Brother
Bitdefender warns of new risks for owners of IoT devices.
Bitdefender has identified a vulnerability in a widespread model of the Bosch BCC100 home Wi-Fi thermostat. This vulnerability allows attackers to remotely manipulate device settings, including temperature, as well as install malware.
All Internet of Things (IoT) devices, from coffee makers to security cameras, are potentially at risk of being hacked. The Bitdefender lab, which created the first cybersecurity hub for the smart home, regularly audits popular IoT equipment for vulnerabilities. Its latest research revealed vulnerabilities in the Bosch BCC100 thermostat affecting firmware version 1.7.0 - HD Version 4.13.22.
The vulnerability was discovered on August 29, 2023, but details were not released until January 11, 2024, when the company fixed it. CVE-2023-49722 allows attackers to replace the device firmware with a malicious one and then use the compromised thermostat at their discretion, having gained full control over its functionality.
The BCC100 thermostat uses two microcontrollers: a Hi-Flying chip (HF-LPT230) for Wi-Fi functions and an STMicroelectronics chip (STM32F103) for the main logic of the device. The STM chip has no network capabilities and depends on the Wi-Fi chip for communication. The Wi-Fi chip listens on TCP port 8899 on the local network and directly transmits any received messages to the main microcontroller via the UART data bus.
Because any correctly formed message is forwarded as-is, the main microcontroller cannot distinguish malicious messages from genuine ones sent by the cloud server. Attackers can use this to send arbitrary commands to the thermostat, including malicious updates.
The thermostat communicates with "connect.boschconnectedcontrol[.]com" using JSON packets over WebSocket, which are easy to fake. Sending the "device/update" command on port 8899 causes the thermostat to request update information from the cloud server.
Although the cloud server answers with an error code, the device still accepts a fake response containing update details, including an arbitrary URL, size, MD5 checksum, and firmware version. The device then asks the cloud server to download the firmware and deliver it over WebSocket, checking only that the specified URL is reachable. After receiving the file, the device performs the update, completing the compromise.
To avoid possible risks, users are advised to follow basic security measures, including regularly updating the thermostat firmware, changing the default administrative password, avoiding unnecessary exposure of the thermostat to the Internet, and using a firewall to block access from unauthorized devices.
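The update flow described above, as an added example that is not from the article, Bitdefender or Bosch: a Python model of a device-side update acceptor, with the permissive behaviour the article describes (origin and error code ignored, self-declared MD5 as the only check) beside a hardened version. The vendor key, the allowlisted download host and the HMAC-SHA256 scheme are constructed assumptions for illustration; a real device would verify an asymmetric signature with a key held in ROM.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed demo key; a real device would hold a vendor public key in ROM.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"
TRUSTED_UPDATE_HOSTS = {"updates.example.invalid"}  # constructed allowlist

def _canonical(fields: dict) -> bytes:
    """Canonical JSON over every manifest field except the signature itself."""
    body = {k: fields[k] for k in sorted(fields) if k != "sig"}
    return json.dumps(body, separators=(",", ":")).encode()

def sign_manifest(url: str, version: str, firmware: bytes, code: int = 0) -> bytes:
    """Vendor side: describe the image and attach an HMAC-SHA256 tag."""
    fields = {"code": code, "url": url, "version": version,
              "size": len(firmware), "sha256": hashlib.sha256(firmware).hexdigest()}
    fields["sig"] = hmac.new(VENDOR_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return json.dumps(fields).encode()

def vulnerable_accept(manifest_json: bytes, firmware: bytes) -> bool:
    """Models the flaw described above: the manifest's origin and error code
    are ignored, and a self-declared MD5 is the only check on the image."""
    m = json.loads(manifest_json)
    return hashlib.md5(firmware).hexdigest() == m["md5"]

def hardened_accept(manifest_json: bytes, firmware: bytes, source: str):
    """Device side; returns (accepted, reason) and performs every check the
    vulnerable path skips: channel, error code, signature, URL, size, digest."""
    if source != "cloud":
        return False, "manifest did not arrive over the authenticated cloud channel"
    m = json.loads(manifest_json)
    if m.get("code", 0) != 0:
        return False, f"server reported error code {m['code']}"
    for key in ("url", "version", "size", "sha256", "sig"):
        if key not in m:
            return False, f"manifest missing field {key!r}"
    tag = hmac.new(VENDOR_KEY, _canonical(m), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, m["sig"]):
        return False, "manifest signature invalid"
    u = urlparse(m["url"])
    if u.scheme != "https" or u.hostname not in TRUSTED_UPDATE_HOSTS:
        return False, "download URL outside the vendor allowlist"
    if len(firmware) != m["size"]:
        return False, "firmware size mismatch"
    if hashlib.sha256(firmware).hexdigest() != m["sha256"]:
        return False, "firmware digest mismatch"
    return True, "ok"
```

The same signed manifest is rejected when it arrives over the local TCP channel instead of the cloud session, which is the distinction the article says the BCC100 does not make.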
It is noteworthy that just last week, specialists from another information security company revealed details about a number of vulnerabilities in another Bosch product, a networked industrial wrench widely used in various industries. Exploiting these vulnerabilities could lead to a complete shutdown of production, as well as damage to expensive equipment.
Such studies once again remind us that even seemingly harmless smart devices with Internet access can pose very specific security risks for their users.
As the smart device market grows, manufacturers must prioritize security and ensure a secure and reliable connection environment, and users must be responsible for regular updates and follow other recommendations from manufacturers.