Vulnerability affecting smart thermostats patched by Bosch


German technology manufacturer Bosch fixed a vulnerability affecting a popular line of smart thermostats in October, the company disclosed this week.

Researchers from Bitdefender discovered an issue with Bosch BCC100 thermostats last August that lets an attacker on the same network replace the device firmware with a rogue version.

Bogdan Botezatu, director of threat research and reporting at Bitdefender, told Recorded Future News that an attacker could use the vulnerability — tracked as CVE-2023-49722 — to render the device inoperable.

“By replacing its firmware, the attacker could prevent the thermostat from booting up – making it useless. While the thermostat is still on the wall, it would be impossible for the user to modify temperature and working modes,” Botezatu said.

“Additionally, a hacker could also plant a backdoor along with the original operating system of the thermostat to be able to connect to the network from the outside. The worst-case scenario allows an attacker to replace the original firmware with a Linux distribution of their choice and use this newly acquired foothold into the network to sniff traffic, pivot on other devices, and so on.”

A spokesperson for Bosch confirmed that Bitdefender notified them of the issue on August 29. They said the issue only affects Bosch Home Comfort thermostats sold in the U.S. and Canada. The thermostats are available on Amazon for about $125.

The company spent the next few weeks developing a solution and made sure that the issue was limited to that specific device. The bug carries a CVSS severity score of 8.3.

“On October 12, a software update was pushed to all affected customers,” the spokesperson said, sharing a link to an advisory released this week by the Bosch Product Security Incident Response Team.

In a report released on Thursday by Bitdefender, researchers said they began to audit popular internet of things (IoT) hardware, and smart thermostats in particular, because more consumers are turning to them for energy efficiency and environmental sustainability.

Devices like smart thermostats also have a major impact on energy conservation and cost savings at a time when energy prices are higher than normal.

The researchers found that the thermostat has a WiFi chip that communicates with the internet. It could not distinguish between malicious messages and genuine ones, allowing a hacker to “send commands to the thermostat, including writing a malicious update to the device.”
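The root cause described above is an update path that accepts any well-formed message from the local network without checking where it came from or whether the image is genuine. The toy handler below is an added illustration, not Bitdefender's proof of concept or Bosch's code: the message format, the `write_firmware` command name, the sample images and the shared key are all constructed for this example. It shows the weak handler beside a hardened one that refuses an image unless its digest and integrity tag check out. A real device would hold only a public key and verify an asymmetric signature over the image; HMAC with a shared key is used here solely to keep the example self-contained.

```python
"""
Added example (not from the Bitdefender report or Bosch's firmware):
a toy firmware-update handler in the shape the article describes,
with the unverified form beside a hardened one. Message layout, key
and command name are assumptions for illustration only.
"""
import hashlib
import hmac

# Constructed sample key shared by the vendor's build pipeline and the device.
# (Hypothetical: a production device would verify an asymmetric signature
# with an embedded public key instead of holding a shared secret.)
DEVICE_UPDATE_KEY = b"example-shared-update-key-do-not-use"

# Constructed sample firmware images.
GENUINE_IMAGE = b"THERMOSTAT-FW-v1.0.1-constructed-sample"
ROGUE_IMAGE = b"ROGUE-IMAGE-constructed-sample"


def sign_update(image: bytes, key: bytes = DEVICE_UPDATE_KEY) -> dict:
    """Vendor side: wrap an image with a digest and an integrity tag over it."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"cmd": "write_firmware", "sha256": digest, "tag": tag, "image": image.hex()}


def unsigned_update(image: bytes) -> dict:
    """A message with no valid tag, as any sender on the same network could produce."""
    return {"cmd": "write_firmware", "sha256": hashlib.sha256(image).hexdigest(),
            "tag": "0" * 64, "image": image.hex()}


def unverified_handler(msg: dict) -> str:
    """Weak form: anything that looks like an update command is written to flash."""
    if msg.get("cmd") != "write_firmware":
        return "ignored"
    image = bytes.fromhex(msg["image"])
    return f"flashed {len(image)} bytes"  # no check of origin or integrity


def verified_handler(msg: dict, key: bytes = DEVICE_UPDATE_KEY) -> str:
    """Hardened form: reject the update unless digest and tag both verify."""
    if msg.get("cmd") != "write_firmware":
        return "ignored"
    try:
        image = bytes.fromhex(msg["image"])
    except (KeyError, TypeError, ValueError):
        return "rejected: malformed"
    digest = hashlib.sha256(image).hexdigest()
    if digest != msg.get("sha256"):
        return "rejected: digest mismatch"
    expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag via timing.
    if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
        return "rejected: bad signature"
    return f"flashed {len(image)} bytes"


if __name__ == "__main__":
    genuine = sign_update(GENUINE_IMAGE)
    rogue = unsigned_update(ROGUE_IMAGE)
    for name, handler in (("unverified", unverified_handler), ("verified", verified_handler)):
        print(f"{name:10} genuine -> {handler(genuine)}")
        print(f"{name:10} rogue   -> {handler(rogue)}")
```

Run as written, the unverified handler flashes both images, while the verified one accepts only the vendor-signed message and reports why it rejects the others; the same structure is what an update path needs regardless of transport, since network position alone should never authorize a firmware write.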

When asked what kind of attacker would target a vulnerability like this, Botezatu explained that the issue is “low-hanging fruit.”

“Easy enough to exploit, great enough in terms of impact. Opportunistic hackers would take it just to demonstrate their skills,” he said. “More focused hackers would probably use it to gain persistence on the network and use the thermostat as a pivot point to more interesting targets on the network (NAS [network attached storage], cameras).”

Bitdefender warned that in general, people should closely monitor IoT devices and “isolate them as completely as possible from the local network.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

