Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI

Digital thermostats from Heatmiser are wide open to takeover thanks to default login credentials and myriad other security flaws. The UK-based manufacturer has promised to develop a fix. Pending the arrival of a patch, users are advised to disable the device's Wi-Fi capability. The security flaws were discovered by Andrew …

  1. Anonymous Coward
    Coat

    It's not a bug, it's a feature!

    It means that your guests can control the heat as well. What's the issue?

    Coat? It's suddenly got cold around here.

  2. Adam 1 Silver badge

    That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

    1. Anonymous Coward
      Anonymous Coward

      Err... no

      This is what you will get out of an embedded or SCADA engineer given a task to make the thermostat manageable. They are good at what they do (or supposedly so), asking most of them to have even the most basic comprehension of Internet security is an extremely tall order. By the way - that is valid for alarm engineers too. Most of them have no clue whatsoever of how to secure the internet exposure of an alarm system.

      I pointed this out 5 years ago when working in the area and got screamed at by every single management critter in the vicinity. Well... the reality has been proving me right ever since.

      1. Flocke Kroes Silver badge

        The usual trick

        PHB asks for proof of concept demo software to get some investment. Funds are needed urgently, so "You can save time by not bothering with security." When that version is delivered, the software 'works', so it must be 'complete', and there is no need to waste time or money on changes that only matter to engineers. PHB will ship it as is.

    2. Anonymous Custard Silver badge
      Joke

      "That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!"

      Hail Skroob!

  3. Anonymous Coward
    Anonymous Coward

    Where are the crims?

    I can't see the black hats hacking into wifi stats simply to play around the temperature. They shouldn't be able to, but it's hardly going to be a major draw.

    But if the user can be locked out of their stat (like Cryptolocker for central heating) then I start to see how the crims might make money. Which means (unsurprisingly) that access to basic control functionality is relatively low risk, but any capabilities to set new passwords, load or delete firmware and the like, that's where the money will be. What's the ransom value of a heating denial of service (HDOS) attack in winter? Is it a credible blackmail option, or am I being overly worried?

    Other IoT possibilities step forward: Telly Denial of Service. Look at the vile, skanky firmware and software that TV makers plaster on "smart" TVs, can that be hacked to lock the device? At £500 for a nice TV, the ransom value has to be at least £150 (a bit like the Beeb's TV ransom). FDOS attacks on smart fridges & freezers would look like other options with credible ransom values.

    And then you come to smart meters themselves, which would be the meatiest of targets, able to deny energy full stop. I wonder if those responsible for smart meters have had them properly tested by competent device hackers? At a guess the answer will be no for most of them - I'm close enough to the programme to know that many of the makers have had real problems with software, because (like TV & stat makers) they come from a hardware background, and I'll wager that DECC (in charge of the SMETS2 specification) believe that a good paper specification is defence in itself.

    1. Anonymous Custard Silver badge
      Big Brother

      Re: Where are the crims?

      "Telly Denial of Service"

      Or more worryingly have your TV only able to play cheap and tacky "reality" TV, Cash in the Attic and such daytime-TV fodder at all times.

      A bit like waterboarding, but without the refreshment...

    2. Simon Harris Silver badge
      Devil

      Re: Where are the crims?

      "I can't see the black hats hacking into wifi stats simply to play around the temperature. They shouldn't be able to, but its hardly going to be a major draw."

      If my downstairs neighbours had an IoT thermostat I might...

      mmmm... underfloor heating

    3. Frank Bitterlich
      Alert

      Re: Where are the crims?

      Read the article again - it reveals the WiFi credentials.

      1. Jos

        Re: Where are the crims?

        Yes it does reveal the credentials, like it does on github:

        https://github.com/carlossg/heatmiser-node

    4. JLV Silver badge

      Re: Where are the crims?

      What about selling lists of addresses which seem to be vacant to criminals? Winter, you would expect a thermostat at low for 3-4 days to mean owner is away. Ditto smart tv and that works in summer too.

      Granted, break ins are not usually hi tech and might even be trending down for various reasons. But there is still a lot of potential downsides to an internet of things that allows extrapolation of your daily habits in the real world. Seems like we are at the same maturity level as Outlook running vbs from emails, back in the day. Or me clicking on my buddies' exe joke attachments.

      Naive.

  4. Dan 55 Silver badge

    Welcome to embedded software

    Security? We've heard of it.

  5. JimmyPage Silver badge
    FAIL

    Old school hacking ...

    if one of the utility companies surreptitiously turned everyones 'stat up by one degree ....

    1. randomwomble

      Re: Old school hacking ...

      I've already got something that turns the thermostat up when I'm not looking. It's called a 'Wife'

      1. Bigbird3141
        Happy

        Re: Old school hacking ...

        Have you got the model that understands some of the basics and just turns the thermostat up a degree or two because "they're chilly" (in only a t-shirt), or the model that thinks whacking it up to 30 will make it reach 22 degrees a lot quicker?

        Currently mine has not yet turned the heating back on this autumn - a record.

      2. fruitoftheloon

        Re: Old school hacking ...

        Rw,

        does yours also insist that lights must be left on in unoccupied rooms as she will be 'going back in there later'?

        Just wondered.

        Jay

        1. Cripes Chief!

          Re: Old school hacking ...

          And because it looks nice with the side lamps on she says as she closes the door on leaving the room!

        2. Alan Brown Silver badge

          Re: Old school hacking ...

          Mine insists on turning lights off even if out of the room for 30 seconds - and if you know anything much about CFLs you'll know that being turned on and off all the time shortens their lifespan.

      3. Gronk

        Re: Old school hacking ...

        You must have the newer model of wife. I've got an older model and she keeps turning the thermostat down.

        I think there's a common fault in the temperature sensors and after running for a few decades the sensors start reporting the external temperature to be several degrees hotter at random times. I'm told this will pass after a certain time but there's no way to know the duration.

        The temperature sensors aren't a user-replaceable part. The only options are to live with the problem or replace the whole unit, but replacing the whole unit can be very expensive.

      4. Steven Raith

        Re: Old school hacking ...

        @RandomWomble:

        apt-get install wife

        Reading package lists... Done

        Building dependency tree

        Reading state information... Done

        E: Unable to locate package wife

        Damn. <foreveralone.png>

        Steven "what do mean, this is why I'm single?" R

    2. Bunbury

      Re: Old school hacking ...

      Or the IPCC turning it down by a degree. Can't believe this is el Reg and no-one has shouted "conspiracy" yet! For shame, 'tards, for shame.

      1. Mpeler
        Mushroom

        Re: Old school hacking ...

        "Or the IPCC turning it down by a degree. Can't believe this is el Reg and no-one has shouted "conspiracy" yet! For shame, 'tards, for shame."

        Well, this time it's not the Koch brothers, it's "Yer gonna COOK, brother"....

        Coming to an internet-of-things soon, near you....

        IOT - 60 percent of idIOT..... </snark>

        (gee, it's hot in here....all that, cough, smoke, second-hand..haha)

    3. Anonymous Coward
      Anonymous Coward

      Re: Old school hacking ...

      "if one of the utility companies surreptitiously turned everyones 'stat up by one degree ...."

      ...it would be a f***ing miracle. I work in one, and we struggle pitifully with all forms of IT, so the idea of being clever enough and having sufficient skilled people to illegally hack customers' devices doesn't sound convincing.

  6. cosymart
    Meh

    Reverse Engineer

    Is a reverse engineer someone who can take things apart but is unable to put them back together again? I used to work with lots of these :-(

    1. Nigel Whitfield.

      Re: Reverse Engineer

      But surely, in the words of the Haynes manual, "reassembly is a reversal of disassembly" ;)

      1. Anonymous Custard Silver badge

        Re: Reverse Engineer

        "But surely, in the words of the Haynes manual, "reassembly is a reversal of disassembly" ;)"

        From observational experience, it depends on how many excess pieces you have left afterwards...

        1. theblackhand

          Re: Reverse Engineer

          And from observational experience, how easily it came apart.

          Can you pass me that hammer, I need to remove a mobile phone screen.

          Not that one, the bigger one next to it.

          1. Anonymous Custard Silver badge

            Re: Reverse Engineer

            Hey, don't knock percussive maintenance!

        2. Anonymous John

          Re: Reverse Engineer

          "From observational experience, it depends on how many excess pieces you have left afterwards."

          Or how many of the pingfuckits that flew about your garage you were unable to find.

      2. WraithCadmus
        Trollface

        Re: Reverse Engineer

        "But surely, in the words of the Haynes manual, "reassembly is a reversal of disassembly" ;)"

        Yes, that spring will fly up from the corner of the garage back into the housing and re-anchor itself just right.

  7. Longrod_von_Hugendong
    FAIL

    What a bag...

    of dogwank. Whoever let this out to the wild needs a slap, with a 2 by 4, wielded by the world's strongest person who is stood on a truck doing 60 mph.

    Just unbelievable stuff.

  8. Destroy All Monsters Silver badge
    Trollface

    Adequate webservers are small, very cheap and available under "industry-friendly" terms

    A security issue has been identified on our WiFi Thermostat…

    The issue consists in the fact that it exists.

  9. Winkypop Silver badge
    Flame

    As Glenn Frey once sang....

    The heat is on...

    Time for someone at the company to have the heat turned up on them.

  10. Anonymous Coward
    Anonymous Coward

    I don't understand the obsession people have with adjusting thermostats.

    When it's cold outdoors, people turn the thermostat up, when it's hot outdoors they turn it down.

    But the whole point of a thermostat is that you should set it once, to a comfortable room temperature. Then the thermostat controls the heating and/or aircon to maintain the room at that temperature, regardless of the outdoor temperature.

    1. Anonymous Coward
      Anonymous Coward

      "But the whole point of a thermostat is that you should set it once, to a comfortable room temperature."

      Only if you want a steady temperature. In practice many people prefer to have a warmer "wake up" temperature than they want during the day, and to have a slightly lower temperature in late evening. But programmable stats have been able to do that for several decades - I've got a twenty year old Eberle progstat that's been doing just that. That gives me better comfort and lower bills without messing around. There's no need for wifi and tech vulnerabilities to have a user programmable device, although the dodgy control logic and interfaces of almost all heating controls are certainly begging for improvement in the touchscreen world.

      Even with a progstat there's still the need to mess with it occasionally, mind you, since the human perceived temperature is not the same as the measured dry bulb temperature that a stat measures.

      1. Down not across Silver badge

        Room thermostats should work on WBGT

        "Even with a progstat there's still the need to mess with it occasionally, mind you, since the human perceived temperature is not the same as the measured dry bulb temperature that a stat measures."

        Quite. Thermostats should really include a humidity sensor and they could operate on WBGT instead.

        The formula is simple enough for any embedded system to handle.

    2. Stoneshop Silver badge
      FAIL

      Not just once

      The very minimum I want a thermostat to do is drop[1] the house temp a couple of degrees at night and when I'm out for more than an hour or two. And it appears I'm not the only one to operate them this way.

      The first can be achieved by the humble clock thermostat, as developed at least as far back as 1960[2], although it's rather inflexible regarding what it considers 'night'.

      W.r.t. the second requirement, with a simple thermostat it's a matter of twisting the dial a bit when you leave and when you return, but the less human intervention you want, the smarter the thermostat needs to be to detect absence/presence. And thermostat vendors appear to have decided that remote access is a feature that conveys smarts.

      [1] on the condition that it does not require the house to be actively cooled to do so, as that option is unavailable.

      [2] I have one from that year.

      1. Roland6 Silver badge

        Re: Not just once @Stoneshop

        >[2] I have one from that year.

        Don't expect a smart thermostat to be that reliable or last as long...

        The laugh I have is that by using the controls in a basic way ie. set and forget, I've managed to keep my house warm through several winters at a lower level of energy consumption than I achieved using the controls in the way envisaged by the manufacturer...

        For example there is little real point in dropping the house temperature over short periods of time, particularly if you have a well insulated house, because the thermal mass of the house will maintain the temperature and the controls won't trip unless the house actually drops a couple of degrees. In my house I can turn everything off and for most of the autumn/winter/spring the temperature will not drop below 14~16 C (today, no heating since Mar/Apr and the internal temperature is 20~21C with windows and doors open), even with snow and minus temperatures overnight the coldest I got the house down to was 12 C after a week (but I didn't have the windows and doors wide open :) ).

        1. Tanuki

          Re: Not just once @Stoneshop

          Agreed: there's a lot to be said for thermal-inertia once you get your house temperature up to the desired set-point: even if I let the woodstove go out there's still enough heat stored in a couple of hundred Kg of cast-iron-and-firebrick to keep the house warm for a day or so. [foot-thick internal masonry-walls help a bit too].

          I defy anyone to successfully hack my stove via WiFi.

          1. Tom 7 Silver badge

            Re: Not just once - Log Burners!

            Got cavity wall insulation in the parts of the house that aren't cob and after that I found that the log burner had to be on 'no fun just put some logs on and damp it all down' and it kept the house peachy.

            But even a few years ago before CW insulation it managed to keep the place warm (not hot) when it was -13C outside.

            Still find sawing up and splitting a few baskets is the best warmer though. And walking the dog a few miles makes even a cold house seem warm when you get in!

            But a wifi thermostat that could be hacked by the supplier in a drive-by .... I'm surprised the energy companies haven't made them compulsory.

        2. Anonymous Coward
          Anonymous Coward

          Re: Not just once @Stoneshop

          "For example there is little real point in dropping the house temperature over short periods of time, particularly if you have a well insulated house, because the thermal mass of the house will maintain the temperature"

          From a comfort point of view that's largely true. But from an energy use perspective less so. The heat loss is a function of the thermal resistance of the envelope, and the temperature differential. So although the thermal inertia will keep the house warm, the thermal "core temperature" is still dropping, and your heating source then needs to top up the thermal store, which will invariably have relatively high SHC and energy density. For an hour or two here and there you won't notice the cost, but for an hour or two extra every day you would.

          That's the beauty of a simple programmable stat - you faff around until you're happy, then you can leave it alone for years until your routine changes, and in the meanwhile you're as warm as you want with minimal wasted energy. I'm no tree hugger, but there's no point paying for energy that you're not benefiting from.

    3. Destroy All Monsters Silver badge
      Coat

      "I don't understand the obsession people have with adjusting thermostats."

      It's the new "cooler app"

  11. IglooDude
    Coat

    I foresee some Denial of Thermostat attacks coming soon. Then again, could Global Climate Change just be considered a DDoT attack? Via social engineering, no less?

    I'll get my coat, yeah, even though I might not need it.

  12. Captain Scarlet Silver badge
    Childcatcher

    I bet the Utility Companies

    Will be driving around ramping up everyone's heating so they can maximise their profits!

    1. Anonymous Coward
      Anonymous Coward

      Re: I bet the Utility Companies

      And I bet it won't be noticed as the bill payer's significant others ramp the temperature up even higher.

      In spite of the tropical plants dying from the heat....

  13. heyrick Silver badge

    Until there are stiff penalties for releasing hardware with fundamental security flaws...

    ...this sort of thing will keep happening and while it might not be a big deal[*] to tweak people's heat or spit out pages from a printer, sooner or later these flaws will have a more important effect.

    * - that said, somebody you hate has gone on a winter holiday, the weather is forecast to be very cold, and you know how to access their heating controller...imagine what would happen if you disabled it all midwinter with nobody home for a week. No access, no trace (recorded by domestic kit)...and you can even turn it back on before they return so....gee....what could have happened? Hmmm!

  14. 2+2=5 Silver badge
    Holmes

    New plot idea for a detective show...

    Perp is in line to inherit a substantial amount but has problem of how to bump off the elderly relative without getting caught. Solution: install these thermostats and turn down remotely on a cold Winter's day/night so otherwise perfectly healthy relative gets hypothermia and dies. Only problem is how to pad out the remaining 40 minutes of the show? Perhaps they could focus on the thermostat supplier whinging and squirming in court claiming it's not their fault.

  15. Tom Chiverton 1

    Smart meters any one ?

  16. Gene Cash Silver badge

    None of this crap needs to go through the cloud in the first place

    This is the stupidest crap. All the IoT thing apps go to some mfgr cloud, which then sends the command to the device, instead of talking to the device directly.

    Since I have a working firewall, none of that works, and I'm certainly not punching holes for it.

    1. cybergibbons

      Re: None of this crap needs to go through the cloud in the first place

      It doesn't go through the cloud on this device. It's port-forwarded, by manufacturer recommendations.

  17. Zog_but_not_the_first Silver badge
    Childcatcher

    Not really a problem?

    Surely if you're rich enough to afford one of these new-fangled Internet-enabled thermostats you can just have Jeeves throw another orphan on the fire?

    1. Anonymous Coward
      Anonymous Coward

      Re: Not really a problem?

      Obviously the downvote was from someone who knows you should cure the orphan a bit first, so you get the maximum heating benefit. All the water in the human body slows down combustion.

  18. Anonymous Coward
    Anonymous Coward

    Disable port 80 forwarding...

    ...for external Browser access is what Heatmiser are recommending. One needs to leave another port forwarded for Smartphone App access. This is still vulnerable to a brute force attack on the thermostat's PIN but probably an acceptable risk for most users pending a fix.

    Interestingly, it seems like the fix will involve a new thermostat "front panel", i.e. the bit of the unit with the electronics in it, as there appears to be no simple way to flash the firmware of the device. This is, presumably, not going to be a cheap exercise for Heatmiser.

    1. Anonymous Coward
      Anonymous Coward

      Re: Disable port 80 forwarding...

      "This is, presumably, not going to be a cheap exercise for Heatmiser."

      That would depend on whether they do a full and effective "recall". My guess is most customers won't hear about the security kerfuffle, are as happy or otherwise as they were last week, and if Heatmiser have any sense they'd replace them only on request. That's typically how non-safety related faults are dealt with by manufacturers.

      I recall the (now) old Ford Cargo trucks, where some models had a problem that the front wheel mudguard could under some situations deflect a big puddle splash straight into the engine air intake. Water being incompressible, this usually resulted in a loud crack followed by a heavy tinkling as the shattered engine block fell out onto the road. The design was changed for future production, no retrofit was ever offered, and any warranty claims were quietly paid, although many owners would have blamed other causes like poor driving.

    2. cybergibbons

      Re: Disable port 80 forwarding...

      The brute force is quite slow, and requires more than just use of a browser. I've not released the proof of concept yet for it either.

      1. Anonymous Coward
        Anonymous Coward

        Re: Disable port 80 forwarding...

        @cybergibbons Hence my comment re acceptable risk.

        It would appear, from latest correspondence with Heatmiser, that they are planning to implement the lock-out approach for PINs that you suggested in your blog post.

        1. Gerardo McFitzpatrick-O'Toole

          Re: Disable port 80 forwarding...

          Now that (lockouts above a certain number of failed logins) there is a *proper* Denial of Service vulnerability (unless it's per-external-address and there isn't also a way around this - but judging by previous experience, I'd imagine not)
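The two points made in this sub-thread, that a PIN on a port-forwarded thermostat is brute-forceable, and that a naive lockout after N failures hands any stranger on the internet a way to lock the owner out, can be put side by side in a small simulation. The following is an added example written for this page; it is not code from the article, from Heatmiser, or from any commenter, and the PIN length, attempt budget, lockout window and the client addresses it uses are assumptions rather than facts about the product.

```python
"""Added example, not from the article or any commenter: a toy model of a
PIN-gated thermostat login used to compare three failed-login policies.
PIN length, attempt budget, lockout window and the addresses used below are
all assumptions, not values from Heatmiser's product."""
import itertools

PIN_LENGTH = 4          # assumption: numeric PIN of four digits
MAX_FAILURES = 5        # assumption: failures before a lockout
LOCKOUT_SECONDS = 300   # assumption: length of a lockout


class Thermostat:
    """Login front end. scope is one of:
       "none"   - no lockout at all (the situation the thread describes)
       "global" - one failure counter for the device; anyone can trip it
       "source" - one counter per client address; only the guesser is locked
    """

    def __init__(self, pin, scope):
        assert scope in ("none", "global", "source")
        self.pin = pin
        self.scope = scope
        self.failures = {}      # key -> consecutive failures
        self.locked_until = {}  # key -> simulated time the lock expires

    def _key(self, src):
        return "*" if self.scope == "global" else src

    def retry_after(self, src):
        return self.locked_until.get(self._key(src), 0.0)

    def attempt(self, src, guess, now):
        """Returns "ok", "bad" or "locked" for one login attempt at time now."""
        key = self._key(src)
        if self.scope != "none" and now < self.locked_until.get(key, 0.0):
            return "locked"
        if guess == self.pin:
            self.failures.pop(key, None)
            return "ok"
        if self.scope == "none":
            return "bad"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILURES:
            self.failures[key] = 0
            self.locked_until[key] = now + LOCKOUT_SECONDS
        return "bad"


def brute_force_seconds(scope, pin, attempts_per_second=2.0):
    """Simulated time for one client to guess pin by trying every PIN in
    order, waiting out each lockout it triggers. Low PINs such as "0009"
    fall early; "9999" is the worst case for this guessing order."""
    dev = Thermostat(pin, scope)
    now = 0.0
    for digits in itertools.product("0123456789", repeat=PIN_LENGTH):
        guess = "".join(digits)
        while True:
            result = dev.attempt("attacker", guess, now)
            if result == "ok":
                return now
            if result == "bad":
                now += 1.0 / attempts_per_second
                break
            now = dev.retry_after("attacker")   # locked: wait it out, retry
    raise ValueError("pin is not a %d-digit string" % PIN_LENGTH)


def owner_locked_out(scope, pin="1234"):
    """An attacker burns MAX_FAILURES wrong guesses from its own address;
    can the owner still log in with the correct PIN a second later?
    True means the lockout policy has become a denial of service."""
    dev = Thermostat(pin, scope)
    attacker, owner = "203.0.113.7", "192.0.2.10"   # assumption: documentation addresses
    for i in range(MAX_FAILURES):
        dev.attempt(attacker, "0000", now=float(i))
    return dev.attempt(owner, pin, now=float(MAX_FAILURES)) != "ok"


if __name__ == "__main__":
    for scope in ("none", "global", "source"):
        print(scope,
              "worst-case brute force: %.0f s" % brute_force_seconds(scope, "9999"),
              "owner locked out by attacker:", owner_locked_out(scope))
```

With these assumed numbers the unprotected device gives up the worst-case PIN in well under two hours at two guesses a second, a global lockout stretches that to days but lets anyone on the internet lock the owner out at will, and a per-source lockout keeps the slowdown without the denial of service. The remaining caveat, which the comment above hints at, is the editor's observation rather than anything the page states: a per-source counter hands every fresh source address a fresh budget, so in practice it is paired with a device-wide slowdown (a growing delay per failure rather than a hard lock) so that address rotation does not restore the original brute-force rate.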

  19. Anonymous John

    Warheating?

    Hackers are roaming the streets, turning up thermostats?

  20. Jonski
    FAIL

    The security flaws were discovered... after reading about problems in another (old and discontinued) Heatmiser product...

    The definition of a masochist: someone who paints themselves into a corner, then goes back for a second coat.

    FFS, when will they (manufacturers of IOT Thingies) learn? It's only been several decades now.

  21. flyguy

    VPN Anyone?

    I've had a handful of these stats running for over a year now.

    I recall posting a comment somewhere else regarding Heatmiser's new Neo stats which have to operate through Heatmiser's "service". This posed an unacceptable loss of control for me so I decided to stick with the WiFi stats and just VPN in to my home network to remote control.

    Which is only really handy if you're away from the house for more than a couple of days during the winter....so not very.

    Port forwarding seems a bit old fashioned these days...??
