Very Dumb Security For A WiFi Thermostat

We have finally figured out what the Internet of Things actually is. It turns out, it’s just connecting a relay to the Internet. Not a bad idea if you’re building a smart, Internet-connected thermostat, but you have no idea how bad the security can be for some of these devices. The Heatmiser WiFi thermostat is probably the worst of the current round of smart home devices, allowing anyone with even a tiny amount of skill to control one of these thermostats over the Internet.

The Heatmiser is a fairly standard thermostat, able to connect to an 802.11b network and controllable through iOS, Android, and browser apps. Setting this up on your home network requires you to forward port 80 (for browser access) and port 8068 (for iOS/Android access). A username, password, and PIN are required to change the settings on the device, but the default credentials of user: admin, password: admin, and PIN: 1234 are allowed. If you’re on the same network as one of these devices, these credentials can be seen by looking at the source of the webpage hosted on the thermostat.

If you connect to this thermostat with a browser, you’re vulnerable to cross-site request forgery. If you use the Android or iOS apps to access the device with the custom protocol on port 8068, things are even worse: there is no rate limiting for the PIN, and with only four digits and no username required, it’s possible to unlock this thermostat by trying all 10,000 possible PINs in about an hour.
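The "10,000 PINs in about an hour" figure follows directly from the absence of rate limiting: roughly 0.36 seconds per guess, nothing slowing the guesser down. The following Python is an added example, not code from the Hackaday post or from Heatmiser's firmware. It models a server-side PIN check with an optional per-source lockout policy and simulates the defender's worst case (one source walks 0000 to 9999 and the real PIN is the last one) so that the as-shipped behaviour (`max_failures=None`) can be compared with a fixed 60-second lockout and with a doubling lockout capped at one hour. The PIN `9999`, the source address `203.0.113.7`, the lockout parameters, and the per-attempt time derived from the post's one-hour figure are all constructed for the example.

```python
"""Added example: PIN verification with and without a lockout policy.
Not code from the Hackaday post or from Heatmiser. The PIN, the source
address, the lockout parameters and the per-attempt time are constructed."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

PIN_SPACE = 10_000                       # four decimal digits
SECONDS_PER_ATTEMPT = 3600 / PIN_SPACE   # ~0.36 s, from the post's "about an hour"


@dataclass
class PinGuard:
    """Server-side PIN verifier with an optional per-source lockout.

    After `max_failures` consecutive wrong PINs the source is locked out for
    `lockout_seconds`; each further lockout is `backoff` times longer, capped
    at `max_lockout_seconds`. `max_failures=None` disables lockout entirely,
    which is the port-8068 behaviour the post describes.
    """
    pin: str
    max_failures: Optional[int] = 5
    lockout_seconds: float = 60.0
    backoff: float = 2.0
    max_lockout_seconds: float = 3600.0
    _failures: dict = field(default_factory=dict, init=False, repr=False)      # source -> consecutive failures
    _locked_until: dict = field(default_factory=dict, init=False, repr=False)  # source -> unlock time
    _next_lockout: dict = field(default_factory=dict, init=False, repr=False)  # source -> next lockout length
    _lockouts: dict = field(default_factory=dict, init=False, repr=False)      # source -> lockouts so far

    def locked_until(self, source: str) -> float:
        return self._locked_until.get(source, 0.0)

    def lockout_count(self, source: str) -> int:
        return self._lockouts.get(source, 0)

    def verify(self, source: str, candidate: str, now: float) -> bool:
        if now < self.locked_until(source):
            return False                          # locked out: refuse without comparing
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(candidate.encode(), self.pin.encode()):
            self._failures[source] = 0
            return True
        if self.max_failures is None:
            return False                          # no rate limiting at all
        fails = self._failures.get(source, 0) + 1
        if fails < self.max_failures:
            self._failures[source] = fails
            return False
        # threshold reached: lock this source out and grow the next window
        length = self._next_lockout.get(source, self.lockout_seconds)
        self._locked_until[source] = now + length
        self._next_lockout[source] = min(length * self.backoff, self.max_lockout_seconds)
        self._lockouts[source] = self.lockout_count(source) + 1
        self._failures[source] = 0
        return False


def simulate_exhaustive_guess(guard: PinGuard, source: str = "203.0.113.7") -> dict:
    """Defender's worst case: one source tries 0000..9999 in order and the real
    PIN is the last one. Returns attempts made, lockouts hit, simulated seconds."""
    now, attempts = 0.0, 0
    for n in range(PIN_SPACE):
        now = max(now, guard.locked_until(source))   # the guesser must wait out a lockout
        attempts += 1
        ok = guard.verify(source, f"{n:04d}", now)
        now += SECONDS_PER_ATTEMPT
        if ok:
            break
    return {"attempts": attempts, "lockouts": guard.lockout_count(source), "seconds": now}


if __name__ == "__main__":
    for label, guard in [
        ("no lockout (as shipped)", PinGuard("9999", max_failures=None)),
        ("5 failures -> 60 s, fixed", PinGuard("9999", backoff=1.0)),
        ("5 failures -> 60 s, doubling, 1 h cap", PinGuard("9999")),
    ]:
        r = simulate_exhaustive_guess(guard)
        print(f"{label:40s} {r['attempts']:6d} attempts "
              f"{r['lockouts']:5d} lockouts {r['seconds'] / 3600:10.1f} h")
```

Running it shows the three policies side by side: about one hour with no lockout, about 34 hours with a fixed 60-second lockout after five failures, and roughly 83 days once each lockout doubles up to a one-hour cap. The lockout state is keyed by source, so a guesser cannot reset it by reconnecting, and the correct PIN is refused while the source is locked out.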

There are about a half-dozen more ways to bypass the security on the Heatmiser thermostat, but the most damning is the fact that there is no way to update the firmware without renting a programmer from Heatmiser and taking the device apart. Combine this fact with the huge number of security holes, and you have tens of thousands of installed devices that will remain unpatched. Absolutely astonishing, but a great example of how not to build an Internet-connected device.

47 thoughts on “Very Dumb Security For A WiFi Thermostat”

    1. depends on the kind of access they get. they could install a sniffer on your thermostat and send all your network traffic to a machine they controlled. or be evil and block services like facebook or twitter for the entire home.

      that, or just screw with the thermostat. i wonder what happens if you turn the heater on and off multiple times per second…

    2. Not much else beyond screwing with the temperature, but let’s say you go on vacation for a couple weeks and your disgruntled tech-savvy ex (or a random stranger, whatever) decides that your thermostat needs to be set to 97 for heat or 47 for a/c. Sure it wouldn’t bother you if you were home and noticed that your system was causing it to be warmer or cooler than normal. You could override the unit, and/or disconnect it from the internet if the problem recurred. But since you’re on vacation… well, that’s a pretty high utility bill you’re going to find yourself with upon your return. Beyond the cost, what about your pets? Or your plants? Or whatever else you have in your house that doesn’t do well in comparative temperature extremes. Based on how many folks live paycheck to paycheck, I’d wager that an unexpected utility bill in the thousands is going to be really problematic for a lot of budgets. Given the predilection of utility companies to cut off your electricity/gas for an unpaid bill on very short notice, you could end up with a bunch of unsuspecting people in a world of hurt in very short order.

      Sure, it’s not likely that those of us who are tech savvy would fall for such a crappy product, but we’re in the minority. These thermostats are in the homes of folks who might have trusted a contractor to install/configure it for them, elderly folks whose children gave it to them as a gift (ahh, the well-meaning but naïve gifting of technology to those who neither want nor need it…), etc… There are numerous scenarios that come to mind as to who might have these units and who would probably be ignorant as to how to deal with the issues that this awful example of non-security presents.

      Throw some mischief-minded folks with scripting abilities into the mix and a whole lot of people are suddenly subjected to nearly completely random attacks which could cost them significant sums of money or at the very least discomfort or frustration.

      There’s a lesson to be learned here in terms of the emerging “internet of things”. I doubt we’ll learn much from it, but we could if we cared.

    3. It can get pretty nasty if you are living in a region of the country that is very cold in the winter (sub-freezing temperature). Someone could turn off the heat while you are on Xmas holidays and let your indoor water pipes freeze -> burst. You’ll end up with a big flood and huge water damage.

    4. If they own your thermostat, they might be able to use it as a jumping-off point to attack other computers in your house. Or they could set up a spam relay, or use it to generate DDOS attacks, or provide hosting space for malware, illegal images, or sales of illegal materials, or …

      I doubt they give a darn about your temperature, as there is no profit in attacking it. It’s much more likely they’ll own it for something worse.

    5. Even if we ignore potential secondary vulnerabilities of using the thermostat as an attack vector against the rest of your network, there could be risks in allowing random strangers to control your thermostat.

      Let’s say an attacker is able to toggle the ‘fan’ setting which simply controls the HVAC’s blower motor. Many electric motors are rated for a limited number of starts per hour. Let’s assume for the moment that a furnace blower has such a limitation and that the HVAC’s firmware doesn’t include a failsafe limit. What happens if an attacker toggles the blower on and off all day? Can the motor’s starter windings overheat? A replacement blower motor might cost hundreds of dollars to replace.

      The underlying risk is that the Internet-of-Things exposes lots of devices to the internet that were never designed for such exposure.

    1. Read up on form sanity checking, XSS, SQL Injection – don’t rely on the client side (browser) doing form sanity checks alone, mirror all form sanity checks in firmware, NEVER rely on JavaScript handling user/password authentication (EVER!), never store an auth token (i.e. something required for authentication) in a hidden HTML form field, never display any data passed from the URL directly on the page without pre-processing it (i.e. GET data), strip all HTML tags and escape sequences from any data that is expected to be returned by a form

      There’s much more. You’ll have to think of all your users as being malicious, that they’re all trying to break your software
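Two of the rules in the comment above, mirroring the browser's checks on the server and never echoing URL data into the page unprocessed, are illustrated by the following Python. It is an added example, not code from the post, from Heatmiser, or from the commenter: a minimal handler for a constructed `room`/`setpoint` query string that validates the setpoint server-side with a strict pattern and range (so whatever client-side JavaScript did or did not check is irrelevant), and HTML-escapes the room name before rendering it rather than stripping tags, which is the safer of the two approaches the comment names. The parameter names, the 5 to 35 degree range and the sample requests are all made up for the example.

```python
"""Added example: server-side validation and output escaping for untrusted
request data. Not code from the post, Heatmiser or any commenter; the
parameter names, setpoint limits and sample requests are constructed."""
import html
import re
from typing import Optional, Tuple

SETPOINT_RE = re.compile(r"\d{1,2}(\.\d)?")    # "21" or "21.5"; nothing else
SETPOINT_MIN, SETPOINT_MAX = 5.0, 35.0         # constructed limits in degrees C
ROOM_NAME_MAX = 32


def parse_setpoint(raw: str) -> Optional[float]:
    """Validate a setpoint on the server regardless of what the browser checked.
    fullmatch (not match) is used so a trailing newline or junk cannot slip past.
    Returns None for anything of the wrong shape or outside the allowed range."""
    if not SETPOINT_RE.fullmatch(raw):
        return None
    value = float(raw)
    if not SETPOINT_MIN <= value <= SETPOINT_MAX:
        return None
    return value


def render_status(room_name: str, setpoint: float) -> str:
    """Echo request data into HTML only after escaping it. html.escape turns
    <, >, &, " and ' into entities, so a crafted room name renders as inert text."""
    return (f"<p>Room: {html.escape(room_name)}</p>"
            f"<p>Target: {setpoint:.1f}\u00b0C</p>")


def handle_request(query: dict) -> Tuple[int, str]:
    """Minimal GET handler: every value in `query` is untrusted input.
    Returns an (HTTP status, body) pair."""
    room = query.get("room", "")
    if not 0 < len(room) <= ROOM_NAME_MAX:
        return 400, "<p>bad room name</p>"
    setpoint = parse_setpoint(query.get("setpoint", ""))
    if setpoint is None:
        return 400, "<p>bad setpoint</p>"
    return 200, render_status(room, setpoint)


if __name__ == "__main__":
    # constructed sample requests: one honest, one with markup in the name,
    # one with a value that client-side code would normally have rejected
    samples = [
        {"room": "Hall", "setpoint": "21.5"},
        {"room": "<script>alert(1)</script>", "setpoint": "20"},
        {"room": "Hall", "setpoint": "1e9"},
    ]
    for q in samples:
        status, body = handle_request(q)
        print(status, body)
```

The validation deliberately parses into a typed value and hands only that value onward, so downstream code never sees the raw string; the escaping happens at the point of output, which is where it is needed.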

  1. As a hacker, do you really trust every embedded device on your network? This article just focuses on the sensationalist rather than the reality, which is that these vulnerabilities can be easily dealt with by implementing a VPN, or simply not allowing port-forwarding for this device. Which is common sense.

    1. You’re talking from the point of view of someone who knows how to handle these things. Problem is, the device is marketed at *everyone*, and the instructions don’t tell you to change the username/pass/pin but they do walk you through forwarding the ports and treat it as something that of course you should be doing.

      1. +1, this whole IOT fad is making me nauseous – a lot of the devices I’ve seen are just like the one Brian mentioned.

        You have someone with an entry level knowledge of electronics and software at best who probably buys an arduino (no disrespect to Arduinoers, it’s an easy target due to popularity), copies/pastes/modifies programming examples and makes something that works, an investor sees it, all of a sudden it’s being sold without thinking about any security implications and very little revision.

        Reminds me of the plight of web developers: “Why so expensive, my nephew can make a website up in Frontpage! It’s not that hard”

    2. The reality is that I have found over 5000 of these thermostats that are contactable and exploitable. They aren’t sold to just hardware hackers and IT professionals – average consumers buy them, and install them following the instructions to port forward.

  2. Just what is the supposed justification behind remote access to your HVAC?
    The pets and plants thing?? Oh please. For decades now, we’ve had simple T’stats that can easily be set for a low temp call for heat and high temp calls for cooling.
    Some sort of extraordinary event? BZZZT, sorry Charlie.
    Your system can only pull or push “x” many BTU into or out of the building, so the only way a remote control would matter is if you were to leave the premises and afterwards decide that you wouldn’t be returning for a sufficient length of time that outweighed the energy cost of recovering the building temp from an “unoccupied” setting.
    If you have any furniture, the cushions are pretty good air traps and the moisture in said air is sort of slow to shift back into equilibrium with the rest of the house. Got a water bed still? Granite counter tops? Quite a number of things in a typical dwelling or office have lagging release of their thermal masses.
    In my own observation, that’s pretty much what kills any illusion of energy savings from cycling the temps during a day or anything less than about a week’s length period.
    Back to the circuitry concerns: Is there any hard coded control for letting compressors bleed head pressure between restarts? Let someone keep cycling the comp till it trips the thermal disc ad infinitum and you could put a pretty good bump in the utility bill and shorten the life of the pump.
    Now if by some really odd fluke we were to have enough of these gadgets in an area and a common access code, you could maybe even go for a mini brown out. Even as low a number as just a dozen or so homes on a street with simultaneously restarting refrigerators and AC’s would get a pretty good line sag briefly.
    I’m not up on these devices (and will try to never have any), but is there a common chunk of code, perhaps a limited variety of chips for the boards, etc.? I.e., with a presumed sufficient number of net’stats and refrigerators or whatever in an area, is there ever a chance some jackwad could find said exploit to hit a large number of things and go for a cluster of restarts and try overloading a neighborhood powerline and triggering shutdown of the ‘hood?
    I’m sorry folks, but other than making a “Mission Impossible” style scenario not fail the implausible tech in TV shows that was mentioned elsewhere, or providing ongoing fodder for the tin hat/Govt conspiracy crowd, I just can’t see the point to it.
    Remote monitoring and alarm notifications? Yes, but remember, you can’t pull any more heating or cooling capability out of the system than it already has by pawing at a cellphone.

    1. In many parts of the world it makes much more sense to shut off the HVAC when you aren’t at home. Maintaining some kind of “occupied state temperature” while you are away is futile and a waste of resources (except to avoid frozen pipes and boiling pets). Remote access just allows us to start the process before we get there, but there are also automation benefits. If it is a vacation rental property, then there would be door sensors that would shut off the HVAC if someone left the door wide open for x number of minutes. Also connectivity allows the owner to kill all power to devices once the renters had left.

    2. My power bill went down substantially when I programmed my thermostat to basically shut off heating/cooling during the work day. It takes the system about ten minutes to bring the temps down or up, after which it cycles at a steady state, versus a few dozen cycles if I left it on. To be fair, it’s also a brand-new, ultra-insulated building which might exaggerate some effects. My bill in July for cooling was 3-4x what it was in February for heating, in Boston, which is kind of bizarre.

      1. Yeah, heating bills clearly show the benefit. I have no idea why that guy was acting like the savings are some kind of unknowable, fuzzy mystery such that they could possibly be illusory.

  3. The heart of the problem is that the device was designed and then security was pinned on at the end. Good security requires that security is thought about at every step of the design process. Bad security is easy, good takes a lot of knowledge and hard work.

      1. For software, qmail. For operating systems, seL4. For commercial, Microsoft’s recent track record. For crypto, PGP and OpenSSL. For hardware, Apple’s devices.

        Perfect? Naw. However, the failures you see in things like OpenSSL or PGP’s end user adoption are mere distractions from their triumphs. There are entire classes of security problems that have been *solved*, and battle-tested until we found new problems to focus on.

        Arduino-level security is great for a single prototype, but these guys didn’t even try.

  4. “We have finally figured out what the Internet of Things actually is. It turns out, it’s just connecting a relay to the Internet.”

    Whether it’s meant sarcastically or not, it’s totally true. Told you so.

    1. Both sarcastic and truthful. I’ve been keeping track of IoT submissions and press releases that hit my email and the tip line. I have a few thousand examples. It’s just an internet connected relay.

      Oh, if anyone is interested in me posting tens of thousands of dollars worth of IoT market research….

  5. I bet the Chinese laughed out loud, and added the default login to their huge cyberwar script.
    Should they ever start it, then the whole US will be out of power, money, heating, water, food, gas and Coca Cola within minutes.

    I will then fire up my wood stove, chew on an NRG-5 bar, listen to solar powered shortwave radio and laugh all day.

    1. The US govt has explicitly stated that such a cyberattack against infrastructure would be treated as an act of war (because it clearly is) and would respond with the full force of our trillion-dollar hug squad. If China lost its damn mind and started a no-shit shooting war with their biggest customer you’re not going to have much to laugh about, at least not for long.

      Unless you find MIRVs funny, in which case you’d be a very lucky man, and probably die with a smile.

  6. Can anyone recommend a wifi connected thermostat that is secure? I was looking at this as an option, I don’t want a cloud connected device, for security!
    I would build my own, but I’m not allowed to install it due to local regs!

    1. place a tiny computer controlled heater just under your existing thermostat (a power resistor will probably do) and you can fool the thermostat into maintaining any temp you want without modifying it.

  7. This is why God made routers and VPN’s. So every IOT device on your LAN needn’t replicate full encryption and VPN quality security. If every IOT device had to have full security, they would be costly and unmanageable. “Honey, do you remember the password for the coffee pot? Stupid computers, can’t even get a cup of coffee!!”
    Set up a VPN or one of the many free and reasonably secure remote access applications (TeamViewer, LogMeIn, Go To My PC, etc.), then YOU can control all your devices, but no one else can get through to them.

    1. that’s old testament stuff, fire and brimstone

      the new testament is IPv6, no VPN necessary, just a proper firewall

      “If every IOT device had to have full security, they would be costly and unmanageable.”

      hahaha

      “full” security would be “self managing”

      “costly” yeah it costs so much money to make copies of software

  8. “is probably the worst of the current round of smart home devices, allowing anyone with even a tiny amount of skill to control one of these thermostats over the Internet”

    picture the following:

    you go on vacation for a month at the height of winter and you set the heat to minimum so the pipes don’t burst and the pets are safe

    you have a neighbor or someone who has a grudge against you.

    as soon as you are gone the neighbor does 1 of the following.

    1. they turn off the heat and the pipes burst and pets freeze to the cold.

    2. the average cost of electric is 8 cents per 1000 watts or you are on one of those variable rates and the gas backup for heat pumps below 40 is quite high and your heat pump is an older model that burns 10k of electric.

    so the grudge filled neighbor connects to the controls and sets the heat to the max and racks up a high electric and gas bill to either financially ruin you or even worse make the police suspect you of running a grow house for marijuana.

    marijuana grow houses can rack up thousands on electric bill with their grow lights and the police use the fast spinning meter and high electric bills as a just cause to get a search warrant.

    or what if the furnace is oil fired a full tank will last about 10 days at 1 gallon per hour 24/7 and can cost over 1000 dollars

    1. if your neighbor has a grudge against you then a better firewall is not going to save you from their wrath. They can just as easily smash a basement window and crank up your old fashioned thermostat to max, and without monitoring you would not be able to tell until you got back.

      but gee if you had internet connectivity for your house you could see them break in on the security webcam and you could see the increased temperature

      and gosh if your neighbor really wanted to mess with you they’d just burn down your house while you are at work

      maybe the best thing is to be friendly with your neighbors

  9. Interestingly enough the FTC slapped TRENDnet earlier this year for the insecure IP cameras. Though a different “area” of privacy, a lot of context still applies, explicitly with sending credentials via clear text.
    They seem to be a UK company though, not sure how the law applies there – I’m no legal expert. One thing is guaranteed, we’re going to see a lot more open devices before we see a lot less, potentially with more serious impact.
