Bitdefender researchers have announced the discovery of a vulnerability that allows an attacker to replace the software of a Bosch connected thermostat with a malicious version, which can cause damage.
In 2024, more than ever, connected (smart) thermostats offer a relatively simple way to save money and energy. Although they are good for the planet and for the wallet, these small devices are not immune to cyberattacks. The security specialist Bitdefender is now warning of a critical vulnerability in a Bosch thermostat, one that affects its Wi-Fi microcontroller. We explain.
Hackers could send malicious commands to the Bosch thermostat
The vulnerability was identified in the Bosch BCC100 thermostat. It lies in the Wi-Fi microcontroller, which acts as a gateway to the device's logic controller, in a sense the brain of the thermostat. By exploiting the flaw, an attacker can send commands to the device, including malicious updates, which would then give them unauthorized access to the user's network.
If the messages are formatted correctly, the microcontroller cannot tell malicious ones apart from genuine messages sent by the cloud server. This is what lets an attacker send commands to the thermostat.
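The weakness described above is that the device treats any well-formed message as if it came from the cloud server. The following Python sketch is an added illustration, not Bitdefender's findings or Bosch's actual protocol: it contrasts a format-only check with a device that requires each command to carry a valid HMAC from the server and rejects replays. The message layout, command names and key are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret shared by cloud and device; a real deployment would use
# a per-device key (or an asymmetric signature) provisioned at manufacture.
CLOUD_KEY = b"constructed-demo-key"

def encode(msg: dict) -> bytes:
    return json.dumps(msg).encode()

def parse_command(raw: bytes) -> Optional[dict]:
    """Format-only check: the weak pattern the article describes.
    Anything that parses and names a known command is treated as genuine."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return None
    if msg.get("cmd") in {"set_temp", "update_firmware"} and "args" in msg:
        return msg
    return None

def canonical(msg: dict) -> bytes:
    # Stable byte form of the authenticated fields, so signer and verifier agree.
    body = {"cmd": msg["cmd"], "args": msg["args"], "nonce": msg["nonce"]}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_command(msg: dict, key: bytes) -> dict:
    """What the cloud server would do before sending a command."""
    return {**msg, "mac": hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()}

class Device:
    """Hardened receiver: well-formed is not enough, the MAC must verify."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen_nonces = set()

    def accept(self, raw: bytes) -> bool:
        msg = parse_command(raw)
        if msg is None or "mac" not in msg or "nonce" not in msg:
            return False
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False          # forged or tampered message
        if msg["nonce"] in self.seen_nonces:
            return False          # replay of an earlier genuine message
        self.seen_nonces.add(msg["nonce"])
        return True

# Constructed sample traffic: one genuine update command and one forged one.
GENUINE = sign_command({"cmd": "update_firmware", "args": {"image": "fw-v2.bin"}, "nonce": "n1"}, CLOUD_KEY)
FORGED = {"cmd": "update_firmware", "args": {"image": "evil.bin"}, "nonce": "n2"}
```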
Bosch, which Bitdefender informed of the vulnerability on August 29, 2023, was slow to react. After confirming the flaw on October 4, the German company reported a patch deployed to production on November 11. Bitdefender decided to make its report public this Thursday, January 11, 2024, that is, four and a half months after the vulnerability was discovered.
Bosch has deployed a fix, but caution is required
While Bosch has responded by deploying a patch, Bitdefender stresses that users should make sure their thermostat is running the latest software version. The warning also highlights the need to remain vigilant about potential vulnerabilities in connected-home (IoT) devices as a whole, which are increasingly targeted by cybercriminals.
Bitdefender reminds us, and the security specialist is right to do so, that cybercriminals actively exploit vulnerabilities in IoT devices, using automated scanning tools to identify easy targets. It is crucial for businesses and individual users to secure their IoT networks by limiting access and configuring separate networks.
Recommendations include separating internal, IoT, and guest networks, with isolation between them. For POS (point-of-sale) devices, it is recommended to connect them via a 4G/5G network or a dedicated Wi-Fi or wired network to better protect them against potential threats.