Trane Takes 2 Years To Remove Hard-Coded Root Passwords From IoT Thermostat (softpedia.com)
An anonymous reader writes: It took 22 months for Trane to patch three security bugs in its ComfortLink II XL950 smart Wi-Fi thermostat, a modern IoT device along the lines of Google Nest, which offers a simple way to manage your apartment's or building's internal temperature. Researchers contacted Trane about their three issues in April 2014; the company fixed the RCE flaws in April 2015 and recently released a firmware update at the end of January to fix the last issue. During all this time, the company barely answered emails and continued to sell an exposed product.
"Do you know how to design and manufacture a long-lived air conditioning or heat pump compressor?"
No, but neither does Trane (or Ingersoll-Rand for that matter, which owns Trane). They use another company's compressor now.
Heck, they took the original compressor design they once used from GE, when they bought the division from them years ago. As a matter of fact, the only thing that Trane "owns" in their design is the coils and the cabinets. I believe the coils are actually made by Alcoa.
"Trane" is just a brand name. It's really not any better or worse than most of the other manufacturers out there. You just pay more "'cause it's a Trane!"
-ACAC (air conditioning anonymous coward)
No, it's not. "Legacy" thermostats were essentially a few relays and some operator controls. 24VAC is fed to the thermostat terminal "R" from the furnace or air handler. When it wants the fan to run, it switches 24V to its terminal "G"; when it wants heat it puts 24V on terminal "W"; cooling is terminal "Y".
These new "communicating" thermostats are a CAN bus network, similar to, but much more poorly documented than, the OBD one in your car. However, it does things like send you an email when the furnace is failing, or when the temperature in your house has fallen to where you might have to worry about freezing pipes, etc. It can tell you that it failed to ignite several times, so you might want to book service before it fails completely.
I wish there was some online presence for people hacking these things. Inside my Lennox iComfort thermostat I found an SD card containing an OS called "MQX RTOS", and an i.MX287 processor.