WiFi [Thermostat] - Security Issues?
WiFi [Thermostat] - Security Issues?
I recently purchased and installed a WiFi thermostat for my home. Because it is WiFi, it allows me to access the program from my laptop via an internet page. This is MUCH easier to program than trying to push tiny buttons on a 4 inch thermostat, and that alone is probably worth the extra $40 over a similar model that did not have WiFi.
When I set it up, I used a ridiculously long password. My WiFI network also has a similarly ridiculously long password. I get that anyone can log onto the t-stat mfg webpage, and if they guess my username and password, they can "hack" onto my thermostat and change the settings.
My questions are:
1. Does this t-stat in any way compromise the security of my WiFi system? ie can someone hack into it and access my WiFi network that way? I've set up other wireless devices (Google Chromecast, Roku, Kindle) and each of those scans for available wireless networks, you select yours, and enter your wireless network password. This think broadcast it's own network, and I had to disconnect from my WiFI and connect to the T-stat before I could connect the T-stat to the wireless network. Because this device seems to be able to broadcast Wifi instead of just receive the signal, I got to wondering.
2. The T-stat has an app for my phone. I have not yet downloaded it. Seems like it would just be a webpage optimized for the phone, and thus I access the t-stat via phone the same way I can access it via the webpage. Does downloading and using this app in any way increase my security risk?
When I set it up, I used a ridiculously long password. My WiFI network also has a similarly ridiculously long password. I get that anyone can log onto the t-stat mfg webpage, and if they guess my username and password, they can "hack" onto my thermostat and change the settings.
My questions are:
1. Does this t-stat in any way compromise the security of my WiFi system? ie can someone hack into it and access my WiFi network that way? I've set up other wireless devices (Google Chromecast, Roku, Kindle) and each of those scans for available wireless networks, you select yours, and enter your wireless network password. This think broadcast it's own network, and I had to disconnect from my WiFI and connect to the T-stat before I could connect the T-stat to the wireless network. Because this device seems to be able to broadcast Wifi instead of just receive the signal, I got to wondering.
2. The T-stat has an app for my phone. I have not yet downloaded it. Seems like it would just be a webpage optimized for the phone, and thus I access the t-stat via phone the same way I can access it via the webpage. Does downloading and using this app in any way increase my security risk?
Re: WiFi Tstat - Security Issues?
I'd be a lot more cautious about web/wi-fi enabled door locks and security systems than a thermostat. Make sure you are using a unique password at the thermostat website (one that you don't use on any other site).
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Re: WiFi Tstat - Security Issues?
Without knowing specifics, one can only speak in generalities. And in general, software is buggy because software is made by humans and humans make mistakes. Will that will rise up to the level of being a risk to other devices on the network? Maybe or maybe not. It depends upon the nature and severity of the bug.
For example, if the thermostat stores your very long WiFi password in an insecure fashion and someone can hack the thermostat and retrieve that information, that would be a problem for the security of your network. But if the worst they can do is turn the thermostat off, that would be more of an inconvenience (although it would be a potential hazard during extreme weather).
For example, if the thermostat stores your very long WiFi password in an insecure fashion and someone can hack the thermostat and retrieve that information, that would be a problem for the security of your network. But if the worst they can do is turn the thermostat off, that would be more of an inconvenience (although it would be a potential hazard during extreme weather).
Re: WiFi Tstat - Security Issues?
A lot of the "Internet of Things" devices, like WiFi/Internet-enabled thermostats and power meters, have very poor security. A wifi thermostat popular in Britain had multiple fundamental security issues that would enable a casual attacker to obtain credentials to the wifi network itself, as well as performing malicious actions. The primary "secure" protocol used by "smart" power meters has so many profound vulnerabilities that security researchers got tired of devising new and ever-quicker attacks.Saving$ wrote:I recently purchased and installed a WiFi thermostat for my home. Because it is WiFi, it allows me to access the program from my laptop via an internet page. This is MUCH easier to program than trying to push tiny buttons on a 4 inch thermostat, and that alone is probably worth the extra $40 over a similar model that did not have WiFi.
When I set it up, I used a ridiculously long password. My WiFI network also has a similarly ridiculously long password. I get that anyone can log onto the t-stat mfg webpage, and if they guess my username and password, they can "hack" onto my thermostat and change the settings.
My questions are:
1. Does this t-stat in any way compromise the security of my WiFi system? ie can someone hack into it and access my WiFi network that way? I've set up other wireless devices (Google Chromecast, Roku, Kindle) and each of those scans for available wireless networks, you select yours, and enter your wireless network password. This think broadcast it's own network, and I had to disconnect from my WiFI and connect to the T-stat before I could connect the T-stat to the wireless network. Because this device seems to be able to broadcast Wifi instead of just receive the signal, I got to wondering.
