Slashdot Mirror


Trane Takes 2 Years To Remove Hard-Coded Root Passwords From IoT Thermostat (softpedia.com)

An anonymous reader writes: It took 22 months for Trane to patch three security bugs in its ComfortLink II XL950 smart Wi-Fi thermostat, a modern IoT device along the lines of Google Nest, which offers a simple way to manage your apartment's or building's internal temperature. Researchers contacted Trane about their three issues in April 2014; the company fixed the RCE flaws in April 2015 and recently released a firmware update at the end of January to fix the last issue. During all this time, the company barely answered emails and continued to sell an exposed product.

46 of 75 comments

  1. IOT isn't as easy as it sounds. by blueshift_1 · · Score: 1

    This has always been a severe issue with specific hardware produced by companies that aren't technology focused (and even some that are). These little debugging/service backdoors worked when there wasn't a vast resource of easy information sharing - and the device wasn't able to be accessed from anywhere. One day these product engineers will figure that out - maybe.

    1. Re:IOT isn't as easy as it sounds. by supremebob · · Score: 2

      That said, I bet that security hole would have been fixed a hell of a lot quicker if it was publicly announced to the world instead of trying to report it through Trane's security-inept support channels.

    2. Re:IOT isn't as easy as it sounds. by Gr8Apes · · Score: 1

      If only they made it LAN only, it would already be infinitely more secure than most of these companies are capable of making a true internet accessible IoT device. It's that simple. Besides, I don't want or need an account with some service to run something on my own network.

      --
      The cesspool just got a check and balance.
    3. Re:IOT isn't as easy as it sounds. by Brett+Buck · · Score: 2

      Trane is certainly "focused on technology". Just not computer geek technology. Do you know how to design and manufacture a long-lived air conditioning or heat pump compressor? And successfully and profitably for decades?

      Technology existed before the internet, you know.

    4. Re:IOT isn't as easy as it sounds. by Joe_Dragon · · Score: 2

      Back when the weather channel was cool and LOT8's was longer than 60 sec.

    5. Re:IOT isn't as easy as it sounds. by Thud457 · · Score: 3, Interesting

      No. But I'm pretty sure I could spec out cheap crap compressors from China while riding my brand name into the dirt.

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    6. Re:IOT isn't as easy as it sounds. by Anonymous Coward · · Score: 3, Informative

      "Do you know how to design and manufacture a long-lived air conditioning or heat pump compressor?"
      No, but neither does Trane (or Ingersoll-Rand for that matter, who owns Trane.) They use another company's compressor now.
      Heck, they took the original compressor design they once used from GE, when they bought the division from them years ago. As a matter of fact, the only thing that Trane "owns" in their design is the coils and the cabinets. I believe the coils are actually made by Alcoa.
      "Trane" is just a brand name. It's really not any better or worse than most of the other manufacturers out there. You just pay more "'cause it's a Trane!"

      -ACAC (air conditioning anonymous coward)

    7. Re:IOT isn't as easy as it sounds. by swb · · Score: 2

      Isn't the punchline to this "No, and based on my ownership experience, neither does Trane."

    8. Re:IOT isn't as easy as it sounds. by evolutionary · · Score: 1

      True, but then you couldn't control it from the airport with your smartphone. You could argue security issues, but that would result in too many people not feeling the joy of controlling their home from anywhere in the world. Of course they forget others could too... that's beside the point, at least to those seduced by the "cool" factor. (I blame Apple... too user-friendly for our own good.)

      --
      "Imagination is more important than knowledge" - Einstein
    9. Re:IOT isn't as easy as it sounds. by omnichad · · Score: 1

      For centrally managed services, that doesn't require an inbound password. That can be done by the device making outbound connections to the central server.

    10. Re:IOT isn't as easy as it sounds. by Curtman · · Score: 1

      Even harder to start one.

    11. Re:IOT isn't as easy as it sounds. by Curtman · · Score: 3, Interesting

      Over-engineered crap. It definitely is worse than most other manufacturers. I learned this when the inducer motor went on my furnace. They sold a furnace with an ECM inducer motor (for efficiency's sake?), then stopped making them. So now in order to replace the inducer motor you need a new circuit board, a standard PSC motor (less efficient than what was advertised), and someone to completely rewire the furnace with the new wiring harness. Then you need to pay someone labour and parts markup to install the $1400 in parts which they won't sell to you because you're not "Trained in Trane".

      Fuck you Trane. I hope you get hit by a Train.

    12. Re:IOT isn't as easy as it sounds. by rmdingler · · Score: 1
      That's not your inducer motor... it is your blower motor, responsible for moving air with a squirrel cage through the ductwork in your home.

      The inducer motor is to force or draw combustion gases through the heat exchanger and out the roof vent. ECM motors are frequently unreliable, and expensive to replace, but you can replace one with a PSC motor and relays without changing out the circuit board.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    13. Re:IOT isn't as easy as it sounds. by Curtman · · Score: 1

      No. It's the inducer motor. If it was the blower motor I could just get a new motor and install it myself. Trust me, I've learned a lot about this furnace since I was suckered into buying it.

    14. Re:IOT isn't as easy as it sounds. by Curtman · · Score: 1

      Also... Everything except the actual motor is made out of plastic. You cannot remove the impeller from the shaft of the motor without breaking it. Once it's broken it cannot be repaired to work reliably at 3000 RPM. Even if you could replace it with an equivalent PSC motor and relays, the circuit board communicates with the inducer motor, which is no longer there, so it will never light the burner even though the pressure switch is closed.

    15. Re:IOT isn't as easy as it sounds. by rmdingler · · Score: 1
      We've had a metric ton of problems with the ECM blower motors. Many of the first renditions came with the old boards modified, so that there was still a place to install a PSC motor when the very expensive oem motor failed prematurely. In some cases, you were forced to purchase the motor and control module as one unit.

      The general movement toward increasingly more efficient equipment forces manufacturers to modify proven technology to eke out higher efficiency plateaus, but the savings enjoyed from an upgrade (80% to 90% AFUE furnace) is often offset by more expensive and less available replacement parts.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    16. Re:IOT isn't as easy as it sounds. by Gr8Apes · · Score: 1

      > (I blame Apple...too use friendly for our own good..)

      I'd blame the ISPs that make it so darn difficult to connect directly to your own machines. As for everything else, it truly can be simple, but the manufacturers see $s and want you to pay them more, forever.

      --
      The cesspool just got a check and balance.
    17. Re:IOT isn't as easy as it sounds. by Curtman · · Score: 1

      Even on boards without those terminals, you could, if you wanted, use relays to switch speeds powered by the EAC terminal, which is powered any time the fan is on. Except the circuit board is so "smart" that it can't tell how fast the blower motor is spinning anymore and assumes it has failed.

    18. Re:IOT isn't as easy as it sounds. by Curtman · · Score: 1

      I'm sure there's a cool factor that means something to somebody. But when you live in a climate that is -40 degrees (celsius and fahrenheit) at times, having your thermostat email you when the furnace has failed is definitely more than cool, it can save you thousands of dollars.

    19. Re: IOT isn't as easy as it sounds. by corychristison · · Score: 1

      I think he means lack of non-static IP addresses (especially in North America).

    20. Re: IOT isn't as easy as it sounds. by corychristison · · Score: 1

      Sure, but it definitely doesn't need inbound network access. It shouldn't need UPnP, as the thermostat should simply be polling requests from the central servers.

      It could even be used to send a message to your email (outbound connection).

      Why these devices require inbound connections at all simply doesn't make sense to me.
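Comments 9 and 20 above make the same design point: a device like this needs no inbound access or shared password if it only polls the central server outbound. As an added example (not code from the article, Trane, or any commenter), here is a constructed Python sketch of that design: the thermostat never listens on a port, authenticates each outbound poll with a per-device key issued at provisioning (so there is no hard-coded credential common to every unit), and validates every command before acting on it. The in-memory `CommandServer` stands in for an HTTPS endpoint; the device id, setpoint limits and command names are assumptions.

```python
"""Outbound-only device/cloud polling with per-device keys (constructed example)."""
import hashlib
import hmac
import secrets
import time
from collections import deque


def sign(key, device_id, timestamp):
    """HMAC over (device id, integer timestamp); the timestamp bounds replay of a captured poll."""
    msg = f"{device_id}|{int(timestamp)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CommandServer:
    """Stand-in for the cloud endpoint: per-device keys plus a queue of pending commands."""

    def __init__(self, clock=time.time, max_skew=60):
        self.clock = clock
        self.max_skew = max_skew
        self.keys = {}     # device_id -> random key handed over once at provisioning
        self.queues = {}   # device_id -> deque of commands waiting for the next poll

    def provision(self, device_id):
        """Issue a fresh random key to one device; nothing is shared across units."""
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        self.queues[device_id] = deque()
        return key

    def enqueue(self, device_id, command):
        """Queue a command (e.g. from the owner's phone app) for the device's next poll."""
        self.queues[device_id].append(command)

    def poll(self, device_id, timestamp, mac):
        """Hand over pending commands if the poll authenticates; None otherwise."""
        key = self.keys.get(device_id)
        if key is None or abs(self.clock() - timestamp) > self.max_skew:
            return None
        if not hmac.compare_digest(sign(key, device_id, timestamp), mac):
            return None
        pending = list(self.queues[device_id])
        self.queues[device_id].clear()
        return pending


class Thermostat:
    """Device side: makes outbound polls only and validates commands before applying them."""
    MIN_C, MAX_C = 5.0, 30.0   # assumed safety range for the setpoint

    def __init__(self, device_id, key, server, clock=time.time):
        self.device_id = device_id
        self.key = key
        self.server = server
        self.clock = clock
        self.setpoint_c = 20.0
        self.rejected = []      # commands refused by local validation

    def apply(self, cmd):
        """Only a known op with an in-range numeric setpoint is acted on."""
        if cmd.get("op") == "set_target" and isinstance(cmd.get("celsius"), (int, float)):
            value = float(cmd["celsius"])
            if self.MIN_C <= value <= self.MAX_C:
                self.setpoint_c = value
                return True
        return False

    def poll_once(self):
        """One outbound poll; returns the number of commands applied."""
        now = int(self.clock())
        commands = self.server.poll(self.device_id, now, sign(self.key, self.device_id, now))
        if commands is None:
            return 0
        applied = 0
        for cmd in commands:
            if self.apply(cmd):
                applied += 1
            else:
                self.rejected.append(cmd)
        return applied


def demo():
    """Provision one device, queue three commands, poll, then try a forged and a stale poll."""
    server = CommandServer()
    key = server.provision("stat-001")
    stat = Thermostat("stat-001", key, server)
    server.enqueue("stat-001", {"op": "set_target", "celsius": 21.5})
    server.enqueue("stat-001", {"op": "set_target", "celsius": 95})   # out of range: refused
    server.enqueue("stat-001", {"op": "reboot"})                      # unknown op: refused
    applied = stat.poll_once()
    now = int(time.time())
    forged = server.poll("stat-001", now, sign(b"x" * 32, "stat-001", now))   # wrong key
    stale = server.poll("stat-001", now - 3600, sign(key, "stat-001", now - 3600))  # replayed
    return applied, stat.setpoint_c, len(stat.rejected), forged, stale


if __name__ == "__main__":
    print(demo())
```

Because the server only ever answers polls, nothing on the home network needs a forwarded port or UPnP, and a key compromised on one unit does not open any other. Status and alert reports (the "email me when the furnace fails" case from comment 18) go out the same outbound channel.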

    21. Re:IOT isn't as easy as it sounds. by AmiMoJo · · Score: 1

      It's basically an impossible situation for security researchers. If they report it only to the manufacturer it can take years to be fixed. If they report it with a note that they will go public in a month they get sued or arrested. If they just report it publicly they are accused of being irresponsible.

      When I find a security flaw, if the company has a bug bounty programme or formal submission process I report it to them with a note that I'll post it publicly in a month unless they ask me to do otherwise. If they don't have any kind of formal vulnerability reporting scheme in place I send them an anonymous email with details, and then make it public with a throwaway account on a suitable forum or whatever seems appropriate.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    22. Re:IOT isn't as easy as it sounds. by jbengt · · Score: 1

      First, you're talking about their residential lines. Nobody makes small, off-the-shelf refrigeration systems in the US anymore. Everybody makes them in Asia. (I think there's one manufacturer making them in Africa.)
      Trane's commercial lines are considered middle-of-the-road: Not the high quality equipment that costs too much for the typical cheap budget, and not the piece of crap that will get the submittal rejected by the specifying engineer.
      You are right, though, about branding, though by no means is that limited to Trane. Everyone keeps getting bought and sold and outsourcing their components - to the point that naming different models from different manufacturers in the spec can give you a choice of buying the exact same item with different labels.

    23. Re:IOT isn't as easy as it sounds. by bozzy · · Score: 1

      > Fuck you Trane. I hope you get hit by a Train.

      And forced to listen to the band Train...

    24. Re:IOT isn't as easy as it sounds. by jbengt · · Score: 1

      The trend is for single phase motors to go ECM for any application where the speed needs to be adjustable or variable. This is a fact of life for all types and brands of equipment. 10 years ago, we had a job where dozens of ECM motors had to be replaced not long after being installed. The manufacturers seem to have caught on and now use motors that can handle the electronic switching better, so there's very few early failures anymore.
      The other trend in appliances is to add digital electronics that fail easily and require wholesale board replacement when they fail. I guess the warranty expenses are worth it to the manufacturers compared to making (buying from an outsourced supplier) something better.
      So, while I feel your pain, it is not Trane leading the way here, they're following the market trends.

    25. Re: IOT isn't as easy as it sounds. by Gr8Apes · · Score: 1

      Not only lack of non-static IPs, but worse than that, ISPs that actively engage in port blocking because "servers" aren't allowed on their networks. That's dropped off some thanks to games and other PTP applications, but many still filter a set of ports and as of a few years ago will block or degrade large externally originated sources.

      --
      The cesspool just got a check and balance.
    26. Re:IOT isn't as easy as it sounds. by Curtman · · Score: 1

      The problem isn't the switch to ECM. It's that they didn't make replacements for when they broke. So repairing a broken ECM inducer motor requires me to replace almost every electronic component in the furnace along with the associated labour costs to do it, even though I'm fully capable of doing it myself. They will not sell them to me.

  2. Re:Rending of garments to commence! by Gr8Apes · · Score: 3, Insightful

    I would be more concerned about the sub 32 degree house

    --
    The cesspool just got a check and balance.
  3. Re:They have your money... by Gr8Apes · · Score: 1

    How many thermostat controllers do you need?

    Apparently more than I thought I would, as I'm looking at buying my 6th and 7th ones, and possibly another 3.

    --
    The cesspool just got a check and balance.
  4. The flip side to "it's hard to stop a Trane" by laurencetux · · Score: 1

    It's also hard to get a train GOING.

    I'm sure the actual patch writing time was minimal, but

    15 different managers had to be consulted/bribed to sign off on the code
    there were 50 different meetings to sort out what the bugs were exactly
    somebody had to be assigned the task of writing the code (and this was a busy person)
    the code had to be audited for serious bugs like nonPC variables
    then it had to be tested
    and packaged for deployment

    do i need to go on??

    1. Re:The flip side to "it's hard to stop a Trane" by Anonymous Coward · · Score: 1

      I worked there in IT. It's not "Hard to Stop a TRANE", especially once Ingersoll Rand got involved. With the great majority of IT outsourced it's amazing they can get anything done at all !

  5. Sounds like it's time for a certification by Anonymous Coward · · Score: 1

    At what point is a professional body going to be setup so that we can get a certification like "Ain't Totally F'd Up" for any device that connects to the interwebs?!?

    Surely someone has some kind of idea of how to do interweb connected things anti-ass-backwards (and stop calling me Shirley).

  6. Would you like to play a game.. by evolutionary · · Score: 3, Interesting

    Okay, this is just too hilarious. It's like the movie "War Games" when the computer engineer left his dead son's name as a password before he disappeared. This sort of thing tends to happen when a non-engineer wants to ensure absolute control in a quick, dirty way. Of course anyone with any foresight (AKA IT/Engineering professionals or even Philosophers/Historians I expect) would have pointed out how easy a back door this would be. We already have tons of historical precedents. And then take two years to undo it? Probably a 3rd party pointed out they could be sued for negligence and said "get this fixed...now". The usual reactive crap when sales/iron grip overrides good judgement for short-term savings. Of course why anyone would want a device like this in their home giving people a potential back door for any hacker to get in through the Internet and play poltergeist is slightly puzzling. People need to learn that "Convenience comes at the price of Security". Kind of sounds like: "With Great Power comes great responsibility". Of course nobody seems to learn from either phrase. And here's another one: "Those who forget their history are doomed to repeat it"...whoops...too late...

    --
    "Imagination is more important than knowledge" - Einstein
  7. Re:I don't understand technology anymore by stabiesoft · · Score: 1

    I imagine it does some of the same stuff my new Lennox one does. Health checks etc. Mine for example validates the temp outside before kicking in the compressor to avoid destroying it. Also checks static pressures in the air flow to check filter flow rate. Keeps track of any error codes thrown by other units (furnace, A/C, etc). And I imagine the Trane is also like the Lennox. Don't give it your wifi password and it will not go on the interwebs. I like the extra stuff my Tstat can do, but do not want it on the WAN/LAN, so I just don't set it up.

  8. Oh yeh by djent · · Score: 1

    "there's nothing like a Trane" unless it's a nest. Damn good thing.

  9. Chew chew by Impy+the+Impiuos+Imp · · Score: 2

    > It took 22 months

    "Nothing Starts a Trane(tm)"

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  10. Re:I don't understand technology anymore by Curtman · · Score: 3, Informative

    No, it's not. "Legacy" thermostats were essentially a few relays and some operator controls. 24VAC is fed to the thermostat terminal "R" from the furnace or air handler. When it wants the fan to run, it switches 24V to its terminal "G"; when it wants heat it puts 24V on terminal "W"; cooling is terminal "Y".

    These new "communicating" thermostats are a CANBUS network similar to, but much more poorly documented than, the OBD one in your car. However it does things like send you an email when the furnace is failing, or when the temperature in your house has fallen to where you might have to worry about freezing pipes etc. It can tell you that it failed to ignite several times so you might want to book service before it fails completely.

    I wish there was some online presence for people hacking these things. Inside my Lennox iComfort thermostat I found an SD card containing an OS called "MQX RTOS", and an i.MX287 processor.

  11. Re:Rending of garments to commence! by rmdingler · · Score: 1
    With the focus of late on the latest, greatest, and ever more complicated, your potential points of failure increase.

    Now, something short of a power outage is enough to freeze your water pipes... say a wifi outage or low voltage interruption to the Nest.

    Buy some insurance. Wire in an Accustat as a backup that kicks heat on at 10 degrees Celsius.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  12. Re:Rending of garments to commence! by Gr8Apes · · Score: 1

    Or, don't use a Nest to begin with. Why on earth does Google need to know the temperature settings in my house at any given time?

    --
    The cesspool just got a check and balance.
  13. Re:They have your money... by Gr8Apes · · Score: 1

    Mansion? Who said they were all for one house? I've replaced a lot of these over the years, I'm pretty sure the number is higher than what I stated, I just recall changing out at least 5. As for the last 3, I would use them for single room zone controls. I've been looking at the duct work, and believe that I can actually use them to control the heat better and only cool/heat the areas I wish.

    --
    The cesspool just got a check and balance.
  14. That's a special kind of pathetic by Revek · · Score: 1

    Seriously? What kind of noob idiots are they?

  15. Re:I don't understand technology anymore by CharlieG · · Score: 1

    Unless (like my den) someone decided to save a few bucks (basically the price of the transformer and a relay) and installed a high voltage thermostat, and then you have 110 volts right on the stat. You'd think...
    Has caused me enough issues that I think come this spring, I'll do it (Dad would be laughing - he was an HVAC mechanic, and would do it 'whenever' - and of course, I don't have a spare relay...)

    --
    -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
  16. Re:I don't understand technology anymore by Frederic54 · · Score: 1

    Oh nice, I worked with Precise/MQX and its RTCS stack, I implemented SNMP v2c for our products running this OS.

    --
    "Science will win because it works." - Stephen Hawking
  17. Re:Rending of garments to commence! by jbengt · · Score: 1

    Most of those points wouldn't be controlled by the thermostat (I would hope), but by the internal controls in the equipment. Even if they were accessible through the thermostat, you shouldn't be able to change things like the anti-short-cycle timer or the compressor low ambient lock-out.

  18. Re:I don't understand technology anymore by Curtman · · Score: 1

    Every manufacturer seems to be doing it now, at least in the higher end models. Lennox has iComfort, Trane has this POS from the topic, Carrier has Infinity. The thermostats are connected to the furnace with 4 wires: R = 24V, C = Common, "i+", and "i-". There are those same terminals at the Air Conditioner. The gas valve has Tx and Rx blinky lights, the blower motor too. The thermostat reads the outdoor temp from the air conditioner's thermistor through the bus; all sorts of sensors in the furnace are readable in the thermostat: CFM of the blower, pressure in the ductwork, supply and return temperatures, etc.

  19. Re:I don't understand technology anymore by Curtman · · Score: 1

    This patent is the best reference I've found so far. It's all proprietary though, Lennox thermostats won't work on a Carrier furnace or air conditioner, etc. And the software seems to be really terrible on all of them.