Leo PortalA vulnerability in the popular Bosch smart thermostats has been identified, allowing potential attackers to manipulate its firmware remotely, as reported by Bitdefender. The affected Wi-Fi microcontroller serves as the network gateway for the thermostat’s logic controller, impacting versions 4.13.20 through v4.13.33 of Bosch smart thermostat products BCC101, BTC102, and C50, rated with a severity level of “High” under CVE-2023-49722.
Bosch promptly addressed the issue, urging owners to update their thermostats to version v4.13.33. Initially brought to Bosch’s attention on August 29, 2023, the fix was released in October 2023 and made public on January 9, 2024.
The vulnerability exploits the thermostat’s STM chip’s reliance on the WiFi chip for internet communication, which listens on TCP port 8899. Malignant commands sent through this port, such as firmware updates, can be indistinguishable from legitimate ones. Researchers demonstrated that by sending a forged “device/update” command, the thermostat could be tricked into accepting a malicious firmware update, compromising the device.
Bosch’s mitigation strategy involves shutting down port 8899 through a patch update. Bitdefender advises IoT device owners to segregate IoT devices on a dedicated network, regularly scan for vulnerabilities, and promptly update devices and firmware as new versions are released to minimize the risk of exploitation.
Firmware Manipulation and Microcontroller Vulnerability Expose
A well-known Bosch bright thermostat has a vulnerability that, according to Bitdefender, enables potential attackers to send commands to the gadget and change its firmware.
The Wi-Fi microcontroller, which serves as a network gateway for the thermostat’s logic controller, is impacted by the vulnerability.
Versions 4.13.20 through v4.13.33 of the Bosch bright thermostat products BCC101, BTC102, and C50 are impacted. The vulnerability (CVE-2023- 49722) has received a severity rating of “High.”
To fix the problem, thermostat owners have been urged to update their thermostats to version v4.13.33.
According to Bitdefender, on August 29, 2023, Bosch was initially made aware of the vulnerability. In October 2023, Bosch released a fix for version 4.13.33 after being triaged and confirmed.
The vulnerability was finally made known to the public on January 9, 2024.
Uncovering Vulnerabilities: STM Chip Exploitation in Bosch Smart Thermostat
The researchers claimed to have found that in order to communicate with the internet, the STM chip in one of the thermostat’s two microcontrollers relies on the WiFi chip.
Additionally, the WiFi chip listens on the LAN’s TCP port 8899 and will instantly mirror any message sent through that port to the major microcontroller.
This implies that malignant commands, such as writing an update to the thermostat, can be sent to it that cannot be distinguished from legitimate ones sent by the cloud server.
The researchers send the “device/update” command on port 8899 to let the device know that a fresh update is available in order to start the malignant update process.
The cloud server will then receive an error code when the device requests information about the update because there isn’t one available.
But, the device will accept a forged response that contains the updated information, including the firmware’s URL, file size and MD5 checksum, and version, which must be higher than the current one.
The thermostat asks the cloud server to download the firmware and send it through the websocket if all the requirements are met, including a URL that can be accessed online.
When the cloud has received the file, it will therefore perform the upgrade, completely jeopardizing the device.
Bosch released a patch update that functions by shutting down port 8899.
Advice for Owners of IoT Devices
In order to lower the possibility that their home IoT devices will be used by cyber threat actors, Bitdefender offers the following suggestions to customers:
- To keep IoT devices as far away from the local network as possible, set up a dedicated network for them.
- Utilize free tools to scan the network for related devices, find them, and highlight any that are susceptible.
- As soon as the vendor releases fresh versions, look for updated devices and firmware.
