Slashdot Mirror


Trane Takes 2 Years To Remove Hard-Coded Root Passwords From IoT Thermostat (softpedia.com)

An anonymous reader writes: It took 22 months for Trane to patch three security bugs in its ComfortLink II XL950 smart Wi-Fi thermostat, a modern IoT device along the lines of Google Nest, which offers a simple way to manage your apartment's or building's internal temperature. Researchers contacted Trane about their three issues in April 2014; the company fixed the RCE flaws in April 2015 and recently released a firmware update at the end of January to fix the last issue. During all this time, the company barely answered emails and continued to sell an exposed product.

1 of 75 comments

  1. Rending of garments to commence! by Brett Buck · Score: -1, Troll

    Oh My GOD! A possibly exploitable-if-you-know-or-bother-to-look-for-it bug in a device that will change the room temperature! On something that doesn't really need to be connected to the internet in the first place, and would slightly inconvenience you if it were pwn'ed! Bring back the guillotine because this is worse than 9/11!

    If you are super-paranoid, just pull the Ethernet cable, then you can live your life without the existential dread of coming home to a 78-degree house.