Endpoint Security , Internet of Things Security
Researchers Spot Critical Security Flaw in Bosch Thermostats
Bitdefender Finds Vulnerability in Popular IoT DeviceThermostats sold across the globe by German multinational engineering company Bosch contained a flaw allowing hackers to cut power to the heating system and override the firmware, warn researchers from cybersecurity firm Bitdefender.
See Also: MDR Executive Report
Models that didn't receive a firmware update pushed over the air late last year contain a flaw allowing hackers to brick devices or replace the original firmware, Bitdefender warned. The flaw is tracked as CVE-2023-49722.
Bosch touts the affected model as a "sleek, internet-connected thermostat that offers easy all-in-one control" for home heating, ventilation, and air conditioning systems. Thermostats are the subject of a large percentage of internet of things security research due to their immediate effect on the home, said Bogdan Botezatu, director of threat research at Bitdefender.
"The more we advance with IoT and the more chips become prevalent in physical security devices, the more scared I am," he told Information Security Media Group. This particular flaw requires access to the local network and doesn't appear to have been exploited in the wild. But homeowners have already found their IoT devices turned against them - including the Milwaukee married couple in 2019 who encountered a hacker cranking the heat up to 90 degrees.
"Criminals are looking for devices that are prevalent in people's homes," Botezatu said.
A Bosch spokesman told ISMG the company reacted quickly to Bitdefender's research and pushed a firmware update on Oct. 12. "Our experts continuously monitor threats and implement prompt countermeasures," said Tim Wieland, director of North America corporate communications.
Bosch customers are fortunate their devices can receive over-the-air updates, Botezatu said, since not every IoT device has that capacity. The number of consumers who ordinarily react to a firmware update "is deeply disappointing."
Botezatu also said he draws the line at which smart devices he's willing to personally install in his home. "I wouldn't dare to install a smart lock or a smart smoke sensor," he said. But he added that he does have a smart thermostat - one that is segregated from the internet.
The flaw stemmed from the Wi-Fi chip embedded in the Bosch thermostat. It listened for messages on port 8899 and mirrored them directly to the main microcontroller. The main chip had no way of telling whether a message was benign or malicious; it only looked for correct formatting. "This allows an attacker to send commands to the thermostat, including writing a malicious update to the device," Bitdefender wrote in a Thursday blog post.
Researchers were able to prompt the device to contact the cloud for a firmware update and inject a URL containing a malicious update. "There are no validation mechanisms for firmware update authenticity," Bitdefender wrote. So long as the URL pointing to the fake firmware update conformed to certain specifications - such as the MD5 checksum and a version numbered higher than the current firmware number - the device accepted the update. The URL must point to an internet-accessible server.
Botezatu said Bitdefender is analyzing more IoT devices. "Some of them are really good," he said. "Some of them are really, really bad."