Trane Takes 2 Years To Remove Hard-Coded Root Passwords From IoT Thermostat (softpedia.com)
An anonymous reader writes: It took 22 months for Trane to patch three security bugs in its ComfortLink II XL950 smart Wi-Fi thermostat, a modern IoT device along the lines of Google Nest, which offers a simple way to manage your apartment's or building's internal temperature. Researchers contacted Trane about their three issues in April 2014; the company fixed the RCE flaws in April 2015 and recently released a firmware update at the end of January to fix the last issue. During all this time, the company barely answered emails and continued to sell an exposed product.
That said, I bet that security hole would have been fixed a hell of a lot quicker if it was publicly announced to the world instead of trying to report it through Trane's security-inept support channels.
I would be more concerned about the sub-32-degree house.
The cesspool just got a check and balance.
Trane is certainly "focused on technology". Just not computer geek technology. Do you know how to design and manufacture a long-lived air conditioning or heat pump compressor? And successfully and profitably for decades?
Technology existed before the internet, you know.
Back when the weather channel was cool and LOT8's was longer than 60 sec.
No. But I'm pretty sure I could spec out cheap crap compressors from China while riding my brand name into the dirt.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
"Do you know how to design and manufacture a long-lived air conditioning or heat pump compressor?"
No, but neither does Trane (or Ingersoll-Rand for that matter, who owns Trane.) They use another company's compressor now.
Heck, they took the original compressor design they once used from GE, when they bought the division from them years ago. As a matter of fact, the only thing that Trane "owns" in their design is the coils and the cabinets. I believe the coils are actually made by Alcoa.
"Trane" is just a brand name. It's really not any better or worse than most of the other manufacturers out there. You just pay more "'cause it's a Trane!"
-ACAC (air conditioning anonymous coward)
Isn't the punchline to this "No, and based on my ownership experience, neither does Trane."
Okay, this is just too hilarious. It's like the movie "War Games" when the computer engineer left his dead son's name as a password before he disappeared. This sort of thing tends to happen when a non-engineer wants to ensure absolute control in a quick, dirty way. Of course anyone with any foresight (AKA IT/Engineering professionals or even Philosophers/Historians I expect) would have pointed out how easy a back door this would be. We already have tons of historical precedent. And then take two years to undo it? Probably a 3rd party pointed out they could be sued for negligence and said "get this fixed...now". The usual reactive crap when sales/iron grip overrides good judgement for short-term savings. Of course why anyone would want a device like this in their home giving people a potential back door for any hacker to get in through the Internet and play poltergeist is slightly puzzling. People need to learn that "Convenience comes at the price of Security". Kind of sounds like: "With Great Power comes great responsibility". Of course nobody seems to learn from either phrase. And here's another one: "Those who forget their history are doomed to repeat it"...whoops...too late...
"Imagination is more important than knowledge" - Einstein
Over-engineered crap. It definitely is worse than most other manufacturers. I learned this when the inducer motor went on my furnace. They sold a furnace with an ECM inducer motor (for efficiency's sake?), then stopped making them. So now in order to replace the inducer motor you need a new circuit board, a standard PSC motor that is less efficient than what was advertised, and someone to completely rewire the furnace with the new wiring harness. Then you need to pay someone labour and parts markup to install the $1400 in parts which they won't sell to you because you're not "Trained in Trane".
Fuck you Trane. I hope you get hit by a Train.
> It took 22 months
"Nothing Starts a Trane(tm)"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
No it's not. "Legacy" thermostats were essentially a few relays and some operator controls. 24VAC is fed to the thermostat terminal "R" from the furnace or air handler. When it wants the fan to run, it switches 24V to its terminal "G"; when it wants heat it puts 24V on terminal "W"; cooling is terminal "Y".
These new "communicating" thermostats are a CAN bus network similar to, but much more poorly documented than, the OBD one in your car. However, it does things like send you an email when the furnace is failing, or when the temperature in your house has fallen to where you might have to worry about freezing pipes, etc. It can tell you that it failed to ignite several times so you might want to book service before it fails completely.
I wish there was some online presence for people hacking these things. Inside my Lennox iComfort thermostat I found an SD card containing an OS called "MQX RTOS", and an i.MX287 processor.