API security

Bosch thermostats vulnerable to malware attacks

Hackread reports that widely used Bosch BCC100 thermostats have been discovered by Bitdefender Labs researchers to be impacted by a vulnerability that could be exploited for malware deployment.

Attackers could leverage the flaw, tracked as CVE-2023-49722, to infiltrate thermostat settings and data, remotely replace device firmware, and distribute malware in BCC100 thermostats versions 1.7.0 HD Version 4.13.22, according to the Bitdefender report. Researchers noted that the security bug stems from the inability of the thermostat's microcontroller which is composed of an STMicroelectronics chip for primary logic and a Hi-Flying chip for Wi-Fi to filter messages from the cloud server, which could include malicious messages that could be used for the delivery of malware. Bosch, which has already issued patches for the bug, urged users to not only apply thermostat firmware updates and modify their default admin passwords, but also curb unneeded internet connectivity for thermostats and restrict unauthorized device access through a firewall.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.