That shiny Internet of Things thermostat might look oh-so cool on the wall, but new research from Cisco shows it could be harboring a whole host of ugly malware.
Back in April 2014, the Cisco Talos security team alerted Trane that its Wi-Fi-connected ComfortLink II thermostat had some serious security flaws. The most egregious was the hardcoding of SSH passwords in the device.
The SSH service is exposed to the network, meaning a nearby hacker who can get onto the gadget's Wi-Fi can use the credentials to login and execute code remotely. This design flaw is particularly bad news for you if the thermostat is facing the public internet, allowing anyone on the planet to potentially infiltrate the gizmo.
The other two flaws were buffer overflow vulnerabilities that could be used to gain access by sending unreasonably long data requests to the device. With trial and error, an attacker could overwrite sections of the device's memory and perform remote code execution.
Once inside the ComfortLink II, the assailant would have the ability to turn the device into a little malware store that could be used to infect other devices using the same wireless network as the so-called "smart" thermostat. It's a serious issue and you'd think Trane would want to fix it.
Not so, it seems. The Talos team sent Trane a warning in April, then another in June, and yet again in August and September. Nothing was heard from the firm.
In April 2015, one year after the first alert, Trane fixed the hardcoded password issue with a new release of the ComfortLink's firmware. Cisco then tipped off US CERT about the remaining issues. Trane eventually addressed the flaws in its code in January 2016, but didn't tell its customers that new firmware is available.
The security fixes aren't installed automatically, either: you need to download the update to an SD card, and then plug said card into the thermostat to perform the installation.
"The unfortunate truth is that few people think 'Hey! It's the first Monday of the month! I should check and see if my TV needs to be patched!'" said Alex Chiu, a threat researcher at Cisco Talos.
"As a result, IoT devices that do not have an easy-to-use notification and updating mechanism are prone to being left alone, out of date, and vulnerable to compromise. This is similar to the fact that there are unpatched systems on the internet that are still vulnerable to Shellshock and Heartbleed and will remain vulnerable for the foreseeable future."
He raises a fair point – while everyone is cock-a-hoop these days for shiny IoT devices, almost no one is updating their operating systems. Even IT managers seldom give thought to updating the office thermostat when there 101 other things requiring urgent attention on the network. ®