Administration page can be accessed without logging in

Sep 24, 2014 13:50 GMT  ·  By

Digital thermostats from Heatmiser that offer control over WiFi have been found to be riddled with security flaws that could be leveraged by a potential attacker to gain access to the WiFi connection.

A reverse engineer, Andrew Tierney, discovered the wealth of issues while reading about vulnerabilities in another, older product of the company, Netmonitor. He then decided to check other products and found the line of WiFi thermostats, which connect directly to the router and are made reachable from afar by forwarding two ports: 8086 for control through a mobile app and 80 for control through the web browser.

WiFi SSID and password available in plain text

In one of the cases, the researcher noticed that after logging into a device, he could also learn the login username and password, as well as the WiFi Service Set Identifier (SSID) and the WiFi password.

This could be done by simply looking into the source code of the web page, as all the information was available in the clear.

“When logged into one of the devices, the username, password, WiFi SSID and WiFi password are all filled into the form and can be viewed easily by examining the source of the webpage. There is really no excuse for this – it’s lazy,” he says in a blog post.
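The disclosure problem described above is easy to spot in a saved copy of a device's settings page: stored secrets are echoed back as prefilled form values. The following audit script is an added example, not code from the researcher or the vendor; it parses an HTML page offline and flags any input that is a password field, or whose name hints at a credential, and that already carries a value. The sample page is constructed for the example and does not reproduce the thermostat's actual markup.

```python
from html.parser import HTMLParser

# Name fragments treated as hints of a credential (assumption for this example).
SENSITIVE_NAME_HINTS = ("pass", "pwd", "secret", "key", "ssid", "user")


class PrefilledSecretFinder(HTMLParser):
    """Collect <input> elements that ship a stored secret in their value attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        name = (attr.get("name") or attr.get("id") or "").lower()
        value = attr.get("value", "")
        masked = attr.get("type", "").lower() == "password"
        hinted = any(hint in name for hint in SENSITIVE_NAME_HINTS)
        # A masked field hides the value on screen, but "view source" still shows it.
        if value and (masked or hinted):
            self.findings.append({"name": name, "masked": masked, "chars": len(value)})


def find_prefilled_secrets(html):
    """Return one record per input that leaks a stored value through the page source."""
    parser = PrefilledSecretFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a settings form that echoes the device's stored credentials.
SAMPLE_PAGE = """
<form action="/config.htm" method="post">
  <input type="text" name="username" value="admin">
  <input type="password" name="password" value="s3cret">
  <input type="text" name="ssid" value="HomeNet">
  <input type="password" name="wifikey" value="wifipass123">
  <input type="text" name="roomname" value="Hall">
  <input type="submit" value="Save">
</form>
"""

if __name__ == "__main__":
    for f in find_prefilled_secrets(SAMPLE_PAGE):
        print(f"{f['name']}: {f['chars']} characters exposed (masked={f['masked']})")
```

A page that passes this check still needs the server to stop echoing secrets at all; the fix is to leave credential fields empty on load, not to mask them.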

No need for credentials to alter settings

The researcher went through all the configuration steps of the device and found that access to the thermostat’s functions can be gained without inputting credentials in the device’s control web page.

The web page is built from multiple HTM files, and one of them (left.htm) provides access to the temperature controls regardless of the login state. Basically, all someone needs to do is type in the IP address and the faulty page (http://87.56.123.121/left.htm) and they can make changes to the temperature.

Finding the IP address is not too difficult since port 8086 seems to be common to Heatmiser’s WiFi thermostats. The researcher says that by scanning for this port “we can be fairly confident that anything with this port open is one of their devices.” Port 80 can then be checked to extract more information.

More issues are present in these devices, as there is the possibility of cross-site request forgery (CSRF) attacks: a crafted link can carry a request to the device, and the command it contains is executed when a logged-in user opens it. Commands can range from altering the configuration to modifying the password.

Tierney stopped testing the product after uncovering no fewer than nine security glitches that could be easily abused, and reported them to the manufacturer, which said it would notify customers to close port 80 on the WiFi Thermostat until a solution is provided. A tweet from the company confirmed that some glitches were found in its product.