Cylncr, Feb 9
Trane thermostat is a hot spot for viruses on home networks:
Back in April 2014, Cisco's Talos security team alerted Trane that its Wi-Fi-connected ComfortLink II thermostat had some serious security flaws. The most egregious was a set of SSH passwords hardcoded into the device.
The SSH service is exposed to the network, meaning a nearby attacker who can get onto the gadget's Wi-Fi can use those credentials to log in and execute code on it. This design flaw is particularly bad news if the thermostat is reachable from the public internet, since anyone on the planet could then potentially infiltrate the gizmo.
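Hardcoded credentials of this kind are usually found by unpacking the firmware image and reading its password database. The following is an added example, not Talos's findings or Trane's code: a small C scanner that walks shadow-format lines and reports every account that could actually authenticate (a shipped hash or an empty password field), skipping locked accounts. The sample shadow text is constructed here with placeholder hashes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of what /etc/shadow pulled out of an IoT firmware
 * image might look like.  The hashes are placeholders, not real secrets. */
static const char SAMPLE_SHADOW[] =
    "root:$1$abcdefgh$0123456789abcdefghijkl:16000:0:99999:7:::\n"
    "daemon:*:16000:0:99999:7:::\n"
    "service:$6$saltsalt$Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFy:16000:0:99999:7:::\n"
    "guest::16000:0:99999:7:::\n"
    "nobody:!:16000:0:99999:7:::\n";

enum cred_state { CRED_LOCKED, CRED_EMPTY, CRED_HASHED };

/* Classify the password field of one shadow entry. */
enum cred_state classify_field(const char *field, size_t len)
{
    if (len == 0)
        return CRED_EMPTY;                 /* login with no password at all */
    if (field[0] == '*' || field[0] == '!')
        return CRED_LOCKED;                /* conventional "no login" markers */
    return CRED_HASHED;                    /* a fixed hash shipped in firmware */
}

/* Name the crypt(3) scheme from the $id$ prefix; legacy DES has none. */
const char *hash_scheme(const char *field, size_t len)
{
    if (len >= 3 && field[0] == '$') {
        if (strncmp(field, "$1$", 3) == 0) return "md5-crypt";
        if (strncmp(field, "$5$", 3) == 0) return "sha256-crypt";
        if (strncmp(field, "$6$", 3) == 0) return "sha512-crypt";
        return "other";
    }
    return "des-crypt";
}

/* Scan shadow-format text, print each account that could authenticate,
 * and return how many there are.  A non-zero result on a firmware image
 * is exactly the "hardcoded password" finding described above. */
int count_usable_accounts(const char *shadow_text)
{
    int usable = 0;
    const char *line = shadow_text;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t line_len = eol ? (size_t)(eol - line) : strlen(line);
        const char *c1 = memchr(line, ':', line_len);

        if (c1) {
            const char *pw = c1 + 1;
            size_t rest = line_len - (size_t)(pw - line);
            const char *c2 = memchr(pw, ':', rest);
            size_t pw_len = c2 ? (size_t)(c2 - pw) : rest;
            enum cred_state st = classify_field(pw, pw_len);

            if (st != CRED_LOCKED) {
                printf("%.*s: %s\n", (int)(c1 - line), line,
                       st == CRED_EMPTY ? "EMPTY PASSWORD"
                                        : hash_scheme(pw, pw_len));
                usable++;
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return usable;
}

int main(void)
{
    int n = count_usable_accounts(SAMPLE_SHADOW);
    printf("%d account(s) can log in with a credential baked into the image\n", n);
    return 0;
}
```

On the constructed sample this reports root and service (shipped hashes) and guest (empty password), three accounts in total. In a real audit the same scan is run against the extracted root filesystem, and any usable account whose hash is identical across units is a hardcoded credential shared by every device in the field.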
The other two flaws were buffer overflow vulnerabilities that could be used to gain access by sending unreasonably long data requests to the device. With trial and error, an attacker could overwrite sections of the device’s memory and perform remote code execution.
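The overflow class described above comes from copying a request field into a fixed-size buffer without checking its length. The following is an added example, not the ComfortLink II code: a deliberately vulnerable copy routine beside a hardened one that refuses anything that does not fit. The field size, the request handler and the "setpoint=72" value are made up for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define FIELD_MAX 32   /* hypothetical size of one on-device request field */

/* VULNERABLE: copies the value with no bound.  A value of FIELD_MAX bytes
 * or more writes past the end of 'dest' and corrupts whatever follows it
 * on the stack; with trial and error that becomes code execution. */
void copy_field_unsafe(char dest[FIELD_MAX], const char *value)
{
    strcpy(dest, value);
}

/* HARDENED: never read more than FIELD_MAX bytes of the input, reject any
 * value that would not fit including its terminator, and always leave
 * 'dest' NUL-terminated. */
bool copy_field_safe(char dest[FIELD_MAX], const char *value)
{
    const char *nul = memchr(value, '\0', FIELD_MAX);
    if (nul == NULL) {          /* no terminator within FIELD_MAX: too long */
        dest[0] = '\0';
        return false;
    }
    memcpy(dest, value, (size_t)(nul - value) + 1);  /* +1 copies the NUL */
    return true;
}

/* Simulated request handler built on the hardened copy.
 * Returns 1 if the field was accepted, 0 if the request was rejected. */
int handle_request_safe(const char *value)
{
    char field[FIELD_MAX];
    if (!copy_field_safe(field, value))
        return 0;
    /* ... the device would act on 'field' here ... */
    return 1;
}

/* Helper for probing the boundary: build a value of 'len' 'A' bytes
 * (capped at 511) and see whether the handler accepts it. */
int accepts_value_of_length(size_t len)
{
    char value[512];
    if (len > sizeof value - 1)
        len = sizeof value - 1;
    memset(value, 'A', len);
    value[len] = '\0';
    return handle_request_safe(value);
}

int main(void)
{
    /* Constructed inputs: a normal value and an attacker-sized one. */
    printf("normal (11 bytes):     %s\n",
           handle_request_safe("setpoint=72") ? "accepted" : "rejected");
    printf("boundary (31 bytes):   %s\n",
           accepts_value_of_length(FIELD_MAX - 1) ? "accepted" : "rejected");
    printf("one too many (32):     %s\n",
           accepts_value_of_length(FIELD_MAX) ? "accepted" : "rejected");
    printf("oversized (300 bytes): %s\n",
           accepts_value_of_length(300) ? "accepted" : "rejected");
    /* copy_field_unsafe is deliberately never called with the oversized
     * value: doing so would smash this function's stack frame. */
    return 0;
}
```

The important detail is the off-by-one at the boundary: a 31-byte value plus its terminator exactly fills the 32-byte buffer and is accepted, while a 32-byte value is rejected because the terminator would land one byte past the end. Checking the length with memchr bounded by FIELD_MAX also means a request with no terminator at all cannot make the parser read past the input.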
Once inside the ComfortLink II, the assailant would have the ability to turn the device into a little malware store that could be used to infect other devices using the same wireless network as the so-called “smart” thermostat. It’s a serious issue and you’d think Trane would want to fix it.
The Internet of Things, while a boon to convenience, is a huge bane to security and privacy. Most of the companies developing IoT devices have no practical experience designing security into their products, and rarely even treat it as a necessity. It will take a culture shift before things change, but it will be well worth the wait once it happens.
Originally posted on the Cylncr blog