BSI investigates the security of smart radiator thermostats

The BSI has taken a closer look at smart radiator thermostats. IT security is less of a priority in their development.


The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has taken a closer look at smart heating thermostats, in keeping with the season. The aim was to examine the IT security of the systems.

The BSI test field comprises ten different thermostats.

(Image: BSI)

First, the BSI explains in the analysis that smart home devices such as radiator thermostats have short development cycles, "in which IT security often takes a lower priority than other product features. This goes hand in hand with a lack of or inadequate security-by-design approaches", according to the authority. Many products therefore offer "no effective protection against hacker attacks".

Attackers could misuse compromised devices to access personal data or use them to carry out distributed denial-of-service (DDoS) attacks. Incorrect configurations can lead to information leaks even without malicious attackers. To motivate the manufacturers of such devices to take security-by-design and security-by-default into account during development, the BSI has conducted interviews with manufacturers and retailers in this regard. In addition, the IT security authority had a random sample of ten smart radiator thermostats technically inspected after creating a test plan for them. The devices themselves and the associated apps, i.e. their ecosystem, were analyzed. For any vulnerabilities found, the BSI strives for "cooperative collaboration" with the manufacturers and pursues a responsible disclosure policy.

The BSI monitored and analyzed the network traffic. It also subjected the apps to a static and dynamic analysis. The program also included a technical analysis of the circuit boards, microprocessors and communication on bus systems in the thermostats, for example.


The apps are all "not designed for high-security scenarios". Two manufacturers made a mistake with the data transmission of the iOS app: it was simply unencrypted. One iOS app had a cross-site scripting vulnerability. Certificate pinning does not usually take place, which makes man-in-the-middle attacks easier. None of the apps required biometric authentication, and three of the ten apps did not store tokens and access data in the secure keystore or keychain. Three products in the test are based on an OEM design, a Chinese white label. The apps are almost identical and only have replaced logos; the hardware housing of one product has been slightly modified. All three have a secret key that can be extracted and used to interact with the device via the network. The BSI criticized the fact that some apps use components that do not have buffer overflow protection activated.

The hardware test revealed that the debug interfaces of six test subjects were accessible. This made it quite easy to read out and even modify the firmware. The risk for end customers is manageable, but the BSI considers the manufacturer's intellectual property to be at risk. Here too, a manufacturer with "virtually unencrypted communication" was discovered, which transmitted all data in plain text over the network. The BSI found almost no security vulnerabilities relevant to consumers. Two test subjects downloaded firmware updates from the network via unencrypted channels and did not check the authenticity of the updates.

In conclusion, the BSI summarizes: "The analyses show that consumers are confronted with certain risks when using smart devices and their mobile apps. While most vulnerabilities do not pose an immediate threat, they can have serious consequences for privacy and security if they are actually exploited by attackers". However, manufacturers must continue to improve their security measures and implement established standards "to ensure a higher level of protection".

The 93-page PDF also provides manufacturers, retailers and other interested parties with numerous guidelines and tips on how they can implement better IT security during product development. The results are only included in anonymized form; specific vulnerabilities cannot be assigned to any manufacturer or product.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.