A critical vulnerability has been discovered in the widely used, Web-connected Bosch BCC100 thermostat, which is a popular device in hospitality environments.
Exploiting this flaw could lead to local unauthorized access, enabling attackers to infiltrate the user's network.
According to a Bitdefender report published last week, the vulnerability, which affects software versions 1.7.0 through HD Version 4.13.22, lies in the device's Wi-Fi microcontroller and allows an attacker to execute malicious commands on the thermostat.
A thermostat compromised in this way would still be hanging on the wall, but its user would no longer be able to change the temperature or the operating mode.
A Range of Possible Smart Thermostat Attacks
There are other possible attacks.
An attacker could plant a backdoor in the thermostat's original operating system, connect to the network from the outside, and control both the device and its HVAC commands.
In the worst-case scenario, an attacker could replace the original firmware with a Linux distribution of their choice and use this newly acquired foothold into the network to sniff traffic or pivot on other devices.
Bitdefender's Bogdan Botezatu says that to prevent attacks, firmware updates should be installed as they become available; this is important because vendors constantly work with security researchers to identify and fix vulnerabilities in their products.
He adds that customers or guests should not be allowed to scan the Internet of Things network or interact with these IoT devices in any way, as they might attempt to run port scans and known exploits to subvert potentially vulnerable devices.
IoT Attacks Rising as Vulnerabilities Exposed
IoT attacks are on the rise as smart devices see increased adoption and manufacturers focus on bringing smart products to market.
In December, dozens of patches were issued for Apple's popular smartwatches and Apple TVs, while Hikvision intercoms, used in thousands of apartments and offices across the world, were found to be susceptible to spyware.
In March 2023, researchers discovered major security vulnerabilities in video-enabled smart intercoms made by Chinese company Akuvox, allowing audio and video spying.
He says this is why both the EU and the US are working to pass regulations that call for cybersecurity certifications for Internet-connected devices.
He adds that the best way to protect gadgets against known and unknown threats is through security solutions deployed at the router or gateway level.
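The two pieces of advice above, keeping guests off the IoT segment and watching traffic at the gateway, can be combined into a small check at the router. The following is an added example written for this page; it is not code from the article, from Bitdefender, or from Bosch. It reads iptables/nftables-style LOG lines, treats every connection attempt from an assumed guest subnet (10.20.0.0/24) to an assumed IoT subnet (10.30.0.0/24) as a segmentation violation, and raises a port-scan alert when one source touches five or more distinct destination ports on one device within sixty seconds. The subnets, thresholds, log format and the sample log lines are all constructed for the illustration.

```python
"""Flag guest hosts probing an IoT segment from firewall LOG lines.

Added example, not from the Dark Reading article or the Bitdefender report.
Assumed: iptables/nftables-style LOG lines with an ISO timestamp first and
SRC=/DST=/DPT= fields; guest and IoT subnets as constants below.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

GUEST_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed guest Wi-Fi segment
IOT_NET = ipaddress.ip_network("10.30.0.0/24")    # assumed thermostat/IoT segment
SCAN_PORTS = 5                    # distinct ports from one source within the window
SCAN_WINDOW = timedelta(seconds=60)

# Timestamp first, then the usual kernel LOG key=value fields (assumed format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+.*SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+.*DPT=(?P<dpt>\d+)"
)

# Constructed sample: one guest host walks five ports on a thermostat within
# a minute, a second guest makes a single request, the thermostat itself
# talks outbound, and one line is unparseable noise.
SAMPLE_LOG = [
    "2024-01-16T20:00:01 fw kernel: IOT-IN IN=eth1 OUT=eth2 SRC=10.20.0.50 DST=10.30.0.10 PROTO=TCP SPT=41000 DPT=22",
    "2024-01-16T20:00:02 fw kernel: IOT-IN IN=eth1 OUT=eth2 SRC=10.20.0.50 DST=10.30.0.10 PROTO=TCP SPT=41001 DPT=23",
    "2024-01-16T20:00:03 fw kernel: IOT-IN IN=eth1 OUT=eth2 SRC=10.20.0.50 DST=10.30.0.10 PROTO=TCP SPT=41002 DPT=80",
    "2024-01-16T20:00:04 fw kernel: IOT-IN IN=eth1 OUT=eth2 SRC=10.20.0.50 DST=10.30.0.10 PROTO=TCP SPT=41003 DPT=443",
    "2024-01-16T20:00:05 fw kernel: IOT-IN IN=eth1 OUT=eth2 SRC=10.20.0.50 DST=10.30.0.10 PROTO=TCP SPT=41004 DPT=8080",
    "2024-01-16T20:00:10 fw kernel: IOT-IN IN=eth1 OUT=eth2 SRC=10.20.0.51 DST=10.30.0.10 PROTO=TCP SPT=50000 DPT=80",
    "2024-01-16T20:03:00 fw kernel: IOT-IN IN=eth1 OUT=eth2 SRC=10.20.0.50 DST=10.30.0.10 PROTO=TCP SPT=41005 DPT=8443",
    "2024-01-16T20:05:00 fw kernel: IOT-OUT IN=eth2 OUT=eth0 SRC=10.30.0.10 DST=203.0.113.5 PROTO=TCP SPT=33000 DPT=443",
    "this line is not a firewall log entry",
]


def parse_line(line):
    """Return a dict with ts/src/dst/dpt, or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dpt": int(m["dpt"]),
    }


def analyse(lines):
    """Return (violations, scans).

    violations: every guest->IoT attempt as (src, dst, dport).
    scans: one (src, dst, sorted_ports) per pair that hit SCAN_PORTS distinct
           ports inside SCAN_WINDOW; alerted at most once per pair.
    """
    violations = []
    scans = []
    history = defaultdict(list)  # (src, dst) -> [(ts, dport), ...] within window
    alerted = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["src"] in GUEST_NET and ev["dst"] in IOT_NET:
            violations.append((str(ev["src"]), str(ev["dst"]), ev["dpt"]))
        key = (ev["src"], ev["dst"])
        hist = history[key]
        hist.append((ev["ts"], ev["dpt"]))
        cutoff = ev["ts"] - SCAN_WINDOW
        hist[:] = [(t, p) for t, p in hist if t >= cutoff]  # drop stale entries
        ports = {p for _, p in hist}
        if len(ports) >= SCAN_PORTS and key not in alerted:
            alerted.add(key)
            scans.append((str(key[0]), str(key[1]), sorted(ports)))
    return violations, scans


if __name__ == "__main__":
    v, s = analyse(SAMPLE_LOG)
    for src, dst, dport in v:
        print(f"segmentation violation: {src} -> {dst}:{dport}")
    for src, dst, ports in s:
        print(f"port scan: {src} -> {dst} ports {ports}")
```

On a real gateway the lines would come from the kernel log (or from a flow exporter) rather than a list, and the guest-to-IoT rule should of course be a firewall drop, not only an alert; the detector is there to notice the attempts that the drop rule logs. The window pruning matters: the same guest host reappearing three minutes later on a single new port is recorded as a violation but does not re-trigger the scan alert.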
This Cyber News was published on www.darkreading.com. Publication date: Tue, 16 Jan 2024 20:00:18 +0000