CyberSecurityBoard
Sponsor Register Login

Vulnerability Puts Bosch Smart Thermostats at Risk of Compromise

A vulnerability has been discovered in a popular Bosch smart thermostat, allowing potential attackers to send commands to the device and replace its firmware, according to Bitdefender.
The vulnerability impacts the Wi-Fi microcontroller that acts as a network gateway for the thermostat's logic microcontroller.
The Bosch smart thermostat products BCC101, BCC102 and BCC50, from version 4.13.20 until v4.13.33 are affected.
The vulnerability has been given a 'High' severity score.
Owners of the thermostat have been urged to update their thermostats to v4.13.33 to patch the flaw.
Bitdefender revealed it first informed Bosch of the vulnerability on August 29, 2023.
After being triaged and confirmed, Bosch deployed a fix in v4.13.33 in October 2023.
The vulnerability was then publicly disclosed on January 9, 2024.
The researchers said they discovered that the STM chip in one of the thermostat's two microcontrollers relies on the WiFi chip in the other microcontroller to communicate with the internet.
The WiFi chip also listens on TCP port 8899 on the LAN and will mirror any message received on that port directly to the main microcontroller.
This means that malicious commands can be sent to the thermostat which cannot be distinguished from genuine ones sent by the cloud server, such as writing an update to the device.
To begin the malicious update procedure, the researchers send the 'device/update' command on port 8899 to inform the device that a new update is available.
The device will then ask the cloud server for details about the update, which responds with an error code because no update is available.
The device will accept a forged response containing the update details: the URL where the firmware will be downloaded from, the size and MD5 checksum of the firmware file, and the version of the new firmware, which must be higher than the current one.
If all the conditions match, including an internet-accessible URL, the thermostat asks the cloud server to download the firmware and send it through the websocket.
The cloud will then perform the upgrade once it has received the file, causing the device to be totally compromised.
The patch update published by Bosch works by closing the port 8899.


This Cyber News was published on www.infosecurity-magazine.com. Publication date: Fri, 12 Jan 2024 10:05:05 +0000


Cyber News related to Vulnerability Puts Bosch Smart Thermostats at Risk of Compromise

