Researchers from Talos, an offshoot of Cisco Systems, first discovered flaws in the connected thermostat — sold under the brand new ComfortLink II — in April 2014. Trane patched two of the bugs in April 2015 and fixed the third vulnerability as of Jan. 27, 2016.
The vulnerabilities could have allowed bad actors to remotely access and operate the thermostats, as well as trigger arbitrary code to use the device as conduit for local network and external network attacks, Talos said in a blog post. The research group also recommended that ComfortLink II owners update their firmware immediately, as it was unclear if Trane had “effectively communicated the necessity of installing these updates to their customers.”
“While IoT devices such as smart thermostats, home lighting and security systems bring an added level of convenience into our lives, these vulnerabilities highlight the dangers of insecure development practices,” Talos cautioned.