Do you have a digital thermostat in your home?
Are you confident that it has been configured securely, and cannot be exploited by remote hackers?
Maybe now is a good time to check that the latest gadgetry you’ve introduced to your home is safe, after digital thermostat manufacturer Heatmiser contacted its customers, informing them that their devices are vulnerable to attacks which could leak their WiFi credentials.
As ThreatPost describes, the vulnerabilities were brought to Heatmiser's attention by bug hunter Andrew Tierney, who documented the various problems he found with the devices and found more than 7,000 vulnerable thermostats exposed to the internet.
The digital thermostats make the cardinal mistake of shipping with default usernames and passwords (both “admin” - imaginative, eh?) and an access PIN of “1234”.
Disappointingly, at no point is a stronger password or PIN advised, let alone enforced.
That would be bad enough, but further examination by Tierney uncovered a method by which it was possible to access any of the device’s administration pages, regardless of whether the username and password had been guessed or not.
In a mastery of understatement, the researcher summed up this particular flaw as “really not good.”
Tierney also found that, once logged into a Heatmiser device, the user's username, password, WiFi SSID and WiFi password "are all filled into the form and can be viewed easily by examining the source of the webpage."
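The leak described above is easy to check for on any device with a web admin page: fetch the settings page while logged in and look for form fields that arrive with a secret already in their value attribute. The scanner below is an added example (not Tierney's tooling and not Heatmiser's code); the two HTML pages it scans are constructed to resemble a vulnerable and a corrected settings form, and the field names and the list of "secret-looking" names are assumptions.

```python
"""Added example (not from the article, Tierney's write-up or Heatmiser): find
credentials that a device's settings page pre-fills into its form fields, so
that anyone who can load the page can read them from its source. The HTML
samples below are constructed; the field names are assumptions, not Heatmiser's.
"""
from html.parser import HTMLParser
import re

# Names that usually hold a secret. Heuristic and an assumption: tune it for
# the device under test (e.g. add the vendor's own field names).
SECRET_NAME = re.compile(r"pass|pwd|psk|key|pin|secret", re.I)


class PrefilledFieldFinder(HTMLParser):
    """Collects every <input> that arrives with a non-empty value attribute,
    and marks it secret if it is type=password or its name looks secret."""

    def __init__(self):
        super().__init__()
        self.fields = []  # (name, value, is_secret)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name") or a.get("id") or ""
        value = a.get("value", "")
        if not value or a.get("type", "").lower() == "submit":
            return  # empty fields and button labels are not leaks
        is_secret = a.get("type", "").lower() == "password" or bool(SECRET_NAME.search(name))
        self.fields.append((name, value, is_secret))


def prefilled_fields(html):
    """All pre-filled inputs on the page, in document order."""
    p = PrefilledFieldFinder()
    p.feed(html)
    p.close()
    return p.fields


def leaked_secrets(html):
    """Just the fields that should never be sent back to the browser."""
    return [(n, v) for n, v, secret in prefilled_fields(html) if secret]


# Constructed sample: a settings page that echoes stored credentials back
# into the form, which is the behaviour Tierney described.
VULNERABLE_PAGE = """
<form method="post" action="/settings">
  <input name="username" value="admin">
  <input type="password" name="password" value="admin">
  <input name="ssid" value="HomeNet">
  <input type="password" name="wifi_pass" value="correct horse battery">
  <input type="submit" value="Save">
</form>
"""

# Constructed sample: same form, but secrets are never written into the HTML;
# an empty field means "leave unchanged" and the server keeps the stored value.
HARDENED_PAGE = """
<form method="post" action="/settings">
  <input name="username" value="admin">
  <input type="password" name="password" value="" placeholder="unchanged">
  <input name="ssid" value="HomeNet">
  <input type="password" name="wifi_pass" value="" placeholder="unchanged">
  <input type="submit" value="Save">
</form>
"""

if __name__ == "__main__":
    for name, value in leaked_secrets(VULNERABLE_PAGE):
        print(f"secret pre-filled in page source: {name}={value!r}")
    print("hardened page leaks:", leaked_secrets(HARDENED_PAGE))
```

The fix on the device side is the one the hardened sample shows: a password field is rendered empty, and the firmware treats an empty submission as "keep the stored value". Note that the SSID and username are still echoed; that is normal, but it means the page source alone tells an attacker which network the device is on.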
During his investigations, Tierney also found that the devices were vulnerable to a number of other attacks, including cross-site request forgery (CSRF): a web page the user happens to visit can make their browser silently submit a settings change to the thermostat on the local network, and the browser attaches the thermostat's login cookie for it.
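To make the CSRF point concrete, here is an added example (not Heatmiser's firmware and not Tierney's exploit) of the handler pattern that makes a LAN device's settings page forgeable, beside a hardened handler with the two checks that close it. Requests and sessions are modelled as plain dicts so it runs offline; the device address, the form field names and the attacker's site are assumptions.

```python
"""Added example, not Heatmiser's code or Tierney's exploit: the pattern that
makes a LAN device's settings page CSRF-able and the checks that close it.
Requests and sessions are modelled as plain dicts so it runs offline; the
device address, field names and attacker site are assumptions."""
import hmac
import secrets

DEVICE_ORIGIN = "http://192.168.1.50"  # assumed LAN address of the thermostat


def new_session():
    """A browser session that has already logged in (the cookie is implicit).
    The CSRF token is random per session and only ever embedded in the
    device's own pages, which a cross-origin page cannot read."""
    return {"logged_in": True, "csrf_token": secrets.token_hex(16), "settings": {}}


def vulnerable_update(session, request):
    """Accepts any POST that carries the login cookie. A page on another site
    can auto-submit a form to the device's LAN address; the browser attaches
    the cookie, so the attacker's settings are applied."""
    if not session["logged_in"]:
        return 403
    session["settings"].update(request["form"])
    return 200


def hardened_update(session, request):
    """Two independent checks: the Origin (or Referer) header must name the
    device itself, and the form must echo the per-session token."""
    if not session["logged_in"]:
        return 403
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != DEVICE_ORIGIN and not origin.startswith(DEVICE_ORIGIN + "/"):
        return 403  # cross-site submission
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return 403  # token missing or wrong
    session["settings"].update(
        {k: v for k, v in request["form"].items() if k != "csrf_token"})
    return 200


def attacker_request():
    """What an auto-submitting form on evil.example makes the victim's browser
    send. The attacker can guess the device's address and field names but
    cannot read the session token, so the form carries none."""
    return {"headers": {"Origin": "http://evil.example"},
            "form": {"wifi_ssid": "AttackerAP", "wifi_pass": "owned"}}


def legitimate_request(session):
    """A submission from the device's own settings page."""
    return {"headers": {"Origin": DEVICE_ORIGIN},
            "form": {"wifi_ssid": "HomeNet", "csrf_token": session["csrf_token"]}}


def scenarios():
    """Runs the three cases and returns (status, settings) for each."""
    out = {}
    s = new_session()
    out["vulnerable_attacker"] = (vulnerable_update(s, attacker_request()), dict(s["settings"]))
    s = new_session()
    out["hardened_attacker"] = (hardened_update(s, attacker_request()), dict(s["settings"]))
    out["hardened_legitimate"] = (hardened_update(s, legitimate_request(s)), dict(s["settings"]))
    return out


if __name__ == "__main__":
    for case, (status, settings) in scenarios().items():
        print(f"{case}: HTTP {status}, settings={settings}")
```

The important caveat for Heatmiser owners is that this attack needs no port forwarding at all: the victim's own browser, already on the home network, is what reaches the thermostat. Removing the router rule stops strangers on the internet reaching the device directly, but a CSRF weakness remains exploitable through any web page the household visits until the firmware is fixed.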
Tierney informed Heatmiser of the issues he uncovered, and the firm has now emailed its customers a brief security advisory.
Part of the email reads:
A security issue has been identified on our WiFi Thermostat and as a valued customer we want you to be aware so that steps can be taken to secure your heating system.
The security issue is related to the web browser access of your heating system.
It has been identified that if certain steps are carried out, the username and password to your system can be obtained therefore allowing remote access of your system.
We are working as quickly as possible to resolve this issue but in the meantime would ask that you remove the port forwarding to your WiFi Thermostat in your router. This means that remote web browser access won’t work but you will be able to use the SmartPhone App. If you aren’t sure how to do this, please call us on 01254 669090 option 2 so that we can assist you.
Until Heatmiser fixes the vulnerabilities, the most sensible course is to follow the advice above: remove any port-forwarding rule on your router that exposes the thermostat's web interface (port 80) to the internet, and, if you don't need remote control at all, disable the device's WiFi as well. Bear in mind that removing the port forward only stops direct access from outside; the CSRF weakness can still be triggered from inside your own network by a web page you visit, so treat the device as exposed until it is patched.