Researchers show that thermostats can go rogue, keeping you cool while spying


Cybersecurity researchers from Bitdefender have discovered a vulnerability in the smart Bosch BCC100 thermostat that lets attackers replace its firmware with firmware of their own choosing.

The Bosch BCC100 thermostat has a 5-inch screen, connects to your Wi-Fi, and is a powerful hub controlling home climate devices. Thermostats have a major impact on energy conservation and associated cost savings while making homes noticeably more comfortable.

During a security audit, Bitdefender researchers found a vulnerability affecting some versions of the device. They demonstrated that it was possible to upgrade the thermostat with custom firmware and thereby compromise it.

The thermostat has two microcontrollers. One implements the Wi-Fi functionality and acts as a network gateway; the other, an STM32F103, “is the brain of the device and implements the main logic.” The Wi-Fi chip acts as a gateway/proxy, relaying data to the main microcontroller over a UART (Universal Asynchronous Receiver/Transmitter) link.

“We have discovered that the Wi-Fi chip also listens on TCP port 8899 on the LAN, and will mirror any message received on that port directly to the main microcontroller through the UART data bus. This means that, if formatted correctly, the microcontroller can’t distinguish malicious messages from genuine ones sent by the cloud server. This allows an attacker to send commands to the thermostat, including writing a malicious update to the device,” the researchers said.

That is exactly what they did. After identifying the cloud communication server and observing that its JSON payloads were unmasked and easy to imitate, they sent the “device/update” command to port 8899, telling the device that a new update was available.

This prompts the thermostat to ask the cloud server for details about the update. Even though no update is available and the server responds with an error, the device will accept a forged response containing the update details.

The forged response contains a URL for the firmware image, which must be reachable from the device over the internet. The thermostat checks that the prerequisites match, namely the size and hashes of the update and that its version is higher than the one installed, but those values arrive in the same forged response, so they say nothing about who produced the update. Once the device has downloaded the file, it performs the upgrade.

“At this point, the device is considered totally compromised,” Bitdefender writes. “There are no validation mechanisms for firmware update authenticity.”
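The gap that quote describes, shown as an added Go example (not Bitdefender's or Bosch's code): a size/hash/version check that trusts the manifest it is handed, beside the same check gated on a vendor signature over the manifest bytes. The manifest field names, URL, image bytes and key seeds are constructed assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// UpdateManifest models the "update details" the thermostat consumes; the field
// names are assumptions for this example, not the real Bosch message format.
type UpdateManifest struct{ URL, SHA256 string; Size, Version int }

// Fixed constructed seeds keep the run reproducible; the attacker key stands in for any non-vendor signer.
var vendorKey = ed25519.NewKeyFromSeed([]byte("constructed-vendor-seed-32-bytes"))
var attackerKey = ed25519.NewKeyFromSeed([]byte("constructed-attacker-seed-32byte"))

// weakCheck is the pre-fix logic the article describes: size, hash and version all come from the
// manifest itself, so a forged manifest that matches its own payload passes. It proves integrity, not origin.
func weakCheck(m UpdateManifest, image []byte, current int) error {
	sum := sha256.Sum256(image)
	if len(image) != m.Size || hex.EncodeToString(sum[:]) != m.SHA256 || m.Version <= current {
		return errors.New("size, hash or version check failed")
	}
	return nil
}

// strongCheck adds the missing control: the raw manifest bytes must verify against
// the vendor public key before any field in them is trusted.
func strongCheck(js, sig []byte, image []byte, current int) error {
	if !ed25519.Verify(vendorKey.Public().(ed25519.PublicKey), js, sig) {
		return errors.New("manifest not signed by vendor: rejecting update")
	}
	var m UpdateManifest
	if err := json.Unmarshal(js, &m); err != nil {
		return err
	}
	return weakCheck(m, image, current)
}

// Outcome builds a manifest for a constructed image that passes every size/hash/version check, signs it
// with the given key and reports which check accepts it (installed version is 1, manifest offers 2).
func Outcome(signer ed25519.PrivateKey) (weakOK, strongOK bool) {
	image := []byte("constructed firmware image, not a real binary")
	sum := sha256.Sum256(image)
	m := UpdateManifest{"http://fw.example.invalid/bcc100.bin", hex.EncodeToString(sum[:]), len(image), 2}
	js, _ := json.Marshal(m)
	return weakCheck(m, image, 1) == nil, strongCheck(js, ed25519.Sign(signer, js), image, 1) == nil
}
```

Calling Outcome(attackerKey) shows the attacker-built manifest passing the weak check and failing the signed one; Outcome(vendorKey) passes both.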

Researchers contacted the vendor and submitted a full report on August 29th, 2023. Two and a half months later, the fix was deployed.

While a thermostat is not a very powerful computing device, attackers could still exploit it for privacy invasion, damage to home devices, unauthorized access, energy waste or sabotage, denial of service attacks, or other malicious deeds.

Researchers advise homeowners to closely monitor IoT devices and isolate them from the local network entirely. This can be done by setting up a dedicated network exclusively for IoT devices. Also, they recommend checking for newer firmware and considering home security solutions.

Thermostats are among the IoT devices that make cyber pros the most nervous. Cybernews has reported on the reasons why cybersecurity professionals tend to avoid smart devices altogether.