Vulnerability puts Bosch smart thermostats at risk of compromise

esteria.white

A vulnerability has been discovered in a popular Bosch smart thermostat, allowing potential attackers to send commands to the device and overwrite its firmware, according to Bitdefender.

The vulnerability affects the Wi-Fi microcontroller which acts as a network gateway for the thermostat logic microcontroller.

Bosch smart thermostat products BCC101, BCC102 and BCC50, from version 4.13.20 to v4.13.33, are affected. The vulnerability (CVE-2023-49722) has been assigned a severity score of “High”.

Thermostat owners have been advised to update their thermostats to version 4.13.33 to fix the flaw.

Bitdefender revealed that it first informed Bosch about the vulnerability on August 29, 2023. After the report was triaged and confirmed, Bosch deployed a fix in v4.13.33 in October 2023.

The vulnerability was then publicly disclosed on January 9, 2024.

How the vulnerability works

The researchers said they discovered that the STM chip in one of the thermostat’s two microcontrollers relies on the WiFi chip in the other microcontroller to communicate with the Internet.

The WiFi chip also listens on TCP port 8899 of the LAN and will reflect any message received on this port directly to the main microcontroller.

This means that malicious commands can be sent to the thermostat that are indistinguishable from genuine commands sent by the cloud server, such as writing an update to the device.

To initiate the malicious update procedure, the researchers sent the “device/update” command on port 8899 to inform the device that a new update is available.

The device will then ask the cloud server for details about the update, which will respond with an error code as no update is available.

However, the device will accept a fake response containing the update details: the URL from which the firmware will be downloaded, the size and MD5 checksum of the firmware file, and the version of the new firmware, which must be greater than the current version.

If all conditions match, including an internet-accessible URL, the thermostat asks the cloud server to download the firmware and send it via the websocket.

The cloud will then perform the upgrade once it receives the file, completely compromising the device.

The patch update released by Bosch works by closing port 8899.

Tips for IoT device owners

Bitdefender provided the following advice to consumers to reduce the risk of their home IoT devices being exploited by cybercriminals:

  • Set up a dedicated network for IoT devices to isolate them as much as possible from the local network
  • Use free tools to scan the network for connected devices and identify and highlight the most vulnerable ones
  • Check for newer firmware and update devices as soon as the vendor releases new versions
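The two checks a defender actually needs here are a firmware-version comparison against the affected range and a confirmation that the update closed TCP port 8899. The following Python is an added example, not code from the article, Bitdefender or Bosch. It assumes the affected range runs from 4.13.20 up to but not including the fixed 4.13.33, takes the model list and port number from the article, and the `assess()`/`port_is_open()` helper names and the inventory entries are constructed for illustration.

```python
import socket

# Facts taken from the advisory as summarized in the article.
AFFECTED_MODELS = {"BCC101", "BCC102", "BCC50"}
FIRST_AFFECTED = (4, 13, 20)
FIXED_VERSION = (4, 13, 33)   # the fix ships in v4.13.33 (assumed not affected)
LEGACY_COMMAND_PORT = 8899    # TCP port the patch closes


def parse_version(text):
    """Turn '4.13.20' or 'v4.13.20' into a comparable tuple of ints."""
    cleaned = text.strip().lower().lstrip("v")
    parts = cleaned.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(model, version):
    """True if this model/firmware pair falls inside the vulnerable range."""
    if model.upper() not in AFFECTED_MODELS:
        return False
    return FIRST_AFFECTED <= parse_version(version) < FIXED_VERSION


def port_is_open(host, port=LEGACY_COMMAND_PORT, timeout=2.0):
    """TCP connect check against one known host; a patched device should not accept."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def assess(model, version, host=None):
    """Return a list of findings; an empty list means nothing to remediate.

    The live port check is only run when a host address is supplied, so the
    version logic can be exercised offline.
    """
    findings = []
    if is_affected(model, version):
        findings.append(
            f"{model} firmware {version} is in the affected range; update to 4.13.33"
        )
    if host is not None and port_is_open(host):
        findings.append(
            f"{host} still accepts TCP connections on port {LEGACY_COMMAND_PORT}"
        )
    return findings


if __name__ == "__main__":
    # Constructed inventory; replace with your own device list and addresses.
    inventory = [
        ("BCC101", "4.13.25", None),
        ("BCC50", "v4.13.33", None),
        ("BCC102", "4.13.19", None),
    ]
    for model, version, host in inventory:
        result = assess(model, version, host)
        status = "; ".join(result) if result else "no findings"
        print(f"{model} {version}: {status}")
```

Run the version check first across the inventory, then pass a host address only for devices you own and have just updated, to confirm the connect on port 8899 now fails.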