Serious Vulnerability Spotted In Bosch Thermostat

Researchers spotted a severe security vulnerability in the Bosch thermostat that exposed users to privacy risks. Exploiting the flaw allowed malware to be installed on target devices.

Bosch Thermostat Vulnerability Risked Users’ Security

According to a recent post from Bitdefender, their researchers discovered a significant security vulnerability affecting Bosch thermostat models.

Identified as CVE-2023-49722, the flaw stems from how the device's two microcontrollers are wired together. As Bitdefender explained, the thermostat contains a Hi-Flying chip, the HF-LPT230, which implements the Wi-Fi functionality, and an STMicroelectronics chip, the STM32F103, which implements the main logic but has no Wi-Fi capability of its own. The main controller therefore relies on the Hi-Flying chip for all network communication, and that dependency is what makes the vulnerability possible.

The Wi-Fi chip relays messages to the main controller over a UART data bus, and it also listens on TCP port 8899 on the LAN. Because traffic from the local network and traffic from the cloud reach the main controller over the same path, an adversary on the LAN can inject commands and execute malicious actions. As stated in the post,

This means that, if formatted correctly, the microcontroller can’t distinguish malicious messages from genuine ones sent by the cloud server. This allows an attacker to send commands to the thermostat, including writing a malicious update to the device.

Pushing a malicious update to the target device is easy because communication between the thermostat and the server is unsecured.

The thermostat communicates with the connect.boschconnectedcontrol.com server through JSON-encoded payloads over a WebSocket. The packets sent by the server are unmasked, making them easy to imitate.
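To make the trust problem concrete, here is an added Python model (not Bosch's or Bitdefender's code) of a command dispatcher on the main controller: the vulnerable version accepts any well-formed command regardless of whether it arrived from the cloud channel or from LAN port 8899, while the hardened version only applies updates that come over the cloud channel and carry a valid MAC. The message fields, the channel labels and the signing key are assumptions for illustration, as is the signed-update scheme itself.

```python
import hashlib
import hmac
import json

# Constructed model: the Wi-Fi bridge forwards both cloud WebSocket traffic and
# anything received on LAN TCP port 8899 to the main controller over UART.
SOURCE_CLOUD = "cloud"   # WebSocket to connect.boschconnectedcontrol.com
SOURCE_LAN = "lan"       # TCP port 8899 on the local network

# Hypothetical per-device key that a hardened design would provision at
# manufacture so the controller can verify updates itself.
UPDATE_KEY = b"example-provisioned-key"


def make_msg(**fields):
    """Build a JSON command as the bridge would hand it to the controller."""
    return json.dumps(fields)


def sign_update(blob):
    """Model of how a legitimate server would MAC an update blob."""
    return hmac.new(UPDATE_KEY, blob.encode(), hashlib.sha256).hexdigest()


def vulnerable_dispatch(source, raw):
    """Vulnerable pattern: any correctly formatted command is trusted."""
    msg = json.loads(raw)
    if msg.get("cmd") == "update":
        return ("apply_update", msg["blob"])   # source is never consulted
    if msg.get("cmd") == "set_temp":
        return ("set_temp", msg["value"])
    return ("ignore", None)


def hardened_dispatch(source, raw):
    """Hardened pattern: origin check plus a MAC the controller verifies."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return ("reject", "malformed")
    cmd = msg.get("cmd")
    if cmd == "update":
        if source != SOURCE_CLOUD:
            return ("reject", "update from untrusted channel")
        # Cloud frames can be imitated, so origin alone is not enough;
        # the blob must also carry a MAC under the provisioned key.
        expected = sign_update(msg.get("blob", ""))
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return ("reject", "bad signature")
        return ("apply_update", msg["blob"])
    if cmd == "set_temp":
        value = msg.get("value")
        if isinstance(value, (int, float)) and 5 <= value <= 35:
            return ("set_temp", value)
        return ("reject", "bad value")
    return ("ignore", None)
```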

The researchers have also explained in their post how a potential adversary could deliver a malicious update to the target device. Once such an update is installed, the attackers could carry out any action they wish through the compromised IoT device, threatening users' privacy.

Bosch Patched The Flaw

Following the bug report, Bosch acknowledged the vulnerability and started working on a fix. Yet, their observations and the subsequent patches seemingly differ from what Bitdefender reported.

Specifically, the researchers listed the Bosch BCC100 thermostat (SW version 1.7.0 – HD Version 4.13.22) as the vulnerable device. Bosch's advisory, however, named the BCC101, BCC102, and BCC50 models as the vulnerable thermostats and stated explicitly that the BCC100 is not affected.

Consequently, the firm addressed the security issue (the open port 8899) with the Wi-Fi firmware 4.13.33 update, which closes port 8899. While the update should reach all eligible devices automatically, users should still check their thermostats for pending firmware updates to receive the patch in time.

Let us know your thoughts in the comments.


1 comment

Skakash January 21, 2024 - 1:54 pm
Heck