Smart Thermostats: Savings and Comfort at Your Fingertips - Smart thermostats offer a modern approach to home temperature control that can provide significant energy savings and enhanced comfort. Smart thermostats offer cost effectiveness, improved indoor air quality, enhanced comfort and convenience, and ...
1 year ago Securityzap.com Meow
Vulnerability Puts Bosch Smart Thermostats at Risk of Compromise - A vulnerability has been discovered in a popular Bosch smart thermostat, allowing potential attackers to send commands to the device and replace its firmware, according to Bitdefender. The vulnerability impacts the Wi-Fi microcontroller that acts as ...
1 year ago Infosecurity-magazine.com
Cybersecurity In Critical Infrastructure: Protecting Power Grids and Smart Grids - Cyber Defense Magazine - Network Intrusion: Network communication systems of power and smart grids can be intruded through weak security configurations like default password, unsecured remote access, or unpatched systems and other vulnerabilities to gain control into the ...
6 months ago Cyberdefensemagazine.com
Master Security by Building on Compliance with A Risk-Centric Approach - In recent years, a confluence of circumstances has led to a sharp rise in IT risk for many organizations. That's why a proactive approach to seeing, understanding, and acting on risk is key to improving the effectiveness of defenses in place to meet ...
1 year ago Cyberdefensemagazine.com
16 top ERM software vendors to consider in 2024 - Enterprise risk management software helps organizations identify, mitigate and remediate business risks, which can lead to improved business performance. The risk management market is rapidly evolving from separate tools across different risk domains ...
1 year ago Techtarget.com
Creating a Smart Home Ecosystem: Seamless Connectivity - Like a finely tuned symphony, creating a smart home ecosystem has the potential to bring harmony and convenience to everyday life. Establishing an interconnected network of digital devices to enable user-controlled automation of various household ...
1 year ago Securityzap.com Meow
Smart Home Technology: Your Gateway to Modern Living - Smart home technology offers homeowners an array of benefits, from increased convenience and comfort to enhanced safety and energy savings. Smart home technology offers convenience, comfort, safety, and energy savings. Smart home technology provides ...
1 year ago Securityzap.com Meow
ProcessUnity Introduces Industry's All-In-One Third-Party Risk Management Platform - PRESS RELEASE. BOSTON-(BUSINESS WIRE)- ProcessUnity, provider of comprehensive end-to-end third-party risk management and cybersecurity solutions to leading enterprises, today announced the completed integration of the Global Risk Exchange. The newly ...
1 year ago Darkreading.com
Choosing the Perfect Smart Lock for Your Home Security - Installing a smart lock on your home is like building a wall of protection around it. In this article, we will explore the benefits of using smart locks, different types of technology available, security features offered, factors to consider when ...
1 year ago Securityzap.com Meow
Key elements for a successful cyber risk management strategy - In this Help Net Security interview, Yoav Nathaniel, CEO at Silk Security, discusses the evolution of cyber risk management strategies and practices, uncovering common mistakes and highlighting key components for successful risk resolution. Nathaniel ...
1 year ago Helpnetsecurity.com
A Cybersecurity Risk Assessment Guide for Leaders - Now more than ever, keeping your cyber risk in check is crucial. In the first half of 2022's Cyber Risk Index, 85% of the survey's 4,100 global respondents said it's somewhat to very likely they will experience a cyber attack in the next 12 months. ...
2 years ago Trendmicro.com
Key Takeaways from the Gartner® Market Guide for Insider Risk Management - Insider risk incidents are on the rise and becoming more costly to contain. As a result, earlier this year, Gartner predicted that 50% of all medium to large enterprises would adopt insider risk programs. The report reveals several key findings about ...
1 year ago Securityboulevard.com
Smart Home Security Essentials: Protecting What Matters Most - Smart home security systems provide homeowners with the ability to keep their personal and property safe from intruders, theft, and other potential threats. This article will discuss different types of smart home security systems, benefits, setting ...
1 year ago Securityzap.com Meow
A Plan to Protect Critical Infrastructure from 21st Century Threats - On April 30th, the White House released National Security Memorandum-22 on Critical Infrastructure Security and Resilience, which updates national policy on how the U.S. government protects and secures critical infrastructure from cyber and ...
10 months ago Cisa.gov
Three Things to Know About the New SEC Rules on Sharing Information and Breach Disclosure Deadlines - Recently, the Securities and Exchange Commission adopted rules about the handling and reporting of cyber risks and breaches. With these new guidelines and regulations, public companies and organizations must disclose cybersecurity incidents ...
1 year ago Cyberdefensemagazine.com
CVE-2024-35292 - A vulnerability has been identified in SIMATIC S7-200 SMART CPU CR40 (6ES7288-1CR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU CR60 (6ES7288-1CR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA0) (All versions), SIMATIC ...
9 months ago Tenable.com
CVE-2024-43647 - A vulnerability has been identified in SIMATIC S7-200 SMART CPU CR40 (6ES7288-1CR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU CR60 (6ES7288-1CR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA0) (All versions), SIMATIC ...
7 months ago
How to Complete an IT Risk Assessment - An effective security strategy needs to put managing risk at the heart of its approach. An IT risk assessment process is used by organizations to identify and prioritize the most pressing risks to their IT environment. Naturally, it focuses on IT ...
1 year ago Heimdalsecurity.com
Critical Start Implements Cyber Risk Assessments With Peer Benchmarking and Prioritization Engine - PRESS RELEASE. PLANO, Texas, Jan. 11, 2024 /PRNewswire/ - Today, Critical Start, a leading provider of Managed Detection and Response cybersecurity solutions and pioneer of Managed Cyber Risk Reduction, announced general availability of Critical ...
1 year ago Darkreading.com
Third-Party Security Assessments: Vendor Risk Management - As businesses rely more heavily on external vendors to provide critical services and support, the importance of effective vendor risk management strategies becomes paramount. This article explores the significance of third-party security assessments, ...
1 year ago Securityzap.com
CVE-2019-13945 - A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family < V4.x (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family V4.x (incl. SIPLUS variants) (All ...
4 years ago
What Are the 6 Types of Risk Assessment and How Do They Work? - Risk assessment is a tool used to help quantify potential risks in a certain situation. It can be used in many different scenarios, including business operations, financial decisions, and also cybersecurity. A risk assessment helps you identify areas ...
2 years ago Thehackernews.com
How to Do a Risk Analysis Service in a Software Project - Software projects are vulnerable to countless attacks, from the leak of confidential data to exposure to computer viruses, so any development team must work on an effective risk analysis that exposes any vulnerabilities in the software product. A ...
1 year ago Feeds.dzone.com
The ONE Thing All Modern SaaS Risk Management Programs Do - Reducing SaaS risk is, without a doubt, a difficult challenge. Gaining visibility into all the SaaS apps used across an enterprise is hard enough, but it becomes an even greater challenge when only a portion of the apps go through the company's ...
11 months ago Securityboulevard.com
Attackers could use vulnerabilities in Bosch Rexroth nutrunners to disrupt automotive production - Covertly tampering with tightening programs also carries potential health and safety risks: As the recent in-flight emergency involving a Boeing 737 Max 9 plane operated by Alaska Airlines has shown, inadequately tightened bolts can lead to extremely ...
1 year ago Helpnetsecurity.com CVE-2023-48257

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)