Bitdefender Exposes Bosch BCC100 Wi-Fi Thermostat Vulnerability

Bitdefender has identified a vulnerability in the popular Bosch BCC100 Wi-Fi thermostat model. This flaw permits cybercriminals to remotely manipulate device settings, including temperature, and install malicious software.

Internet of Things (IoT) devices, ranging from coffee makers to security cameras, are potentially susceptible to hacking. Bitdefender’s lab, which established the first cybersecurity hub for smart homes, routinely audits popular IoT equipment for vulnerabilities. Their latest research revealed weaknesses in the Bosch BCC100 thermostat, affecting versions 1.7.0 — HD Version 4.13.22.

The security breach, discovered on August 29, 2023, was only detailed on January 11, 2024, after being rectified by the company. The CVE-2023-49722 vulnerability allows attackers to replace the device’s firmware with a malicious one, subsequently gaining complete control over its functions.

The BCC100 thermostat employs two microcontrollers: a Hi-Flying (HF-LPT230) chip for Wi-Fi functions and an STMicroelectronics (STM32F103) chip for the main device logic. The STM chip lacks networking capabilities and relies on the Wi-Fi chip for communication. The Wi-Fi chip listens on TCP port 8899 in the local network and directly transmits any received messages to the main microcontroller via the UART data bus.

However, if a message is properly formed, the microcontroller cannot distinguish malicious messages from legitimate ones sent by the cloud server. Attackers can exploit this to send arbitrary commands to the thermostat, including harmful updates.

The thermostat interacts with the server “connect.boschconnectedcontrol[.]com” using JSON packets via WebSocket, which are easily spoofed. The device initiates the “device/update” command on port 8899, prompting the thermostat to request information from the cloud server.

Despite error codes, the device accepts a fraudulent response with updated details, including a random URL, size, MD5 checksum, and firmware version. The device then asks the cloud server to download the firmware and transfer it via WebSocket, ensuring the specified URL is accessible. After receiving the file, the device performs the update, completing the compromise.

To mitigate potential risks, users are advised to maintain necessary security measures, including regularly updating the thermostat’s firmware, changing the default administrative password, avoiding unnecessary internet connections for the thermostat, and using a firewall to restrict access to unauthorized devices.

Notably, just last week, specialists from another cybersecurity company revealed details about vulnerabilities in another Bosch product — a network industrial wrench widely used in various productions. The exploitation of these vulnerabilities results in a complete production halt and damage to expensive equipment.

Such research reiterates that even seemingly harmless smart devices with internet access can pose specific security risks to their users.

As the smart device market grows, manufacturers must prioritize security and ensure a safe and reliable connection environment, while users should responsibly adhere to regular updates and other recommendations from manufacturers.