Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover.
Andrew Tierney, a “reverse-engineer by night,” whose specialty is digging up bugs in embedded systems wrote on his blog cybergibbons.com, that he initially read about vulnerabilities in another one of the company’s products, NetMonitor, and decided to poke around its product line further.
This led him to discover a slew of issues in the company’s Wi-Fi-enabled thermostats running firmware version 1.2. The issues range from simple security missteps to critical oversights.
For example, when users go to connect the thermostat via a Windows utility, it uses default web credentials and PINs.” Using a more challenging password isn’t even suggested or enforced by the device.
Elsewhere, the thermostat leaks Wi-Fi credentials, like its password, username, Service Set Identifier (SSID) and so on, when its logged in.
I also note you can see the WiFi credentials of the network they are connected to @HeatmiserUK
— cybergibbons (@cybergibbons) September 18, 2014
Tierney also found that if he wanted to, he could launch cross-site request forgery (CSRF) attacks via the device and send users links containing a malicious request. If an attacker had recently logged into the thermostat, the request would be carried out by the device.
“Once logged into the device with a certain client, other clients on the same machine can access the device as if they were logged in,” he wrote Saturday.
Other problems with the thermostat include the ability to brute force the PIN number the device uses to communicate with iPhones and Android phones, a lack of updateable firmware, and a sloppy log-in interface that could give anyone remote access to the thermostats.
Most of the issues stem from the fact that Heatmiser requires users to forward two ports in their router (80 and 8068) to the thermostat – something that provides users with remote access to the device but “also puts you at risk,” according to Tierney.
As Tierney notes, a search on Shodan, the popular search engine for Internet-connected devices, yields more than 7,000 results for “Heatmiser Wi-Fi Thermostat” devices exposed to the internet.
When contacted by Tierney, Heatmiser reported it was in the middle of investigating the vulnerabilities but until it came up with a solution, was telling users to close port 80 on their thermostat.
A tweet this morning suggests Tierney’s blog post may have ramped up the company’s investigation however, as it claims its contacting customers to inform them of the vulnerability.
A security issue has been identified on our WiFi Thermostat. We are contacting customers to inform them and are working to fix ASAP. 1/2
— Heatmiser UK (@HeatmiserUK) September 22, 2014
The problems have existed for more than a year. John-Louis Persat, a French Digital Creative Director, a/k/a TheCodingFrog, tweeted about the issues involving port 80 and informed the company back in July 2013.
For #security reason everyone using #heatmiser thermostat should block web admin to WAN access, or at least put any port other than 80
— Jean-Louis PERSAT (@TheCodingFrog) January 7, 2013
Persat even made a tool to scan for the thermostats:
@cybergibbons my old heatmiser tool 🙂 @HeatmiserUK pic.twitter.com/sVw0KUYGWb
— Jean-Louis PERSAT (@TheCodingFrog) September 22, 2014
When reached Monday, Martyn Kay, a Director at Heatmiser, insisted the company was working on a fix.
“We are actively working on a solution and whilst we don’t have a timeframe for this, it is an important priority for us and hope to have this rectified very soon.”
