A vulnerability has been discovered in a popular Bosch smart thermostat, allowing potential attackers to send commands to the device and replace its firmware, according to Bitdefender.
The vulnerability impacts the Wi-Fi microcontroller that acts as a network gateway for the thermostat’s logic microcontroller.
The Bosch smart thermostat products BCC101, BCC102 and BCC50, from version 4.13.20 until v4.13.33 are affected. The vulnerability (CVE-2023-49722) has been given a ‘High’ severity score.
Owners of the thermostat have been urged to update their thermostats to v4.13.33 to patch the flaw.
Bitdefender revealed it first informed Bosch of the vulnerability on August 29, 2023. After being triaged and confirmed, Bosch deployed a fix in v4.13.33 in October 2023.
The vulnerability was then publicly disclosed on January 9, 2024.
How the Vulnerability Works
The researchers said they discovered that the STM chip in one of the thermostat’s two microcontrollers relies on the WiFi chip in the other microcontroller to communicate with the internet.
The WiFi chip also listens on TCP port 8899 on the LAN and will mirror any message received on that port directly to the main microcontroller.
This means that malicious commands can be sent to the thermostat which cannot be distinguished from genuine ones sent by the cloud server, such as writing an update to the device.
To begin the malicious update procedure, the researchers send the ‘device/update’ command on port 8899 to inform the device that a new update is available.
The device will then ask the cloud server for details about the update, which responds with an error code because no update is available.
However, the device will accept a forged response containing the update details: the URL where the firmware will be downloaded from, the size and MD5 checksum of the firmware file, and the version of the new firmware, which must be higher than the current one.
If all the conditions match, including an internet-accessible URL, the thermostat asks the cloud server to download the firmware and send it through the websocket.
The cloud will then perform the upgrade once it has received the file, causing the device to be totally compromised.
The patch update published by Bosch works by closing the port 8899.
Advice for IoT Device Owners
Bitdefender set out the following advice for consumers to reduce the risk of their home IoT devices being exploited by cyber threat actors:
- Set up a dedicated network for IoT devices to isolate them as much as possible from the local network
- Use free tools to scan for connected devices on the network, and identify and highlight vulnerable ones
- Check for newer firmware and update devices as soon as the vendor releases new versions