Industrial monolith sold hackable thermostats, says expert

Trane's Comfortlink XL850 was vulnerable to hacking, making it possible for burglars to access customers' private data and determine if owners were home or not

Torbjörn Arvidson

Commonly installed Trane thermostats were vulnerable to hacking for a while, says a security firm. The Internet of Things-connected gadgets had been liable to provide burglar-friendly, private information because their authentication system was weak and they used hardcoded credentials, Trustwave claims in its SpiderLabs blog.

Trane is an Ingersoll Rand brand that specializes in heating, ventilation and air conditioning systems (HVAC). Ireland-based Ingersoll Rand is a “$13 billion global business,” it proclaims on its website.


The Trane-branded, residentially oriented Comfortlink XL850 thermostat was the culprit, SpiderLabs says. Researchers say they found that although internet, “Wi-Fi connectivity, remote service, remote control and ZWave features” are included in that model, it wasn’t secure until repeated attempts over multiple months to contact the company led to a patch being issued. That patch is now finally being rolled out via the internet connection.

The model’s connectivity features are designed to let end users remotely manage their heating and cooling schedule, along with temperature. However, models running the earlier, now superseded firmware would still be “vulnerable to information disclosure and remote access due to a weak authentication mechanism and hardcoded credentials.”

“A custom protocol and a predictable port number” is at the root of the trouble. That allows access to all areas of the thermostat from the network or internet, including by attackers. And the researcher found that with the earlier firmware, the device was still accessible even when some of the feature set was switched off.

Other problems included GitHub code repositories from Nexia, a third party involved in the device, being overly open. That, too, got cleaned up eventually.

Why thermostat data needs to be protected

“Once an attacker has gained access, they can quickly extract all information from the device,” Trustwave says. That includes “the home heating and cooling schedule, current operation mode, current temperature, chat and alarm history, serial number, active socket connections, trusted URLs, secret IDs, software version info and detailed address and installer information.”

The HVAC system’s dormant hours (in other words, when the climate control is off or in standby) would at a minimum be a security risk because they could give a potential robber times when the home may be empty.

An expensive problem that could be created through a thermostat hack is malicious damage caused by setting temperatures too high or too low. Winter-time damage could include frozen, burst water pipes.

More sinister possibilities, too, have been studied on unrelated thermostats by a penetration tester who in 2015 hypothesized that hackers could gain access to power plants through IoT thermostats.

This Trane incident is not the first time I’ve written of IoT manufacturers being unreceptive to security reports. Security firm Bitdefender, too, uncovered a residential IoT security issue, and in its case, couldn’t get a manufacturer to patch it.

Trustwave claims its initial attempts to contact Trane’s offices resulted in bounced emails and ignored communications, and that it took them two months to speak to the right person.

Extraordinarily, one email came back from someone saying: “Trane already has a dedicated team for security risks and the like, so I think it would be a good idea to let them handle this and any future vulnerabilities.”

Amusingly, Ingersoll Rand did not respond to my request for a comment.

Copyright © 2016 IDG Communications, Inc.
