyway, so being able to relay the traffic, possibly via multiple access points). The problem here is twofold:
1. Moving from proprietary protocols to a standard protocol like wifi suddenly means off-the-shelf hardware and software can be used to attack the devices. The old proprietary devices were really insecure too, but no one cared enough to engineer hardware to attack them - now your phone or laptop comes with the hardware you need.
2. These wifi-enabled devices are more powerful and can therefore do nefarious things that the older devices couldn't do - i.e. attacking an old wireless thermostat allowed you to turn the boiler on and off, attacking a new one lets you send spam, etc.
http://blog.nexusuk.org
Really, is anybody surprised by this at all?
Companies rush to get these products out the door, and are both designing it to be easy for the consumer and themselves.
So they take shortcuts, utterly fail to think about real security, and themselves become security holes.
This is why I won't buy things like a wifi thermostat, and why I think the internet of things will prove to be a terrible idea as we get inundated with products which have such crappy security they shouldn't exist.
So screw your fancy thermostats and all of your other crap. Until I see a lot more evidence vendors have any care or ability to implement security, I just treat these things like they've been implemented by indifferent and incompetent people.
Because, really, they probably have been.
I consider this story not remarkable because there was a security hole, I consider it remarkable because people believed there wouldn't be.
Lost at C:>. Found at C.
Connectivity and I/O features that aren't inherently necessary should be "hardware off" by default, and the end user should be made fully aware of any known or "it would be prudent to assume they are there" non-obvious risks of turning them on.
One of the best features an "Internet-enabled" thermostat can have is a hardware "Internet on/off" switch, along with hard-to-miss warning on the packaging that hooking your device up to the Internet has risks some of which are not yet known.
After reading such a warning, most consumers would (I hope) leave the "Internet" feature off except when they really needed it.
Another "nice feature" that all consumer-grade Internet devices that aren't designed to be on 24x7 should have is a "front-end gatekeeper." This "front end gatekeeper" should be an extremely simple device that does nothing more than turn on access to what is behind the gate for a specified period of time under specific conditions - basically, a very blunt "time lock" that opens when you present a valid credential then closes after a pre-determined time. This "front end gatekeeper" should not be programmable except at the console or over a dedicated (i.e. non-Internet) communications channel. This "front end gatekeeper" should be so simple that it can be mathematically proven to be bug-free provided that there are no hardware issues.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
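A minimal model of the "front-end gatekeeper" time lock the comment above describes, as an added example that is not from the post or from any thermostat vendor: the gate is closed by default, a credential is checked in constant time against a stored hash, the gate opens for a fixed window and relocks on its own, and repeated bad credentials lock it until a console reset. The class name, the `open_seconds`/`max_failures` parameters, the injectable clock and the demo secret are all assumptions made for this illustration.

```python
import hashlib
import hmac
import time

class Gatekeeper:
    """Default-closed time lock: a valid credential opens the gate for a fixed
    window, after which it relocks on its own. Only a hash of the secret is kept."""
    def __init__(self, credential_sha256, open_seconds, max_failures=5, clock=time.monotonic):
        self._cred_hash = credential_sha256   # hex SHA-256 of the shared secret
        self._open_seconds = open_seconds
        self._max_failures = max_failures     # bad tries before only a console reset will do
        self._clock = clock                   # injectable so behaviour can be tested deterministically
        self._open_until = None               # None means closed
        self._failures = 0

    def present(self, credential):
        """Offer a credential from the network side; True if the gate is now open."""
        if self._failures >= self._max_failures:
            return False                      # locked out; reset only via the local console
        digest = hashlib.sha256(credential.encode()).hexdigest()
        if not hmac.compare_digest(digest, self._cred_hash):
            self._failures += 1
            return False
        self._failures = 0
        self._open_until = self._clock() + self._open_seconds
        return True

    def is_open(self):
        """The only question the device behind the gate ever asks."""
        if self._open_until is not None and self._clock() < self._open_until:
            return True
        self._open_until = None               # window elapsed or never opened: closed
        return False

# Constructed demo secret; a real device would store only the hash at provisioning.
DEMO_SECRET = "correct horse battery staple"
DEMO_HASH = hashlib.sha256(DEMO_SECRET.encode()).hexdigest()

def demo(open_seconds=300.0):
    t = [0.0]                                  # fake clock, advanced by hand below
    gate = Gatekeeper(DEMO_HASH, open_seconds, clock=lambda: t[0])
    states = [gate.is_open()]                  # closed by default
    states.append(gate.present("wrong"))       # bad credential: stays closed
    states.append(gate.present(DEMO_SECRET))   # good credential: opens
    t[0] += open_seconds - 1
    states.append(gate.is_open())              # still inside the window
    t[0] += 2
    states.append(gate.is_open())              # window elapsed: relocked
    return states
```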
IoT = Internet of Turds.
Internet of Turds^H^H^H^H^H SPIES.
"Flyin' in just a sweet place,
Never been known to fail..."
Clearly, a heated issue that will always drop in the end.
If the manufacturers wouldn't be so clingy, many of these problems would go away. They COULD embed a tiny web server in the device and just have it sit on the LAN. Ideally it would also have a very simple protocol to talk to (or at least a proper web API). But they insist on having the things connect to their server 'in the cloud'. Not just offer that, insist on it.
I won't even consider installing such a thing until it willingly confines itself to my LAN. If I want remote access, it will go through another server that then uses the simple and well documented API to pass the commands along.