Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Your Bosch smart thermostat might not be as clever as you thought - this security flaw could let hackers install malicious updates and more, so patch now

An abstract image of digital security.

Your Bosch smart thermostat can be hacked and used by threat actors for a wide variety of malicious activities, researchers have warned.

Cybersecurity experts from Bitdefender have published a new report in which they detailed discovering a vulnerability in the Bosch BCC100 thermostat for versions SW 1.7.0 – HD 4.13.22. In the report, they said that the device has two microcontrollers, one that provides Wi-Fi functionality, and one that provides the thermostat’s main function. The one with the Wi-Fi functionality listens to TCP port 8899 on LAN and mirrors any message received on that port directly to the main microcontroller, through the UART data bus.

“This means that, if formatted correctly, the microcontroller can’t distinguish malicious messages from genuine ones sent by the cloud server,” the researchers explained. “This allows an attacker to send commands to the thermostat, including writing a malicious update to the device.”

Defending a smart home

By overwriting the device’s firmware with a malicious one built by the hackers, the thermostat can be used for different purposes, from listening to the communication going through the device, to stealing login credentials, to moving to other devices, and more.

Smart home devices, while offering plenty of convenience, are also a major risk factor, experts are saying. In order to protect the home from prying eyes, homeowners should, first and foremost, “closely monitor IoT devices and isolate them as completely as possible from the local network,” they said.

“This can be done by setting up a dedicated network exclusively for IoT devices.”

Furthermore, homeowners can use cybersecurity solutions built for the smart home, to scan for connected devices, identify and highlight potentially vulnerable ones. “IoT device owners should also check for newer firmware and update devices as soon as the vendor releases new versions,” Bitdefender concludes.

Finally, having a network cybersecurity solution built directly into the router can help, too.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.