Slashdot Mirror


Popular Wi-Fi Thermostat Full of Security Holes

Threatpost reports: Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover. Andrew Tierney, a "reverse-engineer by night," whose specialty is digging up bugs in embedded systems, wrote on his blog that he initially read about vulnerabilities in another one of the company's products, NetMonitor, and decided to poke around its product line further. This led him to discover a slew of issues in the company's Wi-Fi-enabled thermostats running firmware version 1.2. The issues range from simple security missteps to critical oversights. For example, when users go to connect the thermostat via a Windows utility, it uses default web credentials and PINs. ... Elsewhere, the thermostat leaks Wi-Fi credentials, like its password, username, Service Set Identifier (SSID) and so on, when it's logged in. Related: O'Reilly Radar has an interesting conversation about what companies will vie for control of the internet-of-things ecosystem.

10 of 103 comments

  1. Will this internet of things die already? by Spy+Handler · · Score: 4, Insightful

    Nobody needs a home thermometer and refrigerator connected to the internet. Gadget makers and tech press have been trying to foist this shit on us for years and nobody wants it. Let it die already.

    1. Re:Will this internet of things die already? by AmiMoJo · · Score: 5, Insightful

      Hopefully people will exercise their legal rights to correct this kind of thing. For example, goods must be "fit for purpose" and of "reasonable quality". In other words, security must be reasonably effective.

      Could be even more interesting if you paid to have it installed.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Will this internet of things die already? by DarkTempes · · Score: 3, Interesting

      I'd mostly be interested in using a smart thermostat for logging.
      If I can detect HVAC performance problems just once before they lead to a dead system on a deadly hot summer day and an emergency call to a repair guy then it would easily have paid for itself in comfort.

    3. Re:Will this internet of things die already? by GNious · · Score: 3, Informative

      Seriously! How long would one have to be away and kicking himself that he forgot to change the thermostat setting before having one of these newfangled ones would pay for itself?

      Looking at the spiel from Nest, these products pay for themselves through regular use, not through exceptions:

      Auto-Schedule makes it easy to create an energy efficient schedule that can help you save up to 20% on your heating and cooling bills. All the Nest Thermostat's features combined can get you even bigger savings

      More: https://nest.com/thermostat/sa...

      Some dude, who may very well be paid by Nest, tweeted this:

      After a year using my @Nest thermostat, I've saved $326.74 / 2,651 kWh over the previous year.

      Linky: https://twitter.com/MattClippe...

      Not saying that all of the above is true, but at least it seems that they'd consider your premise incorrect.

    4. Re:Will this internet of things die already? by TrollstonButterbeans · · Score: 2

      I don't want one (now), but I disagree.

      Some day they will probably make something of this sort that I do want.

      Wouldn't it be nice to automatically know what you did and didn't have in the refrigerator or make sure you turned the air conditioning off while on vacation?

      Perhaps. Perhaps not, but I imagine at some point something very useful and relevant could be made.

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    5. Re:Will this internet of things die already? by WaffleMonster · · Score: 2

      Looking at the spiel from Nest, these products pay for themselves through regular use, not through exceptions:

      A cheap programmable thermostat pays for itself quicker.

      Auto-Schedule makes it easy to create an energy efficient schedule that can help you save up to 20% on your heating and cooling bills. All the Nest Thermostat's features combined can get you even bigger savings

      I give a shit about results only seen by a few outliers... honest..

      After a year using my @Nest thermostat, I've saved $326.74 / 2,651 kWh over the previous year.

      If I were selling a product that really did all the wonderful things claimed I would want the world to know about it by providing credible evidence supporting my assertions. Instead we are treated to a bunch of people saying they saved x, y and z over last year... which is to say the least.. completely worthless.

      Patiently awaiting credible evidence...

    6. Re:Will this internet of things die already? by DarkOx · · Score: 5, Insightful

      Which is completely meaningless. My energy bills can easily vary that much over a year depending on weather conditions, without me doing anything around my own behavior. $300 in the typical ~2500 ft suburban home over the course of an entire year is indistinguishable from noise.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  2. Customers for Wi-Fi enabled thermostats by Marginal+Coward · · Score: 5, Funny

    Finally! Wi-Fi enabled thermostats have found a set of customers who have a genuine need for them: security researchers. But if the thermostats were truly secure, even that small market would dry up. After all, who wants to play a game that can never be won?

    Personally, rather than buy a Wi-Fi thermostat, I've been training my cat to adjust the thermostat just before I come back after three-day weekends. In all honesty, I haven't had much luck with that so far, but I'll get the cat trained eventually, I know I will. Just gotta keep trying.

    Now that you mention it, though, I've really thought through the security implications of owning such a highly trained cat...

  3. Fire Hazard Warning by Scarletdown · · Score: 2

    Is it wise to buy a thermostat from a company calling itself Heatmiser? After all, the name is taken from a bloke who proudly declared that anything he touches, starts to melt in his clutch.

    --
    This space unintentionally left blank.
  4. You know what's great? by 93+Escort+Wagon · · Score: 2

    The way these companies pushing "the internet of things" devices are designing security into their products from the ground up. Sure, you might think, but it's so obvious to anyone that's been paying attention during the past decade that security had better be baked into these always-connected products - but you'd be wrong. So we are fortunate these companies aren't rushing their products to market while they contain trivially exploitable security holes.

    Well done, guys! Well done!

    --
    #DeleteChrome