Trane thermostat is a hot spot for viruses on home networks

That shiny Internet of Things thermostat might look oh-so cool on the wall, but new research from Cisco shows it could be harboring a whole host of ugly malware. Back in April 2014, the Cisco Talos security team alerted Trane that its Wi-Fi-connected ComfortLink II thermostat had some serious security flaws. The most egregious …

Joke

When is the IoT industry going to get smart on security?

you forgot the joke icon

FTFY

FAIL

Re: When is the IoT industry going to get smart on security?

When it impacts on profits, or somebody at board level receives a custodial sentence.

In other words - when Satan is seen buying Winter clothing.


Re: When is the IoT industry going to get smart on security?

One reason that the IT industry is so tardy at fixing potential problems is that until they turn into live issues - with actual exploits that affect real users, there are always more pressing (if not more important) things to focus the available talent on.

So if people want to promote IT security they need to not just wave their arms about potential security holes, but to tell people how many actual incidents of exploits are affecting[1] real customers, NOW.

It's also worth noting that customers / users are just as bad. They don't install available fixes until after the "horse has bolted". So unless fixes are forcibly pushed down - an extremely risky strategy: just ask Apple or Microsoft - it's left up to an equally resistant user population to act on patches and fixes.

[1] and "affecting" means: dickin' with their IoT stuff. Not just ssh-ing in and having a poke around, but turning the thermostat up to boiling point or having other material effects on the users' lives. Without that sort of information, it's still just a theoretical threat that they won't take seriously.


And IoT devices that DO have an updating mechanism are...

.. prone to being patched surreptitiously, and become vulnerable to compromise.


When is the IoT industry going to get smart on security?

Not until the technology is built out and very entrenched in our homes and businesses. Once IoT malware starts costing somebody who matters some money then, and not before, will the serious handwringing ensue. At that point patch after patch will be released to keep devices secure but to little avail, as an unknowable multitude of vulnerabilities will have already been baked in, since developers and manufacturers were racing to get their IoT devices out quickly and cheaply.

Isn't this how tech is supposed to work?


Re: When is the IoT industry going to get smart on security?

Exactly.


Re: When is the IoT industry going to get smart on security?

"When is the IoT industry going to get smart on security?"

Probably when someone dies or has their life directly threatened by IoT tech.

Put it this way. The Internet of Things is a lot like the shoe-fitting x-ray machine, radium clock and watch faces, or thalidomide.


"almost no one is updating their operating systems"

Are you kidding? Have you not kept up with what Microsoft is doing? Trying to navigate the labyrinth of upgrades WITHOUT going to 10 is a complete reason NOT to upgrade...


true

Just spent the last 3 days patching.... about 400 machines in now. Me and a bunch of guys on Experts Exchange wrote a script that you might find handy; it sure does speed things up.

Link to the thread is here:

http://www.experts-exchange.com/questions/28923876/prevent-win-10-recomended-upgrade-tuesday-9th-feb.html#a41454272

@echo off
REM Re-launch in a maximised console window and exit the original instance
if not "%1" == "max" start /MAX cmd /c "%~f0" max & exit /b

REM Permission check: "net session" only succeeds when running elevated
net session >nul 2>&1
if %errorLevel% == 0 (
    REM Disable the "Get Windows 10" nag app and block the OS upgrade offer
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx" /v DisableGWX /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableOSUpgrade /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /v AllowOSUpgrade /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /v ReservationsAllowed /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v IncludeRecommendedUpdates /t REG_DWORD /d 0 /f
    echo.
    echo Should have 5 successful statements above
    echo.
    echo.
    REM Kill the GWX nag process if it is running; it is fine if it is not
    TASKKILL /IM GWX.exe /T /F
    echo.
    echo Don't worry if you get "ERROR: GWX.exe failed", it doesn't matter
    echo.
    echo.
    echo Please wait until you see the FINISHED statement, this may take 10 seconds or 20 minutes
    echo.
    echo.
    REM Remove the three GWX-related updates. Each KB is removed twice on purpose:
    REM the first wusa pass does not always take, as the poster explains in the replies
    echo Step 1 of 6 - PLEASE WAIT
    @echo on
    start /wait wusa /uninstall /kb:3035583 /quiet /norestart /log
    @echo off
    echo Step 2 of 6 - PLEASE WAIT, don't touch anything
    @echo on
    start /wait wusa /uninstall /kb:3035583 /quiet /norestart /log
    @echo off
    echo Step 3 of 6 - PLEASE WAIT, don't touch anything
    @echo on
    start /wait wusa /uninstall /kb:2952664 /quiet /norestart /log
    @echo off
    echo Step 4 of 6 - PLEASE WAIT, don't touch anything
    @echo on
    start /wait wusa /uninstall /kb:2952664 /quiet /norestart /log
    @echo off
    echo Step 5 of 6 - PLEASE WAIT, don't touch anything
    @echo on
    start /wait wusa /uninstall /kb:2976978 /quiet /norestart /log
    @echo off
    echo Step 6 of 6 - PLEASE WAIT, don't touch anything
    @echo on
    start /wait wusa /uninstall /kb:2976978 /quiet /norestart /log
    @echo off
    echo.
    echo.
    echo FINISHED!
    echo NOW press any key to reboot your computer
    echo.
    pause
    shutdown.exe /r /t 005
) else (
    echo.
    echo.
    echo Failure: THIS HAS NOT WORKED.
    echo PLEASE RUN THIS AGAIN AS AN ADMINISTRATOR. Press any key to exit
    pause
    exit
)
pause >nul


Re: true @psychonaut

Er... is there a reason you're removing kb2952664 twice, or is that a typo and a different update is supposed to get removed?

Anonymous Coward

Re: true

Group policy and/or WSUS not useful in your case?


Re: true

Can't do group policy / WSUS; these are all Home Premium or Pro and none of them are on a domain.

KBs are removed twice because apparently it doesn't always work the first time....

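For the batch script above and the "why remove the KB twice" exchange, here is an added example that is not the poster's script nor anything from the Experts Exchange thread: a PowerShell script for non-domain machines that verifies the five registry values the batch file sets and removes each KB with a check-and-retry loop, so a second pass only happens when the first one did not take. Get-HotFix, wusa.exe and the registry paths are real; the function names, the retry count of 3 and the reporting format are my own assumptions, and it needs an elevated PowerShell 3 or later prompt.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# The registry values are the ones the batch script above sets; function names are hypothetical.
$PolicyValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx';                             Name = 'DisableGWX';                Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';                   Name = 'DisableOSUpgrade';          Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade';   Name = 'AllowOSUpgrade';            Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade';   Name = 'ReservationsAllowed';       Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; Name = 'IncludeRecommendedUpdates'; Expected = 0 }
)
$Kbs = @('3035583', '2952664', '2976978')   # the GWX-related updates the batch script removes

function Test-GwxPolicy {
    # Returns $true only when every value exists and holds the expected data
    $ok = $true
    foreach ($v in $PolicyValues) {
        $item   = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($v.Name) } else { '<missing>' }
        $state  = if ("$actual" -eq "$($v.Expected)") { 'OK  ' } else { $ok = $false; 'FAIL' }
        Write-Host ("{0} {1}\{2} = {3} (expected {4})" -f $state, $v.Path, $v.Name, $actual, $v.Expected)
    }
    return $ok
}

function Test-KbInstalled {
    param([string]$Kb)
    # Get-HotFix lists installed updates by their KB id; no match means not installed
    return [bool](Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue)
}

function Remove-KbWithRetry {
    param([string]$Kb, [int]$MaxAttempts = 3)
    # Check after each wusa run and retry only while the update is still present,
    # instead of running the uninstall twice unconditionally as the batch script does
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        if (-not (Test-KbInstalled $Kb)) {
            Write-Host "KB$Kb is not installed"
            return $true
        }
        Write-Host "Removing KB$Kb (attempt $attempt of $MaxAttempts)"
        $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
            -ArgumentList "/uninstall /kb:$Kb /quiet /norestart" -Wait -PassThru
        # 0 = removed, 3010 = removed but a reboot is required; anything else deserves a look
        Write-Host "  wusa exit code: $($p.ExitCode)"
    }
    return -not (Test-KbInstalled $Kb)
}

$policyOk  = Test-GwxPolicy
$kbResults = foreach ($kb in $Kbs) { [pscustomobject]@{ KB = "KB$kb"; Removed = (Remove-KbWithRetry $kb) } }
$kbResults | Format-Table -AutoSize
if ($policyOk -and -not ($kbResults.Removed -contains $false)) {
    Write-Host 'All checks passed; reboot to complete the removal.'
} else {
    Write-Host 'Some checks failed; review the output above before rebooting.'
}
```

Because Get-HotFix is consulted again after each wusa run, a KB that the poster saw survive its first removal simply gets another pass, while one that was removed cleanly is not touched again.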
Headmaster

"almost no one is updating their operating systems"

perhaps ambiguous writing?

In context, could mean "almost no one is updating the devices' operating systems"


Re: true @stizzleswick

"Er... is there a reason you're removing kb2952664 twice"

Probably. When doing manual removal, I noticed that KB2952664 didn't disappear on the first attempt. Can't tell whether it always behaves like that. This KB was re-issued at some point, so it may have been an update on top of the similarly named update.


Re: true @stizzleswick

I believe it's when they push out more than one version of the same patch, the previous version is cached.

Not liking the link to Expert Sex Change, you have to mess about with cookies if you want to see more than one page.


Re: true @stizzleswick

They'll never live down Expert Sex Change.... that's what I always think when I type it.

I saw another URL on the back of an Italian lorry; their company was Italian Continental, their website is

italiancont.it

in massive letters. Childish, but it did make me giggle.

ZSn

Shower

It took a whole year to remove hard coded ssh passwords? What a total shower...

Anonymous Coward

Re: Shower

The shower was using named pipes with the default username & password of soap and water


Who the fuck needs to adjust their thermostat when they aren't in their fucking house? It's like being able to check the tread depth on your tyres whilst you are on holiday.

That's what a timer is for, dickheads!

The only viable smart feature I want from my heating system is zoning, but I'm about to move so I'm not going to shell out for it.

With Hive you can control your heating from your phone...... when would I ever want to do that?


What if you work irregular hours and don't live your life to a schedule? Meaning you have no F'n clue when you're in or out of your house?

Unhappy

"What if you work irregular hours and don't live your life to a schedule? Meaning you have no F'n clue when you're in or out of your house?"

Didn't you know that you are supposed to have a spouse or partner at home at all times?

After all, the Gas, Electrickery, BT and a host of delivery companies clearly think so when all you can get out of them is AM or PM for an appointment.


just leave the thermostat on 19.


I don't know why anyone would want Hive, but those who do will be cursing the day their phone breaks or gets stolen (and the thief turns the heating up to 11 for a laugh).


Can't. Don't stay home long enough (and don't have enough in the budget) to justify it staying a certain temperature when I'm not around (BTW, many people with irregular schedules also tend to be single, as (potential) spouses tend to get aggravated over such schedules). And since it takes time to get the place warmed up, the ideal solution MUST be one I can trigger when I'm not at home but on the way (which can literally be any time at all, so no scheduling system on Earth would be able to keep up).


wait wut?

>while everyone is cock-a-hoop these days for shiny IoT devices,

Perhaps the people making the devices but especially on this site haven't heard much demand for the Internet of Fail for the toaster.


Re: wait wut?

Because this is not a site for the average punter.


Re: wait wut?

I consider myself to be an average-ish punter who is IT-curious.

not even mid-range but of the lower orders but who answers the 'your computer has a fault' calls with 'Which one -- can you tell me the IP and MAC address so I can check?' (not that I know much but they tend to bugger off)

Reading the Reg has opened my eyes to the absolute dog's breakfast that is the internet and also the 'must have's'.

I'm average but a suspicious bastard as well.


When is the IoT industry going to get smart on security?

The answer is, while there are no legal sanctions for leaking customer data, never. People with a defective understanding of writing secure code, cobbling together firmware from bits of other people's code, doesn't exactly lead to security by design. Once the thing is up-and-running, you then have to spend the same amount of time testing for vulnerabilities.


Re: When is the IoT industry going to get smart on security?

Or, while they can pull in the dosh and no-one is asking questions, only going for the shiny-shiny.

They will not give a toss as they need to chuck out more shiny-shiny for those instant profits.

Not until the lawsuits find the companies liable -- so, about three years?


This post has been deleted by its author

Mushroom

Sooooweeeeet!!!

First the heat goes up, then the AC goes down,

Circulate the air all around.

Give us a natural gas flare

to help us singe our hair.

Then a pilot light flame out,

Who managed to mess up the thermocouple safety with that weird test function?

Whoops, there goes the house skyward taking us to perdition...

BOOOOM!


Re: Sooooweeeeet!!!

Bravo!


IoT

So, my IoT alarm system will tell burglars when the house is empty, my IoT thermostat will hog the bandwidth I need to stream video and my IoT toaster will rat me out to the feds. That about it?


Re: IoT

Either that or your "smart" fridge will notice that it's packed full of junk food and beer. It will ping the node in your bathroom scales that will confirm you've put on a couple of kg in the last month. Your intelligent doorbell will pass that on to your car, which will refuse to unlock the door in the morning, so you have to walk to work.

The toaster will order you a treadmill off Amazon and the TV won't work until your electricity monitor confirms you've done an hour's running each night.

And it'll be your waste-analysing lavatory that rats you to the DEA.


Re: IoT

"my IoT toaster will rat me out to the feds"

Was that in a Michael Marshall Smith book -- ah no, it was an alarm clock that wouldn't go away.


Answer

Never, or until they get hit with a Ford Pinto-type liability lawsuit and lose.

'"The unfortunate truth is that few people think 'Hey! It's the first Monday of the month! I should check and see if my TV needs to be patched!'" said Alex Chiu, a threat researcher at Cisco Talos.' If the device cannot be easily patched (the description made my eyes roll), it will not get patched - ever. They will try to blame the user, but it is really their sloppy code and generally crappy product that is the real problem.


Is this a trick question?

Hate to say... oh fuck it. Told ya so.


I can't quite put my finger on what it is you are all getting so heated about.


It was the only way to stop my chattering teeth as some hacker set my home on Penguin defaults...


Must be running Linux then.

Flame

The real problem

The problem with this piece of junk and so many of the others boils down to the same basic issue - the barrier to entry is too low.

It used to be that getting hardware out the door was a slightly difficult process and you probably needed at least one person with a vague clue to be able to get anywhere.

Now you buy a cheap SOC and a reference design, push a Linux build through Yocto or whatever, chuck it at a Chinese contract manufacturer and *bang* you have your system. Minimal effort and minimal thought required. So if for example you want to chuck together an internet connected thermostat any half-educated student can manage to get something vaguely presentable without having to think about any of the details of the design, or an appropriate solution, or things like basic security.

And even worse than this some people are actually in a position where they believe the companies behind this crap have some sort of inherent value rather than just pushing out half finished versions of an easily duplicated idea for no profit.

There's probably a gap in the market for actual qualified engineers to get in and do things properly, but I doubt the market is there to drive the volume to make the financials work for a real business. So I guess people will have to continue to put up with junk knocked together by muppets in a small rented office in a suitably fashionable area.


Re: The real problem

Well, if any half-educated student can do it, I'm quite sure Watson and its progeny will be able to kick those students to the curb and get the job done right. [Rightness, of course, is specific to the designer, not necessarily the consumer.]


Re: The real problem

"There's probably a gap in the market for actual qualified engineers to get in and do things properly"

You mean like some of those recent smartphone security oriented startups that were allegedly built on the premise of doing it right, only to be proven just as pwnable as the rest...? Yup, that'll do it...


Toasters with IP addresses

In the future they'll not need a purpose-built heating element.

Just plug them in and their embedded SOC will heat your toast up all on its own as it signs into Botnets-r-us and starts DDOSing the crap out of the target-du-jour.


General purpose computing.

It's honestly the biggest problem in security. The fact that these devices CAN run any program, can do anything they're programmed to do, etc. is their biggest security hole.

When you have a washing machine with an electronic timer... it can time. That's it. It can click round and do what it's been told to do. The capability to go out to the net, or whatever, isn't there, so it can't be abused.

With a thermostat, it can have a temperature and click on and off a relay. That's all it needs to do. As such, if it goes wrong the worst is that the heating goes on or off.

But general purpose computers in a thermostat (like in ATMs and anything else nowadays) mean that they can be abused to do all kinds of things that have nothing to do with turning your heating on and off. It doesn't mean the old ones can't be compromised, but because their range of physical effects is so damn small (turn the heating on, dispense cash - still serious, but nowhere near as serious as access to the banking network to roll back transactions like a recent article I read somewhere!), they are relatively safe.

The biggest problem we have is people putting general purpose processors and even operating systems (ATMs running on Windows, etc.) into things that really don't need them. And there's NO WAY to limit what that processor does. All the containerisation, virtualisation and abstraction in the world hasn't proved enough to actually stop things like hypervisor exploits and so on.

The ubiquity of general purpose computing - where it's easier to slap in a Raspberry Pi or Windows PC instead of a purpose-built circuit - is really the biggest security issue we have.


Manufacturers are not interested in supporting products. You are lucky if you get a firmware update out of them so the products are half working to spec, let alone security updates. Even high-end manufacturers like Panasonic churn out TVs which advertised web features which never materialised, and they just stopped updating after a year. The only thing that will fix this is regulations from Europe mandating security updates and product support for a certain time after product sale. It has to happen eventually, but as usual these things are only tackled after being ignored until there is a major disaster and a backlash. The VW scandal is another example of major known product issues being ignored until the whole thing blew up and the media finally caught on. Until this happens, IoT malware is not sexy enough for the media to take notice.


And then the EU voted to allow them to produce cars which emit up to double the emissions limit until 2019 anyway, so I wouldn't count on them coming to the rescue for IoT.

Anonymous Coward

" Even high end manufacturers like Panasonic churn out TVs which advertised web features which never materialised and they just stopped updating after a year."

There's a term for what you describe: planned obsolescence. And there's very little governments can do about it because manufacturers in this regard can behave as a cartel. The moment the EU tries to force some kind of support contract beyond what's there now, they'll probably counter with a threat to pack up and move back to Asia and leave everyone with their obsolete stuff as fiduciary duty will say it's cheaper to shut down and pack up than to comply with such laws.


who opens their ports up to the internet?

Any well made piece of IoT tat would push-pull information from a central server?


not a *real* problem

How does one "inject viruses" through an ssh vulnerability when every wifi router blocks ssh by default?

In-order to compromise this thermostat, you need access to the home network. But once you have that, who cares about a thermostat?


Biting the hand that feeds IT © 1998–2017