A vulnerability has been found in a popular Bosch smart thermostat, allowing potential attackers to send commands to the device and replace its firmware, according to Bitdefender.
The vulnerability affects the Wi-Fi microcontroller that acts as a network gateway for the thermostat’s logic microcontroller.
The Bosch smart thermostat products BCC101, BCC102 and BCC50, from version 4.13.20 until v4.13.33, are affected. The vulnerability (CVE-2023-49722) has been given a ‘High’ severity rating.
Owners of the thermostat have been urged to update their thermostats to v4.13.33 to patch the flaw.
Bitdefender revealed it first informed Bosch of the vulnerability on August 29, 2023. After being triaged and confirmed, Bosch deployed a fix in v4.13.33 in October 2023.
The vulnerability was then publicly disclosed on January 9, 2024.
How the Vulnerability Works
The researchers said they discovered that the STM chip in one of the thermostat’s two microcontrollers relies on the WiFi chip in the other microcontroller to communicate with the internet.
The WiFi chip also listens on TCP port 8899 on the LAN and will mirror any message received on that port directly to the main microcontroller.
This means that malicious commands can be sent to the thermostat which cannot be distinguished from genuine ones sent by the cloud server, such as writing an update to the device.
To begin the malicious update procedure, the researchers send the ‘device/update’ command on port 8899 to inform the device that a new update is available.
The device will then ask the cloud server for details about the update, which responds with an error code because no update is available.
However, the device will accept a forged response containing the update details: the URL where the firmware will be downloaded from, the size and MD5 checksum of the firmware file, and the version of the new firmware, which must be higher than the current one.
If all the conditions match, including an internet-accessible URL, the thermostat asks the cloud server to download the firmware and send it through the websocket.
The cloud will then carry out the upgrade once it has received the file, causing the device to be completely compromised.
The patch update published by Bosch works by closing port 8899.
Advice for IoT Device Owners
Bitdefender set out the following advice for consumers to reduce the risk of their home IoT devices being exploited by cyber threat actors:
- Set up a dedicated network for IoT devices to isolate them as much as possible from the local network
- Use free tools to scan for connected devices on the network, and identify and highlight vulnerable ones
- Check for newer firmware and update devices as soon as the vendor releases new versions
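Two of the checks above can be automated from what the article states: whether a thermostat's reported firmware version falls in the affected range (4.13.20 up to, but not including, the fixed 4.13.33), and whether any LAN host has been talking to the thermostat on TCP port 8899, a port only the device's own gateway chip should be using. The following is an added example written for this page, not Bitdefender's or Bosch's code; the connection-record format and the sample records are constructed for illustration.

```python
"""Defensive checks for CVE-2023-49722 (Bosch BCC101/BCC102/BCC50).

1. is_affected_version(): is a reported firmware version inside the
   affected range 4.13.20 <= v < 4.13.33 (the fix shipped in 4.13.33)?
2. find_8899_connections(): flag TCP connections to port 8899 on the
   thermostat. Genuine commands arrive from the cloud over the websocket,
   so any client on the LAN using that port deserves a look.
The record format 'ts src_ip src_port dst_ip dst_port proto' is a
constructed format for this example, not a real Bosch or scanner log.
"""
from typing import Dict, List, Tuple

FIRST_AFFECTED = (4, 13, 20)
FIXED = (4, 13, 33)
THERMOSTAT_PORT = 8899


def parse_version(v: str) -> Tuple[int, ...]:
    """'v4.13.20' or '4.13.20' -> (4, 13, 20) for tuple comparison."""
    return tuple(int(p) for p in v.strip().lstrip("vV").split("."))


def is_affected_version(v: str) -> bool:
    """True when the version is in [4.13.20, 4.13.33)."""
    return FIRST_AFFECTED <= parse_version(v) < FIXED


def find_8899_connections(lines: List[str], thermostat_ip: str) -> List[Dict]:
    """Return records that reach the thermostat on TCP 8899.
    Malformed records are skipped rather than raising."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, sport, dst, dport, proto = parts
        if proto.lower() == "tcp" and dst == thermostat_ip and dport == str(THERMOSTAT_PORT):
            hits.append({"ts": ts, "src": src, "sport": int(sport)})
    return hits


# Constructed sample records: two benign flows, one LAN host hitting 8899,
# and one malformed line to exercise the skip path.
SAMPLE_LOG = [
    "1704790000.1 192.168.1.20 51000 192.168.1.50 443 tcp",
    "1704790001.2 192.168.1.50 49152 203.0.113.10 443 tcp",
    "1704790002.3 192.168.1.77 43210 192.168.1.50 8899 tcp",
    "garbage line",
]

if __name__ == "__main__":
    print("affected:", is_affected_version("4.13.25"), is_affected_version("4.13.33"))
    print("port 8899 hits:", find_8899_connections(SAMPLE_LOG, "192.168.1.50"))
```

Replace SAMPLE_LOG with records exported from your own router or network monitor in the same six-field shape, and use the thermostat's actual LAN address.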