2. The T-stat has an app for my phone. I have not yet downloaded it. Seems like it would just be a webpage optimized for the phone, and thus I access the t-stat via phone the same way I can access it via the webpage. Does downloading and using this app in any way increase my security risk?
Even without significant security issues, unintentional information disclosure is not uncommon. A remote attacker may be able to monitor enough details of a thermostat to determine one's schedule, or detect when the house is unoccupied for a period of time, making planning a break-in much easier.
Re: WiFi Tstat - Security Issues?
You mentioned that you access the t-stat using a web interface. Generally, there are three different models for how this can work, and they each have different security issues. In all cases, it's assumed that you use robust passwords.
Case 1 - The web interface is provided (served) by the t-stat itself.
With this approach, you enter the IP address or a local network name for the t-stat in your browser and the t-stat serves a web page with status and lets you change settings. Unless your router's firewall/port forwarding settings are changed, there's no possible way anyone can access the t-stat or your internal home network remotely. This is the most secure model, but it's the least flexible since you can't access the t-stat away from home. Of course, this assumes the t-stat implements wifi security correctly.
If you want to be able to access the t-stat from outside of your home, you'll need to enable port forwarding on your router. Doing this introduces a security risk because it's likely that the software on the t-stat has at least some flaws that might eventually be discovered by hackers that let them take control of the t-stat. The hackers could use this control to mess with your t-stat or launch other attacks through the t-stat from inside your home network. These attacks could be aimed at devices inside your network, or they may force your t-stat to become part of a hacking botnet.
Case 2 -
The t-stat web interface is served by a centralized internet based server run by the t-stat manufacturer. The server initiates secure remote communications with the t-stat to query status and update its configuration (aka interactive communication between t-stat and server through home firewall).
With this approach, the t-stat manufacturer has to have perfect security on their server so it never gets hacked and also the t-stat must have perfect security to prevent hackers from contacting the t-stat and impersonating the central server. (I'm not sure if any consumer devices use this model anymore - hopefully not).
Case 3 -
The t-stat web interface is served by a centralized internet based server run by the t-stat manufacturer and the t-stat initiates all communications with the server (eg to update temps and receive config changes).
This approach is probably lower risk than case 2 because the t-stat (and your home network) can't be directly accessed remotely. The only way for the t-stat (and your home network) to get compromised would be if someone was able to impersonate the central server and somehow exploit a t-stat firmware vulnerability.
Case 1 - The web interface is provided (served) by the t-stat itself.
With this approach, you enter the IP address or a local network name for the t-stat in your browser and the t-stat serves a web page with status and lets you change settings. Unless your router's firewall/port forwarding settings are changed, there's no possible way anyone can access the t-stat or your internal home network remotely. This is the most secure model, but it's the least flexible since you can't access the t-stat away from home. Of course, this assumes the t-stat implements wifi security correctly.
If you want to be able to access the t-stat from outside of your home, you'll need to enable port forwarding on your router. Doing this introduces a security risk because it's likely that the software on the t-stat has at least some flaws that might eventually be discovered by hackers that let them take control of the t-stat. The hackers could use this control to mess with your t-stat or launch other attacks through the t-stat from inside your home network. These attacks could be aimed at devices inside your network, or they may force your t-stat to become part of a hacking botnet.
Case 2 -
The t-stat web interface is served by a centralized internet based server run by the t-stat manufacturer. The server initiates secure remote communications with the t-stat to query status and update its configuration (aka interactive communication between t-stat and server through home firewall).
With this approach, the t-stat manufacturer has to have perfect security on their server so it never gets hacked and also the t-stat must have perfect security to prevent hackers from contacting the t-stat and impersonating the central server. (I'm not sure if any consumer devices use this model anymore - hopefully not).
Case 3 -
The t-stat web interface is served by a centralized internet based server run by the t-stat manufacturer and the t-stat initiates all communications with the server (eg to update temps and receive config changes).
This approach is probably lower risk than case 2 because the t-stat (and your home network) can't be directly accessed remotely. The only way for the t-stat (and your home network) to get compromised would be if someone was able to impersonate the central server and somehow exploit a t-stat firmware vulnerability.
Re: WiFi Tstat - Security Issues?
It is either case 2 or case 3. How do I tell the difference? The t-stat is made by Honeywell.magellan wrote:You mentioned that you access the t-stat using a web interface. Generally, there are three different models for how this can work, and they each have different security issues. In all cases, it's assumed that you use robust passwords.
No one has commented about an increased security risk by putting the app on my phone, vs. just using the interface from my laptop. I guess the initial tstat connection to the internet creates the most risk, and the way I access it (laptop or phone) has less impact on security. Do I have the correct?
