Endpoint Security , Internet of Things Security

Researchers Spot Critical Security Flaw in Bosch Thermostats

Bitdefender Finds Vulnerability in Popular IoT Device
Researchers Spot Critical Security Flaw in Bosch Thermostats
Bosch sent an over-the-air firmware update for smart thermostats in October after Bitdefender found a critical flaw. (Image: Shutterstock)

Thermostats sold across the globe by German multinational engineering company Bosch contained a flaw allowing hackers to cut power to the heating system and override the firmware, warn researchers from cybersecurity firm Bitdefender.

See Also: Securing Enterprise IoT: Advanced Threats and Strategies to Respond

Models that didn't receive a firmware update pushed over the air late last year contain a flaw allowing hackers to brick devices or replace the original firmware, Bitdefender warned. The flaw is tracked as CVE-2023-49722.

Bosch touts the affected model as a "sleek, internet-connected thermostat that offers easy all-in-one control" for home heating, ventilation, and air conditioning systems. Thermostats are the subject of a large percentage of internet of things security research due to their immediate effect on the home, said Bogdan Botezatu, director of threat research at Bitdefender.

"The more we advance with IoT and the more chips become prevalent in physical security devices, the more scared I am," he told Information Security Media Group. This particular flaw requires access to the local network and doesn't appear to have been exploited in the wild. But homeowners have already found their IoT devices turned against them - including the Milwaukee married couple in 2019 who encountered a hacker cranking the heat up to 90 degrees.

"Criminals are looking for devices that are prevalent in people's homes," Botezatu said.

A Bosch spokesman told ISMG the company reacted quickly to Bitdefender's research and pushed a firmware update on Oct. 12. "Our experts continuously monitor threats and implement prompt countermeasures," said Tim Wieland, director of North America corporate communications.

Bosch customers are fortunate their devices can receive over-the-air updates, Botezatu said, since not every IoT device has that capacity. The number of consumers who ordinarily react to a firmware update "is deeply disappointing."

Botezatu also said he draws the line at which smart devices he's willing to personally install in his home. "I wouldn't dare to install a smart lock or a smart smoke sensor," he said. But he added that he does have a smart thermostat - one that is segregated from the internet.

The flaw stemmed from the Wi-Fi chip embedded in the Bosch thermostat. It listened for messages on port 8899 and mirrored them directly to the main microcontroller. The main chip had no way of telling whether a message was benign or malicious; it only looked for correct formatting. "This allows an attacker to send commands to the thermostat, including writing a malicious update to the device," Bitdefender wrote in a Thursday blog post.

Researchers were able to prompt the device to contact the cloud for a firmware update and inject a URL containing a malicious update. "There are no validation mechanisms for firmware update authenticity," Bitdefender wrote. So long as the URL pointing to the fake firmware update conformed to certain specifications - such as the MD5 checksum and a version numbered higher than the current firmware number - the device accepted the update. The URL must point to an internet-accessible server.

Botezatu said Bitdefender is analyzing more IoT devices. "Some of them are really good," he said. "Some of them are really, really bad."

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.