Digital thermostats from Heatmiser are wide open to takeover thanks to default login credentials and myriad other security flaws.
The UK-based manufacturer has promised to develop a fix. Pending the arrival of a patch, users are advised to disable the device's Wi-Fi capability.
The security flaws were discovered by Andrew Tierney, a reverse engineer who specialises in locating flaws in embedded computing kit. Tierney began probing for flaws in Heatmiser's Wi-Fi-enabled thermostats after reading about problems in another (old and discontinued) Heatmiser product, NetMonitor.
Tierney discovered that when users connect the thermostat via a Windows utility it uses default usernames and PINs ("admin" with an access PIN of "1234"). When logged into one of the devices, the thermostat reveals Wi-Fi login credentials (password and username) and Service Set Identifier (SSID). And the admin page is easily accessible over the net, regardless of whether or not the accessor has guessed the username and password. To cap everything, the device is vulnerable to cross-site request forgery (CSRF) attacks, which means "that if I log in to my thermostat at work, anyone else in my workplace can access my thermostat simply by visiting the page without any need for credentials," Tierney explains.
The security researcher discovered more than 7,000 potentially vulnerable internet-connected thermostats using the Shodan search engine.
"If you want a thermostat that can't be activated by just about anyone, then I would suggest returning your Heatmiser Wi-Fi thermostat," Tierney concludes. "My recommendation would be to stop port-forwarding to both port 80 and 8068. You will lose remote control, but would still be able to access the thermostat from inside your house."
In response, Heatmiser has contacted its customers, acknowledging some of the problems and promising to improve security of the devices.
A security issue has been identified on our WiFi Thermostat… It has been identified that if certain steps are carried out, the username and password to your system can be obtained, therefore allowing remote access of your system.
We are working as quickly as possible to resolve this issue but in the meantime would ask that you remove the port forwarding to your WiFi Thermostat in your router. This means that remote web browser access won’t work but you will be able to use the SmartPhone App.
"A security issue has been identified on our WiFi Thermostat. We are contacting customers to inform them and are working to fix ASAP," HeatmiserUK explained in an update to its official Twitter account.
French security researcher Jean-Louis Perstat responded to this by stating that he'd notified Heatmiser about security problems in its kit months ago, apparently without success.
Screenshots of Heatmiser's currently insecure setup and other commentary can be found in a blog post by security veteran Graham Cluley here.