‘Heatmiser smart thermostats are vulnerable to attacks’ – update
According to a security researcher, the ‘smart’ thermostats of the British company Heatmiser are highly vulnerable because of poor security. The devices can be attacked in several ways.
The manufacturer states in the manual of its thermostats, which are reachable over WiFi, that ports 80 and 8068 must be opened on the router in order to reach the device from outside. Port 8068 is used almost exclusively by Heatmiser equipment, which makes the thermostats easy to find with a port scan, security researcher Cybergibbon writes on his blog.
Many systems are then easy to get into with default credentials such as ‘admin/admin’, because the manufacturer does not force users to choose their own combination. Heatmiser’s apps can also be cracked: they are protected by a PIN code that can be recovered by brute force, since access is not blocked after a number of failed attempts. Because the PIN is at most four digits, there are only 10,000 possible combinations, and trying them all should succeed within an hour and a half.
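To make the brute-force arithmetic concrete, here is an added example (not code from Heatmiser or from the researcher's post) that models a four-digit PIN check without a lockout, as the article describes, next to one that locks out after a number of failures. The lockout threshold, the lockout window and the attempt rate are assumptions chosen for illustration.

```python
"""Four-digit PIN brute force, with and without a lockout.

Added example; it models the attack the article describes and is not code
from Heatmiser or from the researcher's post. The lockout threshold, window
and attempt rate are assumptions chosen for illustration.
"""
import time

# The whole keyspace of a four-digit PIN: 0000 to 9999, 10,000 values.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


class PinVerifier:
    """Checks a PIN; optionally locks out after too many failures."""

    def __init__(self, secret, max_failures=None, lockout_seconds=900,
                 clock=time.monotonic):
        self.secret = secret
        self.max_failures = max_failures      # None: no lockout, as the article describes
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable so a test need not sleep
        self.failures = 0
        self.locked_until = 0.0

    def check(self, guess):
        now = self.clock()
        if now < self.locked_until:
            return "locked"
        if guess == self.secret:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return "wrong"


def brute_force(verifier):
    """Try every PIN in order. Returns (pin or None, attempts made, hit a lockout)."""
    for attempts, guess in enumerate(PIN_SPACE, start=1):
        result = verifier.check(guess)
        if result == "ok":
            return guess, attempts, False
        if result == "locked":
            return None, attempts, True
    return None, len(PIN_SPACE), False


def seconds_to_exhaust(attempts_per_second, keyspace=len(PIN_SPACE)):
    """Time to try the whole keyspace when nothing throttles the attacker."""
    return keyspace / attempts_per_second


def worst_case_with_lockout(max_failures, lockout_seconds, keyspace=len(PIN_SPACE)):
    """Time to try the whole keyspace when every block of max_failures guesses
    costs one lockout window (the attempts themselves are treated as instant)."""
    return keyspace / max_failures * lockout_seconds


if __name__ == "__main__":
    pin, tries, _ = brute_force(PinVerifier("4242"))
    print(f"no lockout: found {pin} after {tries} attempts")
    print(f"10,000 attempts at 2/s take {seconds_to_exhaust(2.0) / 3600:.2f} h")
    pin, tries, locked = brute_force(PinVerifier("4242", max_failures=5))
    print(f"with lockout: found {pin}, stopped after {tries} attempts, locked={locked}")
    print(f"5 tries per 15-minute lockout: "
          f"{worst_case_with_lockout(5, 900) / 3600:.0f} h worst case")
```

At roughly two guesses per second the unthrottled keyspace falls in well under two hours, which matches the article's estimate; with five guesses per fifteen-minute lockout the same keyspace takes on the order of 500 hours in the worst case, which is why a simple attempt limit matters more than PIN length here.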
Furthermore, WiFi passwords and login credentials are sent unencrypted over HTTP, and the JavaScript-based authentication mechanism is inadequately secured at several levels. The web interface is also vulnerable to cross-site request forgery: any website a user opens can make the browser send commands to the thermostat’s web interface.
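The cross-site request forgery problem can be shown in a few lines. The following is an added example, not code from Heatmiser or from the researcher: it models a state-changing endpoint that trusts the session cookie alone, which any third-party page can trigger because the browser attaches the cookie for it, beside a version that also demands a per-session anti-CSRF token that only the interface's own pages can read. Requests are modelled as plain dicts and the session cookie value is a placeholder.

```python
"""CSRF on a state-changing thermostat endpoint, vulnerable and hardened.

Added example, not code from Heatmiser or from the researcher's post. Requests
are modelled as dicts with 'cookies' and 'form'; the session check is a
placeholder and VALID_SESSION is an assumed cookie value.
"""
import hmac
import secrets


class Thermostat:
    def __init__(self):
        self.setpoint = 20.0


VALID_SESSION = "s3ss10n"  # assumed cookie value of an authenticated browser


def vulnerable_set_temp(thermostat, request):
    """Trusts the session cookie alone. The browser attaches that cookie to any
    request aimed at the thermostat, including one built by another website."""
    if request["cookies"].get("session") != VALID_SESSION:
        return 401
    thermostat.setpoint = float(request["form"]["temp"])
    return 200


class CsrfProtectedInterface:
    """Requires a per-session anti-CSRF token embedded in the interface's own form.
    A page on another origin cannot read that token, so its forged request lacks it."""

    def __init__(self, thermostat):
        self.thermostat = thermostat
        self.tokens = {}  # session cookie value -> token issued with the page

    def render_form(self, session):
        """Called when the legitimate UI page is served; returns the token to embed."""
        token = secrets.token_hex(16)
        self.tokens[session] = token
        return token

    def set_temp(self, request):
        session = request["cookies"].get("session")
        if session != VALID_SESSION:
            return 401
        expected = self.tokens.get(session)
        supplied = request["form"].get("csrf_token", "")
        if expected is None or not isinstance(supplied, str):
            return 403
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return 403
        self.thermostat.setpoint = float(request["form"]["temp"])
        return 200


def forged_request():
    """Constructed request a malicious page can trigger: the browser supplies the
    cookie, the attacker supplies the form body, and no token is available."""
    return {"cookies": {"session": VALID_SESSION}, "form": {"temp": "35"}}


def demo():
    """Runs the forged request against both endpoints, then a legitimate one.
    Returns (vuln status, vuln setpoint, forged status, setpoint after forgery,
             legit status, setpoint after legit request)."""
    t1 = Thermostat()
    vulnerable_status = vulnerable_set_temp(t1, forged_request())

    t2 = Thermostat()
    ui = CsrfProtectedInterface(t2)
    ui.render_form(VALID_SESSION)  # the user loaded the real page earlier
    forged_status = ui.set_temp(forged_request())
    after_forged = t2.setpoint

    legit = {"cookies": {"session": VALID_SESSION},
             "form": {"temp": "21.5", "csrf_token": ui.render_form(VALID_SESSION)}}
    legit_status = ui.set_temp(legit)
    return (vulnerable_status, t1.setpoint, forged_status, after_forged,
            legit_status, t2.setpoint)


if __name__ == "__main__":
    print(demo())
```

The token is the primary fix; checking the Origin or Referer header on state-changing requests is a reasonable second layer, and neither helps while the interface is also reachable over plain HTTP with default credentials, which the article lists as separate problems.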
According to Cybergibbon, Heatmiser made numerous beginner’s mistakes when developing its firmware. In addition, there is no straightforward way for end users to upgrade the firmware themselves: after contacting the helpdesk, a user can receive a hardware programmer by post against a deposit, after which the thermostat has to be taken off the wall to be flashed with the new firmware. A number of thermostat users report that various bugs are also present in newer firmware versions.
Heatmiser has let it be known that it is working on new firmware to fix the issues mentioned. The firmware will be offered to affected customers. In the meantime, the company says users should block web access via port 80 pending the new firmware.
Update 14:33: Heatmiser’s response added and update process explained in more detail.