Vulnerabilities in a Trane smart thermostat allowed an attacker to log in to the device with a default password and to execute arbitrary code via a buffer overflow attack. It took more than a year before all of them were fixed.
According to the timeline published by Cisco's Talos security team, the first vulnerability was reported to the US company Trane in April 2014. The company had used a pre-programmed default password in its ComfortLink II thermostat, which allowed an attacker to log in to the device remotely over an SSL connection. It was also possible to overwrite specific memory segments via two buffer overflow vulnerabilities, potentially allowing arbitrary code execution. However, Trane only released a fix for two of the three vulnerabilities in April 2015, and issued another round of updates in January to fix the remaining one as well.
The Cisco team was unable to find out whether Trane had notified its customers that the patches were available. This is problematic, as the vulnerabilities could allow an attacker to use the thermostat as a foothold to penetrate further into a user's home network and to spread malware from the device. The researchers add that the underlying problem is that 'smart' devices often have no update mechanism, and that users are often unaware that such systems need to be updated manually. Trane only sells the ComfortLink II thermostats in the US, according to its website.