Flaws in Trane thermostats underscore IoT security risks, Cisco says

Cisco warned that some vendors with Internet-connected devices are failing to take basic security steps

Cisco warned on Monday of serious flaws it found in an Internet-connected thermostat control, which it said are typical among products of vendors who aren't well-versed in network security.

The flaws were found in the ComfortLink II thermostats made by Trane. The thermostats allow users to control room temperature from a mobile device, display the weather and even act as a digital photo frame.

Cisco's Talos unit said the issues have now finally been patched since notifying Trane nearly two years ago, which is why it went public.

"The unfortunate truth is that securing internet-enabled devices is not always a high priority among vendors and manufacturers," wrote Alex Chiu, a Cisco threat researcher, in a blog post Monday.

"While IoT devices such as smart thermostats, home lighting, and security systems bring an added level of convenience into our lives, these vulnerabilities highlight the dangers of insecure development practices," he wrote.

Cisco found three vulnerabilities which could be used to gain remote control of the thermostat, run rogue code and gain access to the local network.

Trane was notified in April 2014. It patched two of the vulnerabilities in April 2015 and the final one on Jan. 27, Chiu said.

"We are unable to determine if Trane has associated these vulnerabilities with security advisories or if they have effectively communicated the necessity of installing these updates to their customers," he wrote. "As a result, Talos recommends that users who own these thermostats to update immediately."

The updated version of the ComfortLink II firmware is 4.0.3, which is available on Trane's website.

The problems Cisco found violate some of the most basic security tenets. The ComfortLink II's firmware contained two sets of user credentials with hardcoded passwords. An attacker could log into the device over SSH and then would have access to a fully functioning BusyBox environment, which is a toolkit for embedded Linux OSes.

The other two vulnerabilities related to a buffer overflow, which could be exploited.

Trane officials couldn't immediately be reached for comment.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Ada Chan

Dynabook Portégé X30L-G

I highly recommend the Dynabook Portégé® X30L-G notebook for everyday business use, it is a benchmark setting notebook of its generation in the lightweight category.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?