Before you purchase an IoT device such as a camera, appliance, or thermostat that is built to be remotely accessed or controlled over the internet, consider whether you can realistically care for, and feed, the security needs of one more IoT item. After all, it is safe to say that your IoT puppy will chew holes in your network defenses, having been bred by a vendor that patches new critical security weaknesses belatedly and seldom.
Researchers at Cisco alerted Trane, an HVAC vendor, that its ComfortLink II line of internet-connected thermostats had three different vulnerabilities. These thermostats have a large LCD screen and a BusyBox-based computer that connects directly to your home wireless network, which lets the device display the temperature in your home, local weather forecasts, live weather radar maps, personal photo collections, and more.
Cisco researchers found that ComfortLink devices allow attackers to gain remote access and even use the devices as a jumping-off point into the user's network. Trane has not responded to requests for comment.
One of the major issues is that ComfortLink systems ship with accounts whose passwords are hardcoded. By default, these accounts can be used to log in to the system remotely via SSH, an encrypted communication tunnel that lets users through the firewall.
The other bugs Cisco found allowed attackers to install their own malicious software on the Trane devices and use them to maintain a presence on the victim's local network.
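A defender-side check for the hardcoded-account problem described above, written as an added example (not Cisco's or Trane's code): it audits the passwd and shadow files extracted from a BusyBox firmware image and reports accounts that have a usable login shell together with a fixed or empty password. The sample file contents, account names and hashes are constructed for illustration.

```python
# Audit /etc/passwd and /etc/shadow pulled from a BusyBox firmware image for
# accounts that can still log in (e.g. over SSH) with a vendor-set password.

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}
# crypt(3) prefixes mapped to hash type; anything else is legacy DES crypt.
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}

def parse_colon_file(text):
    """Parse passwd/shadow-style text into {account: [fields...]}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries

def classify_hash(hashed):
    """Name the crypt(3) scheme so weak legacy hashes stand out in the report."""
    return next((n for p, n in HASH_PREFIXES.items() if hashed.startswith(p)), "descrypt")

def find_hardcoded_logins(passwd_text, shadow_text):
    """Return accounts with a login shell whose password is fixed (or empty) in the image."""
    passwd, shadow = parse_colon_file(passwd_text), parse_colon_file(shadow_text)
    findings = []
    for account, fields in passwd.items():
        if len(fields) < 7 or fields[6] in NOLOGIN_SHELLS:
            continue  # malformed entry, or no interactive shell
        hashed = fields[1]
        if hashed == "x":  # the real password field lives in /etc/shadow
            if account not in shadow:
                continue  # no shadow entry: unusable password, login impossible
            hashed = shadow[account][1]
        if hashed.startswith(("*", "!")):
            continue  # locked or disabled account
        if hashed == "":
            findings.append({"account": account, "reason": "empty_password", "hash_type": None})
        else:
            findings.append({"account": account, "reason": "fixed_password",
                             "hash_type": classify_hash(hashed)})
    return findings

# Constructed sample files; the hashes are placeholders, not real firmware contents.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/sh\n" "service:x:100:100:vendor svc:/:/bin/sh\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n" "www:*:33:33:www:/var/www:/bin/sh\n"
                 "guest::1000:1000::/home/guest:/bin/sh\n")
SAMPLE_SHADOW = ("root:$1$saltsalt$PLACEHOLDERMD5CRYPT:17000:0:99999:7:::\n"
                 "service:$6$saltsalt$PLACEHOLDERSHA512CRYPT:17000:0:99999:7:::\n"
                 "daemon:*:17000:0:99999:7:::\n")
```

Running `find_hardcoded_logins(SAMPLE_PASSWD, SAMPLE_SHADOW)` on the sample flags `root` and `service` (fixed passwords, with the weaker md5crypt hash called out) and `guest` (no password at all), while skipping the locked and shell-less accounts.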
In 2015 and 2016, Trane patched the most serious flaw and then fixed the other two bugs as part of a standard update, but gave its customers no indication that the update was important for their protection.
So, what does that mean for the average user?
According to Craig Williams, security outreach manager at Cisco, any compromised IoT device allows access through the network to every other device on that network. To make matters worse, no one has access to their thermostat at the OS layer, so there is no way to tell whether it has been compromised.
No one just wakes up and thinks that it's time to update the firmware on their thermostat. Normally, once such a device is compromised, it stays compromised until it is replaced, which gives an attacker plenty of time to work through a network.
Insecure defaults and hidden accounts aren't unusual in IoT devices. What is more interesting is that patching vulnerable devices can be quite difficult, and is almost impossible for the average user or for anyone who isn't tech savvy.
In an email explaining the research, Williams wrote that for companies with large numbers of IoT devices on their network, there is no way to update devices at that scale, which creates a nightmare scenario. The more IoT devices we see, the more security updates we will see, and this will become a common problem because the lifetime of an IoT device is greater than a normal software lifespan.
You can find Cisco's write-up of the findings online, which includes a link to the Metasploit module the researchers developed to help system administrators find and secure any exploitable systems on their network. It can also be used by bad guys to exploit a vulnerable system, so if you use a ComfortLink system, you should consider updating immediately, before it turns into a Trane wreck.
[Featured image credit: Raconteur / Image cropped]