Vulnerability affecting smart thermostats patched by Bosch

Avatar

German technology manufacturer Bosch fixed a vulnerability affecting a popular line of smart thermostats in October, the company disclosed this week.

Researchers from Bitdefender discovered an issue with Bosch BCC100 thermostats last August which lets an attacker on the same network replace the device firmware with a rogue version.

Bogdan Botezatu, director of threat research and reporting at Bitdefender, told Recorded Future News that an attacker could use the vulnerability — tracked as CVE-2023-49722 — to render the device inoperable.

“By replacing its firmware, the attacker could prevent the thermostat from booting up – making it useless. While the thermostat is still on the wall, it would be impossible for the user to modify temperature and working modes,” Botezatu said.

“Additionally, a hacker could also plant a backdoor along with the original operating system of the thermostat to be able to connect to the network from the outside. The worst-case scenario allows an attacker to replace the original firmware with a Linux distribution of their choice and use this newly acquired foothold into the network to sniff traffic, pivot on other devices, and so on.”

A spokesperson for Bosch confirmed that Bitdefender notified them of the issue on August 29. They said the issue only affects Bosch Home Comfort thermostats sold in the U.S. and Canada. The thermostats are available on Amazon for about $125.

The company spent the next few weeks developing a solution and made sure that the issue was limited to that specific device. The bug carries a CVSS severity score of 8.3.

“On October 12, a software update was pushed to all affected customers,” the spokesperson said, sharing a link to an advisory released this week by the Bosch Product Security Incident Response Team.

In a report released on Thursday by Bitdefender, researchers said they began to audit popular internet of things (IoT) hardware, and smart thermostats in particular, because more consumers are turning to them for energy efficiency and environmental sustainability.

Devices like smart thermostats also have a major impact on energy conservation and cost savings at a time when energy prices are higher than normal.

The researchers found that the thermostat has a WiFi chip that communicates with the internet. It could not distinguish between malicious messages and genuine ones, allowing a hacker to “send commands to the thermostat, including writing a malicious update to the device.”

When asked what kind of attacker would target a vulnerability like this, Botezatu explained that the issue is “low-hanging fruit.”

“Easy enough to exploit, great enough in terms of impact. Opportunistic hackers would take it just to demonstrate their skills,” he said. “More focused hackers would probably use it to gain persistence on the network and use the thermostat as a pivot point to more interesting targets on the network (NAS [network attached storage], cameras).”

Bitdefender warned that in general, people should closely monitor IoT devices and “isolate them as completely as possible from the local network.”

NewsTechnology
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 

Total
0
Shares
Previous Post

Microsoft to keep all European cloud customers’ personal data within EU

Next Post

End-of-life Cisco routers targeted by China’s Volt Typhoon group

Related Posts

North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks

The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft. "Phishing emails were sent mainly through email services in Japan and Korea until early September," South Korean cybersecurity company Genians said. "Then, from mid-September,
Avatar
Read More