IoT Thermostat Bug Allows Hackers to Turn Up the Heat

Published in NewSky Security, Jul 20, 2017

Introduction

With the ever-increasing impact of smart and connected devices on our daily lives, cybersecurity has a variety of challenges to deal with. Traditional computer security deals with a myriad of issues like data theft or sabotage. However, when it comes to IoT security, the consequences of a successful attack can be even more diverse. In this post, we discuss an IoT smart thermostat bug and how a hacker leveraged it to raise the control temperature by 12 °C (~22 °F).

Commodity IoT malware vs Targeted IoT attack

The most common purpose of IoT malware has been to form a botnet of zombie devices (such as routers or cameras) to launch denial of service attacks. Authors program such malware to look for default passwords and exploits for smart devices (which are abundant) so that their botnet army is huge. Smart thermostats, on the other hand, are not as big a pool of devices, so they are not very useful zombies for carrying out a denial of service attack. If such devices can be controlled, however, one can perform actions like changing and controlling temperature, which have the potential to cause physical discomfort (or even harm in extreme cases) in the target environment.

Understanding the Heatmiser Thermostat Bug

The following are simple steps that illustrate how it is possible to leverage an unpatched Heatmiser IoT Smart thermostat and eventually take control of the temperature of the environment where it is installed.

Step 1: A quick look up on Shodan for “Heatmiser” can give attackers a list of IP addresses associated with Smart Heatmiser thermostats, which are publicly exposed:

Image 1. Shodan service used to locate Heatmiser thermostat systems

Step 2: An attacker could try to access any of these IPs. If these are indeed live and working, they will respond with a login page as shown below.

Image 2. Login screen for Heatmiser access

Step 3: The attacker could send a GET request to a crafted URL (or simply visit it in a browser). The vulnerability is simple: the attacker just needs to visit a web page named “networkSetup.htm”:

Image 3. URL to “networkSetup.htm”

Step 4: Now the attacker needs to view the source of the page, where the credentials are stored in plaintext. Because the attack exploits a vulnerability rather than guessing the password, keeping strong passwords will not halt it. Once the attacker gets these credentials, he can go back to the login page, log in and control the thermostat. For privacy purposes, we are blurring the credentials and the IP.

Image 4. Source of network credentials indicating login and password

For the PoC in detail, please refer to this article.
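The steps above leave a recognisable trace: an untrusted source fetches “networkSetup.htm” and shortly afterwards submits a form. The following detection sketch is an added example, not code from the original article or from the vendor. It assumes requests to the thermostat are logged in Common Log Format by a proxy or network sensor; the log lines, the trusted subnet, the time window and the `/example-login` path are constructed placeholders.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the article). Paths other than
# /networkSetup.htm are placeholders.
SAMPLE_LOG = """\
192.168.1.20 - - [20/Jul/2017:09:00:01 +0000] "GET /networkSetup.htm HTTP/1.1" 200 4121
198.51.100.7 - - [20/Jul/2017:09:14:40 +0000] "GET / HTTP/1.1" 200 1502
198.51.100.7 - - [20/Jul/2017:09:14:52 +0000] "GET /networkSetup.htm HTTP/1.1" 200 4121
198.51.100.7 - - [20/Jul/2017:09:15:30 +0000] "POST /example-login HTTP/1.1" 302 0
203.0.113.9 - - [20/Jul/2017:10:02:11 +0000] "GET /networkSetup.htm HTTP/1.1" 401 0
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TRUSTED = [ip_network("192.168.1.0/24")]  # assumption: the admin LAN
WINDOW = timedelta(minutes=10)            # assumption: follow-up window

def parse(log):
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, path.split("?")[0].lower(), int(status)

def detect(log):
    """Return {ip: verdict} for untrusted sources touching networkSetup.htm."""
    events = sorted(parse(log), key=lambda e: e[1])
    findings, disclosed_at = {}, {}
    for ip, when, method, path, status in events:
        if any(ip_address(ip) in net for net in TRUSTED):
            continue
        if path.endswith("/networksetup.htm"):
            if status == 200:  # page served, so its source was disclosed
                disclosed_at[ip] = when
                findings[ip] = "credentials-disclosed"
            else:
                findings.setdefault(ip, "probe-blocked")
        elif method == "POST" and ip in disclosed_at and when - disclosed_at[ip] <= WINDOW:
            findings[ip] = "disclosed-then-post"
    return findings

if __name__ == "__main__":
    for ip, verdict in detect(SAMPLE_LOG).items():
        print(ip, verdict)
```

A `credentials-disclosed` or `disclosed-then-post` verdict means the stored password should be treated as compromised and changed after the device is patched.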

Attacker leveraged bug to increase temperature

What concerned us most about this attack is that it’s not just limited to a Proof of Concept phase. In at least one hacking forum, we observed a case where a hacker implemented such an attack to take control of one thermostat and increase its temperature from 23C (73.4 F) to 35C (95 F). The attacker is proud of this work and flaunted it in the forum.

Image 5. Braggadocious “Johnny5698”

As we can see above, the attacker claims that he found this thermostat device using Shodan, proving the assumption that Shodan is a double-edged sword when it comes to IoT intelligence. The intelligence can be used by someone with good intentions to make the IoT safer. However, hackers like these leverage it as well to find devices exposed to the internet.

To prove his point, “Johnny” also provided two screenshots, one before and one after the attack. We can see that before the attack, the temperature is set to 23C. In the second image, post-attack, the temperature is set to 35C.

Image 6. Before raising the temp
Image 7. After temp is changed

Conclusion

Just a few days ago, U.S. White House Cybersecurity Coordinator Rob Joyce raised a concern about IoT cybersecurity when one of his air conditioners behaved differently from his expectations. As stated by Federal Computer Week, this case was not a hack, but it created enough concern about the possibility of hackers controlling the temperature of the surroundings. Now we see an old bug in a thermostat being leveraged by an attacker to actually change the temperature and turn that assumption into reality. Although attacks which can cause discomfort to the victim are in an initial phase, this is an issue to watch, as the implications can go much beyond data exfiltration or extrusion. Any internet-connected smart device should be patched, and should be accessible via a public IP only when there is a reason for it. In some cases, a firewall can help prevent unwanted connections. Some smart devices support blocking HTTP connections and restricting access to a single IP address.

Ankit Anubhav

Principal Researcher, NewSky Security

Note: This bug has already been patched and the vendor aggressively provided remediation to its users. However, with the increase in smart thermostats and devices, one should be prepared that similar issues might happen again.
