WiFi [Thermostat] - Security Issues?

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Post Reply
Topic Author
Saving$
Posts: 2510
Joined: Sat Nov 05, 2011 8:33 pm

WiFi [Thermostat] - Security Issues?

Post by Saving$ »

I recently purchased and installed a WiFi thermostat for my home. Because it is WiFi, it allows me to access the program from my laptop via an internet page. This is MUCH easier to program than trying to push tiny buttons on a 4 inch thermostat, and that alone is probably worth the extra $40 over a similar model that did not have WiFi.

When I set it up, I used a ridiculously long password. My WiFI network also has a similarly ridiculously long password. I get that anyone can log onto the t-stat mfg webpage, and if they guess my username and password, they can "hack" onto my thermostat and change the settings.

My questions are:
1. Does this t-stat in any way compromise the security of my WiFi system? ie can someone hack into it and access my WiFi network that way? I've set up other wireless devices (Google Chromecast, Roku, Kindle) and each of those scans for available wireless networks, you select yours, and enter your wireless network password. This think broadcast it's own network, and I had to disconnect from my WiFI and connect to the T-stat before I could connect the T-stat to the wireless network. Because this device seems to be able to broadcast Wifi instead of just receive the signal, I got to wondering.

2. The T-stat has an app for my phone. I have not yet downloaded it. Seems like it would just be a webpage optimized for the phone, and thus I access the t-stat via phone the same way I can access it via the webpage. Does downloading and using this app in any way increase my security risk?
stan1
Posts: 14235
Joined: Mon Oct 08, 2007 4:35 pm

Re: WiFi Tstat - Security Issues?

Post by stan1 »

I'd be a lot more cautious about web/wi-fi enabled door locks and security systems than a thermostat. Make sure you are using a unique password at the thermostat website (one that you don't use on any other site).
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: WiFi Tstat - Security Issues?

Post by Mudpuppy »

Without knowing specifics, one can only speak in generalities. And in general, software is buggy because software is made by humans and humans make mistakes. Will that will rise up to the level of being a risk to other devices on the network? Maybe or maybe not. It depends upon the nature and severity of the bug.

For example, if the thermostat stores your very long WiFi password in an insecure fashion and someone can hack the thermostat and retrieve that information, that would be a problem for the security of your network. But if the worst they can do is turn the thermostat off, that would be more of an inconvenience (although it would be a potential hazard during extreme weather).
mnaspbh
Posts: 204
Joined: Fri Sep 09, 2011 12:26 pm

Re: WiFi Tstat - Security Issues?

Post by mnaspbh »

Saving$ wrote:I recently purchased and installed a WiFi thermostat for my home. Because it is WiFi, it allows me to access the program from my laptop via an internet page. This is MUCH easier to program than trying to push tiny buttons on a 4 inch thermostat, and that alone is probably worth the extra $40 over a similar model that did not have WiFi.

When I set it up, I used a ridiculously long password. My WiFI network also has a similarly ridiculously long password. I get that anyone can log onto the t-stat mfg webpage, and if they guess my username and password, they can "hack" onto my thermostat and change the settings.

My questions are:
1. Does this t-stat in any way compromise the security of my WiFi system? ie can someone hack into it and access my WiFi network that way? I've set up other wireless devices (Google Chromecast, Roku, Kindle) and each of those scans for available wireless networks, you select yours, and enter your wireless network password. This think broadcast it's own network, and I had to disconnect from my WiFI and connect to the T-stat before I could connect the T-stat to the wireless network. Because this device seems to be able to broadcast Wifi instead of just receive the signal, I got to wondering.

2. The T-stat has an app for my phone. I have not yet downloaded it. Seems like it would just be a webpage optimized for the phone, and thus I access the t-stat via phone the same way I can access it via the webpage. Does downloading and using this app in any way increase my security risk?
A lot of the "Internet of Things" devices, like WiFi/Internet-enabled thermostats and power meters, have very poor security. A wifi thermostat popular in Britain had multiple fundamental security issues that would enable a casual attacker to obtain credentials to the wifi network itself, as well as performing malicious actions. The primary "secure" protocol used by "smart" power meters has so many profound vulnerabilities that security researchers got tired of devising new and ever-quicker attacks.

