Tuesday, August 9, 2016

Trane ComfortLink XL850 thermostats running firmware version 3.1 or lower are vulnerable to information disclosure and remote access due to a weak authentication mechanism and hardcoded credentials. The device uses a custom protocol and a predictable port number to administer remote access to virtually all of the device functions. When you combine hardcoded credentials with a network accessible port, you have a device ripe for attack from the network or even an attack from the Internet if the thermostat is exposed through the router.

Once an attacker has gained access they can quickly extract all information from the device including the home heating and cooling schedule, current operation mode, current temperature, chat and alarm history, serial number, active socket connections, trusted URLs, secret IDs, software version info and detailed address and installer information. These will allow attackers to perform a number of dangerous operations. This includes forcing the device to maintain the maximum heating setting or disabling the device continuously thereby overriding user input. Attackers can also remove and create trusted server connections permanently disconnecting the device from the corporate command and control servers.

Below shows the exploit that affect the device. The "Get Connected" banner at the top of the screen is a marketing prompt indicating that the device is not enrolled in any remote services or special features.

No comments: