Bitdefender Labs has discovered that the popular Bosch thermostat model BCC100 is vulnerable to cybersecurity threats. This vulnerability could allow a remote attacker to manipulate settings and install malware on the device.
Researchers have discovered vulnerabilities in the Bosch BCC100 thermostat, which could compromise users’ privacy and comfort. The vulnerabilities, discovered by Bitdefender Labs, allow attackers to access thermostat settings and data, manipulate settings remotely, and install malware.
The latest revelations regarding the vulnerable state of IoT devices should not be surprising. From electronic skateboards to coffee machines, from treadmills to security cameras in your room, everything connected to the internet is susceptible to potential threats.
As for the latest development, Bitdefender Labs, creator of the first smart home cybersecurity hub, regularly audits popular IoT hardware for vulnerabilities. Its latest research has revealed vulnerabilities in the Bosch BCC100 thermostat, affecting versions 1.7.0 – HD Version 4.13.22.
Bitdefender researchers discovered the vulnerability on August 29, 2023, but the details of it were only published on January 11, 2024. The vulnerability allows attackers to replace device firmware with a rogue version (CVE-2023-49722). The vulnerability was confirmed and triaged in October 2023, and Bosch started working on a fix immediately. Bitdefender responsibly disclosed the flaw on January 11, 2024.
To understand the flaw, it is essential to know how the BCC100 thermostat works. The thermostat uses two microcontrollers: a Hi-Flying chip (HF-LPT230) for Wi-Fi functionality and an STMicroelectronics chip (STM32F103) for implementing the main logic.
The STM chip lacks networking capabilities and relies on the Wi-Fi chip for communication. The Wi-Fi chip listens on TCP port 8899 on the LAN and, via the UART data bus, it mirrors any message received directly to the main microcontroller.
However, if properly formatted, the microcontroller cannot differentiate between malicious and genuine messages sent by the cloud server. An attacker can exploit this to send commands to the thermostat, including malicious updates.
The thermostat communicates with the connect.boschconnectedcontrol.com server via JSON-encoded payloads over a WebSocket, which are unmasked, and easy to imitate. The device initiates the “device/update” command on port 8899, triggering the thermostat to request details from the cloud server.
Despite an error code, the device accepts a forged response with the firmware update details, including the URL, size, MD5 checksum, and version. The device then requests the cloud server to download the firmware and send it through the WebSocket, ensuring the URL is accessible. Once the device receives the file, it performs the upgrade, finalizing the compromise.
According to Bitdefender Labs’ blog post, users are advised to follow necessary security practices. This includes updating the thermostat firmware, changing the default administrative password, avoiding connecting the thermostat to the internet unnecessarily, and using a firewall to restrict access from unauthorized devices.
Bitdefender Labs has stressed the significance of selecting secure smart home devices and ensuring their timely updates with the latest security patches. For specific details, refer to Bosch’s security advisory published on January 9, 2023.
Nevertheless, this research highlights that even seemingly innocuous smart devices can pose security risks. As the smart home market continues to grow, manufacturers must prioritize security and ensure a safe and reliable connected environment.
- The Pros and Cons of Smart Homes
- Are Smart Home Devices Invading Your Privacy?
- White hat hacker infects smart coffee machine with ransowmare
- AXIS A1001 Network Door Controller Flaw Exposes Secure Facilities
- Controller-level flaws can let hackers physically damage moving bridges
- Power Grids to Airports: TETRA Radio Hacking Risks Global Infrastructure