Vulnerability found in an IoT thermostat

Yet Another Security Flaw In The IoT World: A Wi-Fi Enabled Thermostat Open To Potential Attacks

Can’t say we are all that surprised by yet another security vulnerability in an Internet of Things (IoT) device. Heatmiser, a UK manufacturer of digital thermostats, has issued a warning to its customers regarding its Wi-Fi enabled thermostats running firmware 1.2. Andrew Tierney, a reverse engineer who specializes in digging up bugs in embedded systems, discovered the security issues after reading about problems in another Heatmiser product that is no longer on the market.

When a user connects to the thermostat using the Windows utility, the device relies on default credentials and PINs (“admin” as the username and “1234” as the PIN). Once logged into one of the devices, the thermostat also leaks the Wi-Fi credentials: the username, the password and the wireless SSID. The administrative page is also easily reachable over the web without authentication. For example, if the thermostat is installed at a workplace, everyone in the office could access it simply by visiting the page, without ever being asked for login credentials.

Tierney found that he could also launch a cross-site request forgery attack to trick users of the thermostat into executing malicious actions. His recommended mitigation is to stop port-forwarding to both port 80 and port 8068 on the router. This removes remote control of the thermostat over the Internet, but the device remains accessible from inside the house.

This particular model of Heatmiser’s thermostat can be operated by almost anyone, according to Tierney. That fits what industry experts describe as a growing pattern with personal devices: security practices regressing to the poor standards that were prevalent in the ‘90s.

Another security researcher claims to have notified Heatmiser of the issue months ago, apparently without success. Heatmiser says they are working on the issue, and echoes Tierney’s advice to remove the port forwarding to the WiFi thermostat in the router. This would disable remote web browser access but would still allow users to control thermostats from their smartphone app.