
When is the IoT industry going to get smart on security?
you forgot the joke icon
FTFY
That shiny Internet of Things thermostat might look oh-so cool on the wall, but new research from Cisco shows it could be harboring a whole host of ugly malware. Back in April 2014, the Cisco Talos security team alerted Trane that its Wi-Fi-connected ComfortLink II thermostat had some serious security flaws. The most egregious …
One reason that the IT industry is so tardy at fixing potential problems is that until they turn into live issues - with actual exploits that affect real users, there are always more pressing (if not more important) things to focus the available talent on.
So if people want to promote IT security they need to not just wave their arms about potential security holes, but to tell people how many actual incidents of exploits are affecting¹ real customers, NOW.
It's also worth noting that customers / users are just as bad. They don't install available fixes until after the "horse has bolted". So unless fixes are forcibly pushed down - an extremely risky strategy: just ask Apple or Microsoft - it's left up to an equally resistant user population to act on patches and fixes.
[1] and "affecting" means: dickin' with their IoT stuff. Not just ssh-ing in and having a poke around, but turning the thermostat up to boiling point or having other material effects on the users' lives. Without that sort of information, it's still just a theoretical threat that they won't take seriously.
Not until the technology is built out and very entrenched in our homes and businesses. Once IoT malware starts costing somebody who matters some money then, and not before, will the serious handwringing ensue. At that point patch after patch will be released to keep devices secure but to little avail as an unknowable multitude of vulnerabilities will have already been baked in, since developers and manufacturers were racing to get their IoT devices out quickly and cheaply.
Isn't this how tech is supposed to work?
"When is the IoT industry going to get smart on security?"
Probably when someone dies or has their life directly threatened by IoT tech.
Put it this way. The Internet of Things is a lot like the shoe-fitting x-ray machine, radium clock and watch faces, or thalidomide.
Just spent the last 3 days patching... about 400 machines in now. Me and a bunch of guys on Experts Exchange wrote a script that you might find handy; it sure does speed things up.
Link to the thread is here:
http://www.experts-exchange.com/questions/28923876/prevent-win-10-recomended-upgrade-tuesday-9th-feb.html#a41454272
@echo off
REM Re-launch in a maximised console window, then leave the original instance.
if not "%1" == "max" start /MAX cmd /c %0 max & exit /b

REM Admin check: "net session" only succeeds from an elevated prompt.
net session >nul 2>&1
if %errorLevel% == 0 (
REM Policy values that switch off GWX, the Get Windows 10 app, and the OS upgrade offer.
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx" /v DisableGWX /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableOSUpgrade /t REG_DWORD /d 1 /f
REM Windows Update state: no upgrade reservation and no "recommended" updates.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /v AllowOSUpgrade /t REG_DWORD /d 0 /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /v ReservationsAllowed /t REG_DWORD /d 0 /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v IncludeRecommendedUpdates /t REG_DWORD /d 0 /f
echo.
echo should have 5 successful statements above
echo.
echo.
REM Kill the GWX process if it is running; TASKKILL reports an error when it is not.
TASKKILL /IM GWX.exe /T /F
echo.
echo don't worry if you get ERROR GWX.exe failed, it doesn't matter
echo.
echo.
echo please wait until you see the FINISHED statement this may take 10 seconds or 20 minutes
echo.
echo.
REM Remove the GWX-related updates. Each KB is attempted twice because
REM KB2952664 was seen to survive a single removal attempt.
echo step 1 of 6 - PLEASE WAIT
@echo on
start /wait wusa /uninstall /kb:3035583 /quiet /norestart /log
@echo off
echo step 2 of 6 - PLEASE WAIT don't touch anything
@echo on
start /wait wusa /uninstall /kb:3035583 /quiet /norestart /log
@echo off
echo step 3 of 6 - PLEASE WAIT don't touch anything
@echo on
start /wait wusa /uninstall /kb:2952664 /quiet /norestart /log
@echo off
echo step 4 of 6 - PLEASE WAIT don't touch anything
@echo on
start /wait wusa /uninstall /kb:2952664 /quiet /norestart /log
@echo off
echo step 5 of 6 - PLEASE WAIT don't touch anything
@echo on
start /wait wusa /uninstall /kb:2976978 /quiet /norestart /log
@echo off
echo step 6 of 6 - PLEASE WAIT don't touch anything
@echo on
start /wait wusa /uninstall /kb:2976978 /quiet /norestart /log
@echo off
echo.
echo.
echo FINISHED!
echo NOW press any key to reboot your computer
echo.
pause
shutdown.exe /r /t 005
) else (
echo.
echo.
echo Failure: THIS HAS NOT WORKED.
echo PLEASE RUN THIS AGAIN AS AN ADMINISTRATOR. press any key to exit
pause
exit
)
pause >nul
"Er... is there a reason you're removing kb2952664 twice"
Probably. When doing manual removal, I noticed that KB2952664 didn't disappear on the first attempt. Can't tell whether it always behaves like that. This KB was re-issued at some point, so it may have been an update on top of the similarly named update.
Who the fuck needs to adjust their thermostat when they aren't in their fucking house? It's like being able to check the tread depth on your tyres whilst you are on holiday.
That's what a timer is for, dickheads!
The only viable smart feature I want from my heating system is zoning. But I'm about to move so I'm not going to shell out for it.
With Hive you can control your heating from your phone...... when would I ever want to do that?
"What if you work irregular hours and don't live your life to a schedule? Meaning you have no F'n clue when you're in or out of your house?"
Didn't you know that you are supposed to have a spouse or partner at home at all times?
After all, the Gas, Electrickery, BT and a host of delivery companies clearly think so when all you can get out of them is AM or PM for an appointment.
Can't. Don't stay home long enough (and don't have enough in the budget) to justify it staying a certain temperature when I'm not around (BTW, many people with irregular schedules also tend to be single, as (potential) spouses tend to get aggravated over such schedules). And since it takes time to get the place warmed up, the ideal solution MUST be one I can trigger when I'm not at home but on the way (which can literally be any time at all, so no scheduling system on Earth would be able to keep up).
I consider myself to be an average-ish punter who is IT-curious.
not even mid-range but of the lower orders but who answers the 'your computer has a fault' calls with 'Which one -- can you tell me the IP and MAC address so I can check?' (not that I know much but they tend to bugger off)
Reading the Reg has opened my eyes to the absolute dog's breakfast that is the internet and also the 'must have's'.
I'm average but a suspicious bastard as well.
The answer is, while there are no legal sanctions for leaking customer data, never. People with a defective understanding of writing secure code, cobbling together firmware from bits of other people's code, doesn't exactly lead to security by design. Once the thing is up-and-running, you then have to spend the same amount of time testing for vulnerabilities.
Or, while they can pull in the dosh and no-one is asking questions, only going for the shiny-shiny.
They will not give a toss as they need to chuck out more shiny-shiny for those instant profits.
Not until the lawsuits find the companies liable -- so, about three years?
First the heat goes up, then the AC goes down,
Circulate the air all around.
Give us a natural gas flare
to help us singe our hair.
Then a pilot light flame out,
Who managed to mess up the thermocouple safety with that weird test function?
Whoops, there goes the house skyward taking us to perdition...
BOOOOM!
Either that or your "smart" fridge will notice that it's packed full of junk food and beer. It will ping the node in your bathroom scales that will confirm you've put on a couple of kg in the last month. Your intelligent doorbell will pass that on to your car, which will refuse to unlock the door in the morning, so you have to walk to work.
The toaster will order you a treadmill off Amazon and the TV won't work until your electricity monitor confirms you've done an hour's running each night.
And it'll be your waste-analysing lavatory that rats you to the DEA.
Never or until they get hit with Ford Pinto type liability lawsuit and lose.
'"The unfortunate truth is that few people think 'Hey! It's the first Monday of the month! I should check and see if my TV needs to be patched!'" said Alex Chiu, a threat researcher at Cisco Talos.' If the device cannot be easily patched (the description made my eyes roll), it will not get patched - ever. They will try to blame the user but it is really their sloppy code and generally crappy product that is the real problem.
The problem with this piece of junk and so many of the others boils down to the same basic issue - the barrier to entry is too low.
It used to be that getting hardware out the door was a slightly difficult process and you probably needed at least one person with a vague clue to be able to get anywhere.
Now you buy a cheap SoC and a reference design, push a Linux build through Yocto or whatever, chuck it at a Chinese contract manufacturer and *bang* you have your system. Minimal effort and minimal thought required. So if, for example, you want to chuck together an internet connected thermostat any half-educated student can manage to get something vaguely presentable without having to think about any of the details of the design, or an appropriate solution, or things like basic security.
And even worse than this some people are actually in a position where they believe the companies behind this crap have some sort of inherent value rather than just pushing out half finished versions of an easily duplicated idea for no profit.
There's probably a gap in the market for actual qualified engineers to get in and do things properly, but I doubt the market is there to drive the volume to make the financials work for a real business. So I guess people will have to continue to put up with junk knocked together by muppets in a small rented office in a suitably fashionable area.
"There's probably a gap in the market for actual qualified engineers to get in and do things properly"
You mean like some of those recent smartphone security oriented startups that were allegedly built on the premise of doing it right, only to be proven just as pwnable as the rest...? Yup, that'll do it...
General purpose computing.
It's honestly the biggest problem in security. The fact that these devices CAN run any program, can do anything they're programmed to do, etc. is their biggest security hole.
When you have a washing machine with an electronic timer... it can time. That's it. It can click round and do what it's been told to do. The capability to go out to the net, or whatever, isn't there, so it can't be abused.
With a thermostat, it can have a temperature and click on and off a relay. That's all it needs to do. As such, if it goes wrong the worst is that the heating goes on or off.
But general purpose computers in a thermostat (like in ATMs and anything else nowadays) mean that they can be abused to do all kinds of things that have nothing to do with turning your heating on and off. It doesn't mean the old ones can't be compromised, but because their range of physical effects is so damn small (turn the heating on, dispense cash - still serious, but nowhere near as serious as access to the banking network to roll back transactions like a recent article I read somewhere!), they are relatively safe.
The biggest problem we have is people putting general purpose processors and even operating systems (ATMs running on Windows, etc.) into things that really don't need them. And there's NO WAY to limit what that processor does. All the containerisation, virtualisation and abstraction in the world hasn't proved enough to actually stop things like hypervisor exploits and so on.
The ubiquity of general purpose computing - where it's easier to slap in a Raspberry Pi or Windows PC instead of a purpose-built circuit - is really the biggest security issue we have.
Manufacturers are not interested in supporting products. You are lucky if you get a firmware update out of them so the products are half working to spec, let alone security updates. Even high end manufacturers like Panasonic churn out TVs which advertised web features which never materialised and they just stopped updating after a year. The only thing that will fix this is regulations from Europe mandating security updates and product support for a certain time after product sale. It has to happen eventually, but as usual these things are only tackled after being ignored until there is a major disaster and a backlash. The VW scandal is another example of major known product issues being ignored until the whole thing blew up and the media finally caught on. Until this happens with IoT malware, it is not sexy enough for the media to take notice.
" Even high end manufacturers like Panasonic churn out TVs which advertised web features which never materialised and they just stopped updating after a year."
There's a term for what you describe: planned obsolescence. And there's very little governments can do about it because manufacturers in this regard can behave as a cartel. The moment the EU tries to force some kind of support contract beyond what's there now, they'll probably counter with a threat to pack up and move back to Asia and leave everyone with their obsolete stuff as fiduciary duty will say it's cheaper to shut down and pack up than to comply with such laws.
How can they block ssh when it's an encrypted protocol? Sure, they can block the standard port, but what's to stop a connection to a nonstandard port, or a pushed connection initiated by the device? As for why invade a thermostat, it becomes a beachhead or hideout point for the crooks: like those malwares that keep copies of themselves strewn about. Even if the WiFi is changed out, they can use the hideout as a way to establish a new link and just pwn you all over again.
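As an added example (not part of the thread or any product mentioned in it), the defensive answer to the point above: rather than blocking the SSH port, give each IoT device a per-device egress allowlist and look for a regular call-home cadence, run here over a constructed flow log. The segment, device addresses, hostnames and allowlist are all made up.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory (not from the thread): IoT segment and expected destinations.
IOT_SEGMENT = ip_network("192.168.50.0/24")
EXPECTED = {
    "192.168.50.10": {"thermostat-cloud.example.net", "pool.ntp.org"},
    "192.168.50.11": {"tv-updates.example.com", "pool.ntp.org"},
}

# Constructed egress flow log: (epoch seconds, src ip, dst host, dst port, proto).
FLOWS = [
    (1000, "192.168.50.10", "thermostat-cloud.example.net", 443, "tcp"),
    (1060, "192.168.50.10", "203.0.113.7", 8443, "tcp"),
    (1360, "192.168.50.10", "203.0.113.7", 8443, "tcp"),
    (1660, "192.168.50.10", "203.0.113.7", 8443, "tcp"),
    (1700, "192.168.50.11", "tv-updates.example.com", 443, "tcp"),
    (1800, "192.168.1.20", "203.0.113.7", 22, "tcp"),  # laptop, not in the IoT segment
]

def unexpected_egress(flows, expected=EXPECTED, segment=IOT_SEGMENT):
    """Flows from IoT devices to destinations outside their allowlist.
    The port is deliberately ignored: a device-initiated connection on 8443
    is as much a policy violation as one on 22, so a port-22 block alone
    would catch nothing here."""
    hits = []
    for ts, src, dst, port, proto in flows:
        if ip_address(src) not in segment:
            continue  # not an IoT device; out of scope for this check
        if dst not in expected.get(src, set()):
            hits.append((ts, src, dst, port, proto))
    return hits

def beacon_intervals(hits, tolerance=5):
    """Map (src, dst) pairs to their repeat interval when flagged flows recur
    at a near-constant cadence, the signature of a device phoning home."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _proto in hits:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance:
            beacons[pair] = gaps[0]
    return beacons

if __name__ == "__main__":
    flagged = unexpected_egress(FLOWS)
    print(flagged, beacon_intervals(flagged))
```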