Even without significant security issues, unintentional information disclosure is not uncommon. A remote attacker may be able to monitor enough details of a thermostat to determine one's schedule, or detect when the house is unoccupied for a period of time, making planning a break-in much easier.
User avatar
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: WiFi Tstat - Security Issues?

Post by magellan »

You mentioned that you access the t-stat using a web interface. Generally, there are three different models for how this can work, and they each have different security issues. In all cases, it's assumed that you use robust passwords.

Case 1 - The web interface is provided (served) by the t-stat itself.

With this approach, you enter the IP address or a local network name for the t-stat in your browser and the t-stat serves a web page with status and lets you change settings. Unless your router's firewall/port forwarding settings are changed, there's no possible way anyone can access the t-stat or your internal home network remotely. This is the most secure model, but it's the least flexible since you can't access the t-stat away from home. Of course, this assumes the t-stat implements wifi security correctly.

If you want to be able to access the t-stat from outside of your home, you'll need to enable port forwarding on your router. Doing this introduces a security risk because it's likely that the software on the t-stat has at least some flaws that might eventually be discovered by hackers that let them take control of the t-stat. The hackers could use this control to mess with your t-stat or launch other attacks through the t-stat from inside your home network. These attacks could be aimed at devices inside your network, or they may force your t-stat to become part of a hacking botnet.

Case 2 -
The t-stat web interface is served by a centralized internet based server run by the t-stat manufacturer. The server initiates secure remote communications with the t-stat to query status and update its configuration (aka interactive communication between t-stat and server through home firewall).

With this approach, the t-stat manufacturer has to have perfect security on their server so it never gets hacked and also the t-stat must have perfect security to prevent hackers from contacting the t-stat and impersonating the central server. (I'm not sure if any consumer devices use this model anymore - hopefully not).

Case 3 -
The t-stat web interface is served by a centralized internet based server run by the t-stat manufacturer and the t-stat initiates all communications with the server (eg to update temps and receive config changes).

This approach is probably lower risk than case 2 because the t-stat (and your home network) can't be directly accessed remotely. The only way for the t-stat (and your home network) to get compromised would be if someone was able to impersonate the central server and somehow exploit a t-stat firmware vulnerability.
Topic Author
Saving$
Posts: 2510
Joined: Sat Nov 05, 2011 8:33 pm

Re: WiFi Tstat - Security Issues?

Post by Saving$ »

magellan wrote:You mentioned that you access the t-stat using a web interface. Generally, there are three different models for how this can work, and they each have different security issues. In all cases, it's assumed that you use robust passwords.
It is either case 2 or case 3. How do I tell the difference? The t-stat is made by Honeywell.

No one has commented about an increased security risk by putting the app on my phone, vs. just using the interface from my laptop. I guess the initial tstat connection to the internet creates the most risk, and the way I access it (laptop or phone) has less impact on security. Do I have the correct?
cmdreset
Posts: 39
Joined: Sat Jul 14, 2007 9:31 am

Re: WiFi [Thermostat] - Security Issues?

Post by cmdreset »

Without specifics on your device and network config it is really hard to say what your risk is. Once it is on your WiFi (behind a good firewall, right?) someone within wireless range shouldn't be able to "see" the device or connect to it directly, just your secured WiFi access point(s). If the device still broadcasts as a wireless access point after you connect it then I wouldn't use it. A lot of the security flaws in these devices presume the attacker has network access, and then I agree they aren't generally secure, but then neither is your computer. This is why we have firewalls and use non-routable IP addresses on our LANs (right?)

If you can control the device from a public web page, then either the device is polling outside your LAN (a possible security risk) or it is allowing incoming connects (probably a much more serious security risk if you don't know what you are doing.) I would seriously consider blocking these features (your router can do this.)
User avatar
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: WiFi Tstat - Security Issues?

