Vulnerability affecting smart thermostats patched by Bosch

German technology manufacturer Bosch fixed a vulnerability affecting a popular line of smart thermostats in October, the company disclosed this week.

Researchers from Bitdefender discovered an issue with Bosch BCC100 thermostats last August which lets an attacker on the same network replace the device firmware with a rogue version.

Bogdan Botezatu, director of threat research and reporting at Bitdefender, told Recorded Future News that an attacker could use the vulnerability — tracked as CVE-2023-49722 — to render the device inoperable.

“By replacing its firmware, the attacker could prevent the thermostat from booting up – making it useless. While the thermostat is still on the wall, it would be impossible for the user to modify temperature and working modes,” Botezatu said.

“Additionally, a hacker could also plant a backdoor along with the original operating system of the thermostat to be able to connect to the network from the outside. The worst-case scenario allows an attacker to replace the original firmware with a Linux distribution of their choice and use this newly acquired foothold into the network to sniff traffic, pivot on other devices, and so on.”

A spokesperson for Bosch confirmed that Bitdefender notified them of the issue on August 29. They said the issue only affects Bosch Home Comfort thermostats sold in the U.S. and Canada. The thermostats are available on Amazon for about $125.

The company spent the next few weeks developing a solution and made sure that the issue was limited to that specific device. The bug carries a CVSS severity score of 8.3.

“On October 12, a software update was pushed to all affected customers,” the spokesperson said, sharing a link to an advisory released this week by the Bosch Product Security Incident Response Team.

In a report released on Thursday by Bitdefender, researchers said they began to audit popular internet of things (IoT) hardware, and smart thermostats in particular, because more consumers are turning to them for energy efficiency and environmental sustainability.

Devices like smart thermostats also have a major impact on energy conservation and cost savings at a time when energy prices are higher than normal.

The researchers found that the thermostat has a WiFi chip that communicates with the internet. It could not distinguish between malicious messages and genuine ones, allowing a hacker to “send commands to the thermostat, including writing a malicious update to the device.”

When asked what kind of attacker would target a vulnerability like this, Botezatu explained that the issue is “low-hanging fruit.”

“Easy enough to exploit, great enough in terms of impact. Opportunistic hackers would take it just to demonstrate their skills,” he said. “More focused hackers would probably use it to gain persistence on the network and use the thermostat as a pivot point to more interesting targets on the network (NAS [network attached storage], cameras).”

Bitdefender warned that in general, people should closely monitor IoT devices and “isolate them as completely as possible from the local network.”