Trane thermostat is a hot spot for viruses on home networks

That shiny Internet of Things thermostat might look oh-so cool on the wall, but new research from Cisco shows it could be harboring a whole host of ugly malware. Back in April 2014, the Cisco Talos security team alerted Trane that its Wi-Fi-connected ComfortLink II thermostat had some serious security flaws. The most egregious …

  1. edge_e
    Joke

    When is the IoT industry going to get smart on security?

    you forgot the joke icon

    FTFY

    1. Blofeld's Cat
      FAIL

      Re: When is the IoT industry going to get smart on security?

      When it impacts on profits, or somebody at board level receives a custodial sentence.

      In other words - when Satan is seen buying Winter clothing.

      1. Pete 2 Silver badge

        Re: When is the IoT industry going to get smart on security?

        One reason that the IT industry is so tardy at fixing potential problems is that until they turn into live issues - with actual exploits that affect real users, there are always more pressing (if not more important) things to focus the available talent on.

        So if people want to promote IT security they need to not just wave their arms about potential security holes, but to tell people how many actual incidents of exploits are affecting¹ real customers, NOW.

        It's also worth noting that customers / users are just as bad. They don't install available fixes until after the "horse has bolted". So unless fixes are forcibly pushed down - an extremely risky strategy: just ask Apple or Microsoft - it's left up to an equally resistant user population to act on patches and fixes.

        [1] and "affecting" means: dickin' with their IoT stuff. Not just ssh-ing in and having a poke around, but turning the thermostat up to boiling point or having other material effects on the users' lives. Without that sort of information, it's still just a theoretical threat that they won't take seriously.

  2. ben kendim

    And IoT devices that DO have an updating mechanism are...

    .. prone to being patched surreptitiously, and become vulnerable to compromise.

  3. td97402

    When is the IoT industry going to get smart on security?

    Not until the technology is built out and very entrenched in our homes and businesses. Once IoT malware starts costing somebody who matters some money then, and not before, will the serious handwringing ensue. At that point patch after patch will be released to keep devices secure but to little avail as an unknowable multitude of vulnerabilities will have already been baked in, since developers and manufacturers were racing to get their IoT devices out quickly and cheaply.

    Isn't this how tech is supposed to work?

    1. ecofeco Silver badge

      Re: When is the IoT industry going to get smart on security?

      Exactly.

    2. Charles 9 Silver badge

      Re: When is the IoT industry going to get smart on security?

      "When is the IoT industry going to get smart on security?"

      Probably when someone dies or has their life directly threatened by IoT tech.

      Put it this way. The Internet of Things is a lot like the shoe-fitting x-ray machine, radium clock and watch faces, or thalidomide.

  4. John Tserkezis

    "almost no one is updating their operating systems"

    Are you kidding? Have you not kept up with what Microsoft is doing? Trying to navigate the labyrinth of upgrades WITHOUT going to 10 is a complete reason NOT to upgrade...

    1. psychonaut

      true

      just spent the last 3 days patching ....about 400 machines in now. me and a bunch of guys on experts exchange wrote a script that you might find handy, it sure does speed things up.

      link to thread is here

      http://www.experts-exchange.com/questions/28923876/prevent-win-10-recomended-upgrade-tuesday-9th-feb.html#a41454272

      @echo off
      REM Relaunch in a maximised console window, then leave the original instance
      if not "%1" == "max" start /MAX cmd /c %0 max & exit /b
      goto check_Permissions

      :check_Permissions
      REM "net session" only succeeds from an elevated (administrator) prompt
      net session >nul 2>&1
      if %errorLevel% == 0 (
      REM Policy and Windows Update values that hide the "Get Windows 10" offer and block the OS upgrade
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx" /v DisableGWX /t REG_DWORD /d 1 /f
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableOSUpgrade /t REG_DWORD /d 1 /f
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /v AllowOSUpgrade /t REG_DWORD /d 0 /f
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /v ReservationsAllowed /t REG_DWORD /d 0 /f
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v IncludeRecommendedUpdates /t REG_DWORD /d 0 /f
      echo.
      echo should have 5 successful statements above
      echo.
      echo.
      REM Stop the Get Windows 10 notifier if it is running; an error here only means it was not running
      TASKKILL /IM GWX.exe /T /F
      echo.
      echo don't worry if you get ERROR GWX.exe failed, it doesn't matter
      echo.
      echo.
      echo please wait until you see the FINISHED statement this may take 10 seconds or 20 minutes
      echo.
      echo.
      REM Each KB is uninstalled twice because the first pass does not always remove it
      echo step 1 of 6 - PLEASE WAIT
      @echo on
      start /wait wusa /uninstall /kb:3035583 /quiet /norestart /log
      @echo OFF
      echo step 2 of 6 - PLEASE WAIT don't touch anything
      @echo ON
      start /wait wusa /uninstall /kb:3035583 /quiet /norestart /log
      @echo OFF
      echo step 3 of 6 - PLEASE WAIT don't touch anything
      @echo ON
      start /wait wusa /uninstall /kb:2952664 /quiet /norestart /log
      @echo OFF
      echo step 4 of 6 - PLEASE WAIT don't touch anything
      @echo ON
      start /wait wusa /uninstall /kb:2952664 /quiet /norestart /log
      @echo OFF
      echo step 5 of 6 - PLEASE WAIT don't touch anything
      @echo ON
      start /wait wusa /uninstall /kb:2976978 /quiet /norestart /log
      @echo OFF
      echo step 6 of 6 - PLEASE WAIT don't touch anything
      @echo ON
      start /wait wusa /uninstall /kb:2976978 /quiet /norestart /log
      @echo OFF
      echo.
      echo.
      echo FINISHED!
      echo NOW press any key to reboot your computer
      echo.
      pause
      shutdown.exe /r /t 005
      ) else (
      echo.
      echo.
      echo Failure: THIS HAS NOT WORKED.
      echo PLEASE RUN THIS AGAIN AS AN ADMINISTRATOR. press any key to exit
      pause
      exit
      )
      pause >nul
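      As an added, read-only companion (not psychonaut's script and not from the Experts Exchange thread), this PowerShell audit reports whether the five registry values the batch file writes are in place and whether the three KBs it uninstalls are still present, so an administrator can verify a machine's state rather than trusting the "5 successful statements" count. It assumes the same key paths and values as the script above; Get-HotFix reads Win32_QuickFixEngineering, which does not list every kind of update, so treat a "not installed" result for a KB as indicative rather than conclusive.

```powershell
# Added example: audit the upgrade-block state the batch script above is meant to leave behind.
# Changes nothing; every path, value name and expected value is taken from that script.
$Expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx';                                  Name = 'DisableGWX';                Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';                        Name = 'DisableOSUpgrade';          Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade';        Name = 'AllowOSUpgrade';            Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade';        Name = 'ReservationsAllowed';       Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update';      Name = 'IncludeRecommendedUpdates'; Value = 0 }
)

# The three KBs the script uninstalls (each twice).
$KBs = 'KB3035583', 'KB2952664', 'KB2976978'

function Test-UpgradeBlockState {
    # Returns one object per expected value: where it lives, what it should be, what it is, and whether they match.
    param([array]$Checks = $Expected)
    foreach ($c in $Checks) {
        $actual = $null
        # Missing key or missing value both surface as $null rather than a terminating error.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($c.Name) }
        [pscustomobject]@{
            Key      = "$($c.Path)\$($c.Name)"
            Expected = $c.Value
            Actual   = $actual
            Ok       = ($actual -eq $c.Value)
        }
    }
}

function Test-UpgradeKBsPresent {
    # Reports which of the targeted KBs Win32_QuickFixEngineering still lists as installed.
    param([string[]]$Ids = $KBs)
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($id in $Ids) {
        [pscustomobject]@{ KB = $id; StillInstalled = ($installed -contains $id) }
    }
}

$regResults = Test-UpgradeBlockState
$regResults | Format-Table -AutoSize
$kbResults = Test-UpgradeKBsPresent
$kbResults | Format-Table -AutoSize

if ($regResults.Ok -contains $false) {
    Write-Warning 'At least one registry value is missing or wrong; the upgrade blocks are not fully in place.'
}
if ($kbResults.StillInstalled -contains $true) {
    Write-Warning 'At least one targeted KB is still installed; a further wusa /uninstall pass may be needed.'
}
```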

      1. stizzleswick

        Re: true @psychonaut

        Er... is there a reason you're removing kb2952664 twice, or is that a typo and a different update is supposed to get removed?

        1. Solmyr ibn Wali Barad

          Re: true @stizzleswick

          "Er... is there a reason you're removing kb2952664 twice"

          Probably. When doing manual removal, I noticed that KB2952664 didn't disappear on the first attempt. Can't tell whether it always behaves like that. This KB was re-issued at some point, so it may have been an update on top of the similarly named update.

          1. Dan 55 Silver badge

            Re: true @stizzleswick

            I believe it's when they push out more than one version of the same patch, the previous version is cached.

            Not liking the link to Expert Sex Change, you have to mess about with cookies if you want to see more than one page.

            1. psychonaut

              Re: true @stizzleswick

              they'll never live down expert sex change....that's what i always think when i type it.

              i saw another url on the back of an italian lorry, their company was italian continental, their website is

              italiancont.it

              in massive letters. childish, but it did make me giggle

      2. Anonymous Coward

        Re: true

        Group policy and/or WSUS not useful in your case?

        1. psychonaut

          Re: true

          can't do gpols / wsus, these are all home prem or pro and none of them are on a domain.

          kb's are removed twice because apparently it doesn't always work the first time....

    2. Captain TickTock
      Headmaster

      "almost no one is updating their operating systems"

      perhaps ambiguous writing?

      In context, could mean "almost no one is updating the devices' operating systems"

  5. ZSn

    Shower

    It took a whole year to remove hard coded ssh passwords? What a total shower...

    1. Anonymous Coward

      Re: Shower

      The shower was using named pipes with the default username & password of soap and water

  6. psychonaut

    who the fuck needs to adjust their thermostat when they aren't in their fucking house? it's like being able to check the tread depth on your tyres whilst you are on holiday

    that's what a timer is for dick heads!

    the only viable smart feature i want from my heating system is zoning. but i'm about to move so i'm not going to shell out for it.

    with hive you can control your heating from your phone......when would i ever want to do that?

    1. Charles 9 Silver badge

      What if you work irregular hours and don't live your life to a schedule? Meaning you have no F'n clue when you're in or out of your house?

      1. Wensleydale Cheese Silver badge
        Unhappy

        "What if you work irregular hours and don't live your life to a schedule? Meaning you have no F'n clue when you're in or out of your house?"

        Didn't you know that you are supposed to have a spouse or partner at home at all times?

        After all, the Gas, Electrickery, BT and a host of delivery companies clearly think so when all you can get out of them is AM or PM for an appointment.

      2. psychonaut

        just leave the thermostat on 19.

        1. Charles 9 Silver badge

          Can't. Don't stay home long enough (and don't have enough in the budget) to justify it staying a certain temperature when I'm not around (BTW, many people with irregular schedules also tend to be single, as (potential) spouses tend to get aggravated over such schedules). And since it takes time to get the place warmed up, the ideal solution MUST be one I can trigger when I'm not at home but on the way (which can literally be any time at all, so no scheduling system on Earth would be able to keep up).

    2. Dan 55 Silver badge

      I don't know why anyone would want Hive, but those who do will be cursing the day their phone breaks or gets stolen (and the thief turns the heating up to 11 for a laugh).

  7. asdf Silver badge

    wait wut?

    >while everyone is cock-a-hoop these days for shiny IoT devices,

    Perhaps the people making the devices but especially on this site haven't heard much demand for the Internet of Fail for the toaster.

    1. ecofeco Silver badge

      Re: wait wut?

      Because this is not a site for the average punter.

      1. Elmer Phud Silver badge

        Re: wait wut?

        I consider myself to be an average-ish punter who is IT-curious.

        not even mid-range but of the lower orders but who answers the 'your computer has a fault' calls with 'Which one -- can you tell me the IP and MAC address so I can check?' (not that I know much but they tend to bugger off)

        Reading the Reg has opened my eyes to the absolute dog's breakfast that is the internet and also the 'must have's'.

        I'm average but a suspicious bastard as well.

  8. Walter Bishop Silver badge

    When is the IoT industry going to get smart on security?

    The answer is, while there are no legal sanctions for leaking customer data, never. People with a defective understanding of writing secure code, cobbling together firmware from bits of other people's code, doesn't exactly lead to security by design. Once the thing is up-and-running, you then have to spend the same amount of time testing for vulnerabilities.

    1. Elmer Phud Silver badge

      Re: When is the IoT industry going to get smart on security?

      Or, while they can pull in the dosh and no-one is asking questions, only going for the shiny-shiny.

      They will not give a toss as they need to chuck out more shiny-shiny for those instant profits.

      Not until the lawsuits find the companies liable -- so, about three years?

  9. This post has been deleted by its author

  10. gollux
    Mushroom

    Sooooweeeeet!!!

    First the heat goes up, then the AC goes down,

    Circulate the air all around.

    Give us a natural gas flare

    to help us singe our hair.

    Then a pilot light flame out,

    Who managed to mess up the thermocouple safety with that weird test function?

    Whoops, there goes the house skyward taking us to perdition...

    BOOOOM!

    1. ecofeco Silver badge

      Re: Sooooweeeeet!!!

      Bravo!

  11. allthecoolshortnamesweretaken Silver badge

    IoT

    So, my IoT alarm system will tell burglars when the house is empty, my IoT thermostat will hog the bandwidth I need to stream video and my IoT toaster will rat me out to the feds. That about it?

    1. Pete 2 Silver badge

      Re: IoT

      Either that or your "smart" fridge will notice that it's packed full of junk food and beer. It will ping the node in your bathroom scales that will confirm you've put on a couple of kg in the last month. Your intelligent doorbell will pass that on to your car, which will refuse to unlock the door in the morning, so you have to walk to work.

      The toaster will order you a treadmill off Amazon and the TV won't work until your electricity monitor confirms you've done an hour's running each night.

      And it'll be your waste-analysing lavatory that rats you to the DEA.

    2. Elmer Phud Silver badge

      Re: IoT

      "my IoT toaster will rat me out to the feds"

      Was that in a Michael Marshall Smith book -- ah no, it was an alarm clock that wouldn't go away.

  12. a_yank_lurker Silver badge

    Answer

    Never or until they get hit with Ford Pinto type liability lawsuit and lose.

    '"The unfortunate truth is that few people think 'Hey! It's the first Monday of the month! I should check and see if my TV needs to be patched!'" said Alex Chiu, a threat researcher at Cisco Talos.' If the device cannot be easily patched (the description made my eyes roll), it will not get patched - ever. They will try to blame the user but it is really their sloppy code and generally crappy product that is the real problem.

  13. ecofeco Silver badge

    Is this a trick question?

    Hate to say... oh fuck it. Told ya so.

  14. dbtx Bronze badge

    I can't quite put my finger on what it is you are all getting so heated about.

    1. gollux

      It was the only way to stop my chattering teeth as some hacker set my home on Penguin defaults...

      1. Fred Dibnah

        Must be running Linux then.

  15. Starace
    Flame

    The real problem

    The problem with this piece of junk and so many of the others boils down to the same basic issue - the barrier to entry is too low.

    It used to be that getting hardware out the door was a slightly difficult process and you probably needed at least one person with a vague clue to be able to get anywhere.

    Now you buy a cheap SOC and a reference design, push a Linux build through Yocto or whatever, chuck it at a Chinese contract manufacturer and *bang* you have your system. Minimal effort and minimal thought required. So if for example you want to chuck together an internet connected thermostat any half-educated student can manage to get something vaguely presentable without having to think about any of the details of the design, or an appropriate solution, or things like basic security.

    And even worse than this some people are actually in a position where they believe the companies behind this crap have some sort of inherent value rather than just pushing out half finished versions of an easily duplicated idea for no profit.

    There's probably a gap in the market for actual qualified engineers to get in and do things properly, but I doubt the market is there to drive the volume to make the financials work for a real business. So I guess people will have to continue to put up with junk knocked together by muppets in a small rented office in a suitably fashionable area.

    1. Jack of Shadows Silver badge

      Re: The real problem

      Well, if any half-educated student can do it, I'm quite sure Watson and its progeny will be able to kick those students to the curb and get the job done right. [Rightness, of course, is specific to the designer, not necessarily the consumer.]

    2. DropBear Silver badge

      Re: The real problem

      "There's probably a gap in the market for actual qualified engineers to get in and do things properly"

      You mean like some of those recent smartphone security oriented startups that were allegedly built on the premise of doing it right, only to be proven just as pwnable as the rest...? Yup, that'll do it...

  16. smartypants

    Toasters with IP addresses

    In the future they'll not need a purpose-built heating element.

    Just plug them in and their embedded SOC will heat your toast up all on its own as it signs into Botnets-r-us and starts DDOSing the crap out of the target-du-jour.

  17. Lee D Silver badge

    General purpose computing.

    It's honestly the biggest problem in security. The fact that these devices CAN run any program, can do anything they're programmed to do, etc. is their biggest security hole.

    When you have a washing machine with an electronic timer... it can time. That's it. It can click round and do what it's been told to do. The capability to go out to the net, or whatever, isn't there, so it can't be abused.

    With a thermostat, it can have a temperature and click on and off a relay. That's all it needs to do. As such, if it goes wrong the worst is that the heating goes on or off.

    But general purpose computers in a thermostat (like in ATM's and anything else nowadays) mean that they can be abused to do all kinds of things that have nothing to do with turning your heating on and off. It doesn't mean the old ones can't be compromised, but because their range of physical effects is so damn small (turn the heating on, dispense cash - still serious, but nowhere near as serious as access to the banking network to roll back transactions like a recent article I read somewhere!), they are relatively safe.

    The biggest problem we have is people putting general purpose processors and even operating systems (ATM's running on Windows, etc.) into things that really don't need them. And there's NO WAY to limit what that processor does. All the containerisation, virtualisation and abstraction in the world hasn't proved enough to actually stop things like hypervisor exploits and so on.

    The ubiquity of general purpose computing - where it's easier to slap in a Raspberry Pi or Windows PC instead of a purpose-built circuit - is really the biggest security issue we have.

  18. elenora

    Manufacturers are not interested in supporting products. You are lucky if you get a firmware update out of them so the products are half working to spec, let alone security updates. Even high end manufacturers like Panasonic churn out TVs which advertised web features which never materialised and they just stopped updating after a year. The only thing that will fix this is regulations from Europe mandating security updates and product support for a certain time after product sale. It has to happen eventually, but as usual these things are only tackled after being ignored until there is a major disaster and a backlash. The VW scandal is another example of major known product issues being ignored until the whole thing blew up and the media finally caught on. Until this happens with IoT, malware is not sexy enough for the media to take notice.

    1. Dan 55 Silver badge

      And then the EU voted to allow them to produce cars which emit up to double the emissions limit until 2019 anyway, so I wouldn't count on them coming to the rescue for IoT.

    2. Anonymous Coward

      " Even high end manufacturers like Panasonic churn out TVs which advertised web features which never materialised and they just stopped updating after a year."

      There's a term for what you describe: planned obsolescence. And there's very little governments can do about it because manufacturers in this regard can behave as a cartel. The moment the EU tries to force some kind of support contract beyond what's there now, they'll probably counter with a threat to pack up and move back to Asia and leave everyone with their obsolete stuff as fiduciary duty will say it's cheaper to shut down and pack up than to comply with such laws.

  19. Overflowing Stack

    who opens their ports up to the internet?

    Any well made piece of IoT tat would push-pull information from a central server?

  20. myemailforspamdeflection@gmail.com

    not a *real* problem

    How does one "inject viruses" through an ssh vulnerability when every wifi router blocks ssh by default?

    In order to compromise this thermostat, you need access to the home network. But once you have that, who cares about a thermostat?

    1. Charles 9 Silver badge

      Re: not a *real* problem

      How can they block ssh when it's an encrypted protocol? Sure, they can block the standard port, but what's to stop a connection to a nonstandard port, or a pushed connection initiated by the device? As for why invade a thermostat, it becomes a beachhead or hideout point for the crooks: like those malwares that keep copies of themselves strewn about. Even if the WiFi is changed out, they can use the hideout as a way to establish a new link and just pwn you all over again.


Biting the hand that feeds IT © 1998–2019