Post by magellan »

Saving$ wrote:It is either case 2 or case 3. How do I tell the difference? The t-stat is made by Honeywell.
The easiest way to tell is to log into your router and disable universal plug n play (UPnP). Then reboot everything and see if you can still use the cloud app and see updates from the t-stat. If everything still works with UPnP disabled, it's most likely using case 3. If so, leave UPnP disabled on your router because it's a pretty big security risk, IMO.
http://www.zdnet.com/article/millions-o ... hers-find/

No one has commented about an increased security risk by putting the app on my phone, vs. just using the interface from my laptop. I guess the initial tstat connection to the internet creates the most risk, and the way I access it (laptop or phone) has less impact on security. Do I have the correct?
Probably. From googling, it looks like honeywell t-stats poll the cloud server periodically to send updates and pull down any config changes (case 3 above). If that's true, the main risk is that someone might figure out a way to spoof the cloud server to trick your t-stat into changing its config or updating its firmware. One of the amazon reviews of a t-stat made it sound like firmware upgrade cannot be initiated by the cloud server, and if that's true, the risk of a hacker getting into your network through the t-stat is relatively low (though never zero with this stuff).

As far as installing the app, the risk there is the same as with any app. Get it from a trusted source (eg app store), use a good unique password, and hope for the best.

As far as overall security risk, if you can sign up for the cloud service anonymously or with a fake name and address, that's advisable. Assume the cloud server is logging all of your t-stat data (and by inference your home occupancy details). Also assume that one day the cloud server will get hacked and all of your home temperature information will be available for purchase on the black market. If your account doesn't have a name and address associated with it, the logs will just have your IP address. It's possible this could be mapped back to your house, but it's harder to do without help from your ISP or leaked information from some other a service provider that keeps logs that bind your home's IP address to your name and address.
Last edited by magellan on Sun May 24, 2015 2:47 pm, edited 1 time in total.
eucalyptus
Posts: 746
Joined: Tue Apr 24, 2007 1:24 pm

Re: WiFi [Thermostat] - Security Issues?

Post by eucalyptus »

TIL that some people actually believe the NEST style thermostats are about temperature control instead of still more Facebook style data monetization.
takeshi
Posts: 1175
Joined: Thu Oct 03, 2013 10:02 pm

Re: WiFi Tstat - Security Issues?

Post by takeshi »

Mudpuppy wrote:Without knowing specifics, one can only speak in generalities.
Even with specifics we can quite often only speak in generalities as not all vulnerabilities are known to begin with. A system not connected to the outside world is generally less of a risk than one that is connected to the outside world. More access points is generally more of a risk. That's really about all we can say. The OP can take preventative measures such as long, complex passwords but even such precautions may not guarantee security as there could be other points of failure.
Saving$ wrote:This think broadcast it's own network, and I had to disconnect from my WiFI and connect to the T-stat before I could connect the T-stat to the wireless network. Because this device seems to be able to broadcast Wifi instead of just receive the signal, I got to wondering.
Probably not an issue once it's joined to the network. A number of devices use that approach and they generally only create their own networks for initial setup. You can use a device or app to scan for networks and see if the device's own network still exists once joined to your own.
Saving$ wrote:The T-stat has an app for my phone. I have not yet downloaded it. Seems like it would just be a webpage optimized for the phone, and thus I access the t-stat via phone the same way I can access it via the webpage. Does downloading and using this app in any way increase my security risk?
Again, it's another point of entry. It does increase risk. By how much is difficult to say and all depends on how secure your device and the app are. It's probably not the biggest risk which is outside access offered by the thermostat which exists regardless of how you manage the device.

All you can really do is determine where you're willing to compromise security for convenience, try to understand the specifics of how your thermostat works and minimize its security risks with that understanding. I know that's vague but I can't speak to the specifics of your thermostat even if you provided the model number. You'd need to carefully research that thermostat and ideally do that before making the purchase.
Post Reply