Researchers have warned that your Bosch smart thermostat can be hacked and used by threat actors for a wide variety of malicious activities.
Cybersecurity experts at Bitdefender have published a new report detailing the discovery of a vulnerability in the Bosch BCC100 thermostat, affecting versions SW 1.7.0 – HD 4.13.22. In the report, they explain that the device contains two microcontrollers: one provides the Wi-Fi functionality and the other provides the main thermostat function. The Wi-Fi microcontroller listens on TCP port 8899 on the LAN and forwards any message received on that port, unchanged, to the main microcontroller over the UART data bus.
“This means that, if formatted correctly, the microcontroller cannot distinguish malicious messages from genuine ones sent by the cloud server,” the researchers explained. “This allows an attacker to send commands to the thermostat, including writing a malicious update to the device.”
Defending a smart home
Once the device's firmware has been overwritten with a malicious image, the thermostat can be put to a range of uses, from listening to communication passing through the device to stealing login credentials, pivoting to other devices on the network, and more.
Smart home devices, while offering a lot of convenience, are also a major risk factor, experts say. To protect the home from prying eyes, homeowners should, above all, “closely monitor IoT devices and isolate them as completely as possible from the local network,” they said.
“This can be done by setting up a dedicated network exclusively for IoT devices.”
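A practical way to confirm that such segmentation actually works is to check, from a laptop on the trusted home network, that the thermostat's TCP port 8899 can no longer be reached. The script below is an added example, not code from Bitdefender or Bosch; the thermostat address is a placeholder, and only the port number comes from the report.

```python
"""Verify that a LAN-only IoT service (here the BCC100's TCP/8899 listener)
is NOT reachable from the trusted network after the IoT segment is set up.

Added example, not Bitdefender's or Bosch's code. The host address below is
a placeholder; port 8899 is the listener named in the report."""
import socket
from dataclasses import dataclass

THERMOSTAT_PORT = 8899   # port the Wi-Fi microcontroller listens on (from the report)
CONNECT_TIMEOUT = 1.0    # seconds; hosts on a home LAN answer well within this


@dataclass
class PortCheck:
    host: str
    port: int
    reachable: bool


def port_reachable(host: str, port: int, timeout: float = CONNECT_TIMEOUT) -> bool:
    """Return True if a TCP handshake to host:port completes from this machine."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        # connect_ex returns 0 on success; refused/filtered ports return an errno
        return s.connect_ex((host, port)) == 0


def check_isolation(hosts, port: int = THERMOSTAT_PORT):
    """Probe each host once; a well-isolated IoT segment yields reachable=False for all."""
    return [PortCheck(h, port, port_reachable(h, port)) for h in hosts]


def isolation_ok(results) -> bool:
    """True only if none of the probed hosts exposed the port to this network."""
    return not any(r.reachable for r in results)


if __name__ == "__main__":
    # Placeholder address: replace with the thermostat's LAN IP and run from a
    # device on the *trusted* network. Every line should read reachable=False;
    # a True means the IoT segment is still reachable and the firewall needs work.
    results = check_isolation(["192.0.2.10"])
    for r in results:
        print(f"{r.host}:{r.port} reachable={r.reachable}")
    print("isolation OK" if isolation_ok(results) else "isolation FAILED")
```

Run it from the IoT segment itself to confirm the opposite (the port is reachable there), which distinguishes a working firewall from a thermostat that is simply powered off.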
Additionally, homeowners can use cybersecurity solutions designed for the smart home to discover connected devices and to identify and highlight potentially vulnerable ones. “IoT device owners should also look for newer firmware and update devices as soon as the vendor releases new versions,” Bitdefender concludes.
Lastly, it can also be helpful to have a network cybersecurity solution built directly into the router.