Security issue with Trane ComfortLink II thermostats highlights broader IoT security risk, says Cisco's Talos
Cisco's Talos Group has identified security vulnerabilities in commercial smart thermostats made by Trane that could enable an attacker to gain access to the entire network through the vulnerable devices.
Trane ComfortLink™ II XL950
Back in 2014, Cisco alerted Trane to three vulnerabilities in its ComfortLink II thermostats, which enable users to change the temperature in their building remotely using a smartphone, tablet or PC.
Exploiting these vulnerabilities, "an attacker could compromise the thermostat to conduct reconnaissance of the local network, launch both local and at-large attacks, or utilize the device as a platform for other malicious operations on the internet," explained Alex Chiu, a Talos researcher, in a blog post.
In April 2015, Trane patched two of these vulnerabilities as part of a standard update without providing customers any indication that the update was critical to their protection efforts, noted Chiu.
Just recently, the third vulnerability was patched, but because there was no disclosure, customers remain unaware of the security issue, he said.
Talos recommended that users of the Trane ComfortLink II thermostats update their firmware immediately.
Chiu stressed that the security issue with the Trane thermostats is part of a broader issue with the security of Internet of Things devices in general.
"Adversaries attacking the weakest link could exploit a vulnerable IoT device, then move laterally within an organization's network to conduct further attacks. Additionally, patching vulnerable devices can be complicated, if not impossible, for the average user or for those who are not technically savvy. For organizations that maintain large amounts of IoT devices on their network, there may not be a way to update a device that scales, creating a nightmare scenario," Chiu concluded.