Trane was not quick to fix two other remote code execution bugs either, leaving users exposed to attacks

Feb 8, 2016 22:33 GMT

It took 22 months for Trane to patch three security bugs in its ComfortLink II XL950 smart Wi-Fi thermostat product, as Cisco's Talos security team reports.

In another case of "I'm a smart device manufacturer, but I don't give a damn about security," Trane managed to fumble three security bugs discovered by Cisco's researchers for about two years, before finally delivering the much-awaited patch that plugged its firmware's security holes.

The product in question, the ComfortLink II XL950, is a modern IoT device along the lines of Google's Nest product, which offers a simple way to manage your apartment’s or building's internal temperature.

ComfortLink lets users access a control panel via the Web or their phones, or from a touchscreen mounted in their home. Users can control the house's temperature, switch between heating and cooling modes, and even consult weather reports.

Trane moves slowly but eventually fixes all issues

As you can imagine, the device can be quite useful. Unfortunately, this is all trumped by the fact that, starting with ComfortLink version 2.0.2, this Internet-connected thermostat also contained two sets of hard-coded user credentials that were activated each time the device booted (CVE-2015-2867).

Additionally, two other issues (both tracked as CVE-2015-2868) allowed attackers to execute malicious code on the device by sending oversized network packets that caused a buffer overflow.

While security researchers consider all three vulnerabilities of the utmost importance due to the consequences of their successful exploitation, it took Trane a full year to fix the two remote code execution flaws, and another ten months to delete the hard-coded credentials from its device's boot sequence.

Cisco contacted Trane about the issues in April 2014; the company fixed the RCE flaws in April 2015 and only recently, at the end of January, released a firmware update (version 4.0.3) to fix the last issue.

With this kind of drive and attention to security issues, no wonder every security researcher around is mocking IoT devices and their manufacturers.
