Cisco’s threat intelligence arm Talos has uncovered three vulnerabilities in Trane’s ComfortLink II thermostats that could give attackers complete control of the devices, including the ability to run arbitrary code on them.
The first vulnerability stems from hardcoded credentials for a service running on the device. Because the credentials are baked into the firmware rather than set by the owner, anyone who knows them can log in remotely over SSH and take full control, landing in a fully functional BusyBox environment (the standard toolkit for embedded Linux systems).
The remaining two vulnerabilities affect the device’s DSS service.
Both are buffer overflows: the service copies attacker-supplied data into a fixed-size region of memory without checking that it fits, so adjacent memory can be overwritten with values of the attacker’s choosing, which can be leveraged to execute arbitrary code.
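To illustrate the class of bug described above, the following C program is an added example, not code from the thermostat, from Trane or from Talos (the DSS service’s code is not public). A hypothetical length-prefixed message parser copies a field into a fixed buffer, first trusting the supplied length and then rejecting anything that would not fit; the `record` struct, the wire format, the function names and the sample messages are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16

/* Hypothetical record kept by the service: a fixed-size name buffer
 * followed by a privilege flag. Bytes written past name[] land in is_admin. */
struct record {
    char name[NAME_CAP];
    int  is_admin;
};

/* Hypothetical wire format: one length byte followed by that many name bytes. */

/* Vulnerable parser: checks that the message holds `len` bytes (so the read
 * stays in bounds) but never checks that name[] can hold them (so the write
 * does not). A length above NAME_CAP overwrites whatever follows the buffer. */
int parse_record_unsafe(const uint8_t *msg, size_t msg_len, struct record *rec)
{
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];
    if (1 + len > msg_len)
        return -1;
    memset(rec, 0, sizeof *rec);
    memcpy(rec->name, msg + 1, len);   /* no bound on len versus NAME_CAP */
    return 0;
}

/* Hardened parser: same format, but any field that would not fit in name[]
 * with room for a terminating NUL is rejected before the copy happens. */
int parse_record_safe(const uint8_t *msg, size_t msg_len, struct record *rec)
{
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];
    if (1 + len > msg_len)
        return -1;
    if (len >= NAME_CAP)               /* the check the unsafe version lacks */
        return -1;
    memset(rec, 0, sizeof *rec);
    memcpy(rec->name, msg + 1, len);
    rec->name[len] = '\0';
    return 0;
}

/* Constructed sample messages (not captured from any device). */
static const uint8_t benign_msg[] = { 5, 'l', 'o', 'b', 'b', 'y' };

/* Length byte 20: 16 bytes fill name[], the remaining 4 overwrite is_admin. */
static const uint8_t hostile_msg[] = { 20,
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    0x01, 0x01, 0x01, 0x01 };

int main(void)
{
    struct record rec;

    parse_record_unsafe(hostile_msg, sizeof hostile_msg, &rec);
    printf("unsafe parser: is_admin = %d (attacker-controlled)\n", rec.is_admin);

    int rc = parse_record_safe(hostile_msg, sizeof hostile_msg, &rec);
    printf("safe parser:   rc = %d (message rejected before any copy)\n", rc);

    parse_record_safe(benign_msg, sizeof benign_msg, &rec);
    printf("safe parser:   name = \"%s\", is_admin = %d\n", rec.name, rec.is_admin);
    return 0;
}
```

Compile with optimisation off to watch the hostile message set `is_admin`; with glibc’s `_FORTIFY_SOURCE` enabled at `-O2` the unsafe copy may instead abort with a "buffer overflow detected" message, which is a runtime backstop for exactly the check the hardened parser performs up front.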
Trane has since released firmware version 4.0.3 to address these vulnerabilities.
For deployments where the firmware cannot be updated, Talos recommends blocking SSH traffic to and from the devices to reduce the risk of compromise. Note that this mitigation targets the hardcoded-credential issue; on its own it does not address the overflows in the DSS service.
“The fact that these thermostats contain a fully functional, unrestricted BusyBox environment that could be used to download files, compile code and execute arbitrary commands is a strong indication Trane is not following industry recommended, secure development practices,” Talos threat researcher Alex Chiu said in the disclosure blog post.
“While IoT devices such as smart thermostats, home lighting, and security systems bring an added level of convenience to our lives, these vulnerabilities highlight the dangers of insecure development practices.”