Re: WiFi [Thermostat] - Security Issues?
Without specifics on your device and network config it is really hard to say what your risk is. Once it is on your WiFi (behind a good firewall, right?) someone within wireless range shouldn't be able to "see" the device or connect to it directly, just your secured WiFi access point(s). If the device still broadcasts as a wireless access point after you connect it then I wouldn't use it. A lot of the security flaws in these devices presume the attacker has network access, and then I agree they aren't generally secure, but then neither is your computer. This is why we have firewalls and use non-routable IP addresses on our LANs (right?)
If you can control the device from a public web page, then either the device is polling outside your LAN (a possible security risk) or it is allowing incoming connects (probably a much more serious security risk if you don't know what you are doing.) I would seriously consider blocking these features (your router can do this.)
If you can control the device from a public web page, then either the device is polling outside your LAN (a possible security risk) or it is allowing incoming connects (probably a much more serious security risk if you don't know what you are doing.) I would seriously consider blocking these features (your router can do this.)
Re: WiFi Tstat - Security Issues?
The easiest way to tell is to log into your router and disable universal plug n play (UPnP). Then reboot everything and see if you can still use the cloud app and see updates from the t-stat. If everything still works with UPnP disabled, it's most likely using case 3. If so, leave UPnP disabled on your router because it's a pretty big security risk, IMO.Saving$ wrote:It is either case 2 or case 3. How do I tell the difference? The t-stat is made by Honeywell.
http://www.zdnet.com/article/millions-o ... hers-find/
Probably. From googling, it looks like honeywell t-stats poll the cloud server periodically to send updates and pull down any config changes (case 3 above). If that's true, the main risk is that someone might figure out a way to spoof the cloud server to trick your t-stat into changing its config or updating its firmware. One of the amazon reviews of a t-stat made it sound like firmware upgrade cannot be initiated by the cloud server, and if that's true, the risk of a hacker getting into your network through the t-stat is relatively low (though never zero with this stuff).No one has commented about an increased security risk by putting the app on my phone, vs. just using the interface from my laptop. I guess the initial tstat connection to the internet creates the most risk, and the way I access it (laptop or phone) has less impact on security. Do I have the correct?
As far as installing the app, the risk there is the same as with any app. Get it from a trusted source (eg app store), use a good unique password, and hope for the best.
As far as overall security risk, if you can sign up for the cloud service anonymously or with a fake name and address, that's advisable. Assume the cloud server is logging all of your t-stat data (and by inference your home occupancy details). Also assume that one day the cloud server will get hacked and all of your home temperature information will be available for purchase on the black market. If your account doesn't have a name and address associated with it, the logs will just have your IP address. It's possible this could be mapped back to your house, but it's harder to do without help from your ISP or leaked information from some other a service provider that keeps logs that bind your home's IP address to your name and address.
Last edited by magellan on Sun May 24, 2015 2:47 pm, edited 1 time in total.
-
- Posts: 746
- Joined: Tue Apr 24, 2007 1:24 pm
Re: WiFi [Thermostat] - Security Issues?
TIL that some people actually believe the NEST style thermostats are about temperature control instead of still more Facebook style data monetization.
Re: WiFi Tstat - Security Issues?
Even with specifics we can quite often only speak in generalities as not all vulnerabilities are known to begin with. A system not connected to the outside world is generally less of a risk than one that is connected to the outside world. More access points is generally more of a risk. That's really about all we can say. The OP can take preventative measures such as long, complex passwords but even such precautions may not guarantee security as there could be other points of failure.Mudpuppy wrote:Without knowing specifics, one can only speak in generalities.
Probably not an issue once it's joined to the network. A number of devices use that approach and they generally only create their own networks for initial setup. You can use a device or app to scan for networks and see if the device's own network still exists once joined to your own.Saving$ wrote:This think broadcast it's own network, and I had to disconnect from my WiFI and connect to the T-stat before I could connect the T-stat to the wireless network. Because this device seems to be able to broadcast Wifi instead of just receive the signal, I got to wondering.
Again, it's another point of entry. It does increase risk. By how much is difficult to say and all depends on how secure your device and the app are. It's probably not the biggest risk which is outside access offered by the thermostat which exists regardless of how you manage the device.Saving$ wrote:The T-stat has an app for my phone. I have not yet downloaded it. Seems like it would just be a webpage optimized for the phone, and thus I access the t-stat via phone the same way I can access it via the webpage. Does downloading and using this app in any way increase my security risk?
All you can really do is determine where you're willing to compromise security for convenience, try to understand the specifics of how your thermostat works and minimize its security risks with that understanding. I know that's vague but I can't speak to the specifics of your thermostat even if you provided the model number. You'd need to carefully research that thermostat and ideally do that before making the purchase.