According to security journalist Brian Krebs, the Trane ComfortLink II smart thermostat has "three separate critical vulnerabilities" related to network security, including hardcoded credentials. American Standard is Trane by another name: typically the same hardware with a different name plate, A/S being the brand sold through small independent dealers. Their version is called the AccuLink Platinum 950. This is the model I have. I assume they share the same software and thus the same security issues.
Trane ComfortLink II
https://www.trane.com/residential/e...ntrols/connected-controls/comfortlink_ii.html
AccuLink Platinum 950
https://www.americanstandardair.com/products/thermostat-controls/acculink-platinum-950-control.html
So, how serious is the security vulnerability?
Cisco researchers found that the ComfortLink devices allow attackers to gain remote access and also use these devices as a jumping off point to access the rest of a user’s network.
So, basically, hackers can use your thermostat as a backdoor into your home network and have at it from there.
There's more:
“Compromising IoT devices allow unfettered access through the network to any other devices on the network,” said Craig Williams, security outreach manager at Cisco. “To make matters worse almost no one has access to their thermostat at an [operating system] layer to notice that it has been compromised. No one wakes up and thinks, ‘Hey, it’s time to update my thermostat's firmware.’ Typically once someone compromises these devices they will stay compromised until replaced. Basically it gives an attacker a perfect foothold to move laterally through a network.”
So, how has Trane responded to this security flaw?
Krebs says: "In April 2014, researchers at Cisco alerted HVAC vendor Trane about three separate critical vulnerabilities in their ComfortLink II line of Internet-connected thermostats."
Krebs says: "On January 26, 2016, Trane patched the more serious of the flaws (the hardcoded credentials). According to Cisco, Trane patched the other two bugs as part of a standard update released back in May 2015, but apparently without providing customers any indication that the update was critical to their protection efforts."
My Personal Experience
I've had the American Standard model since November 2014. The device has the ability to check for updates and download/install them. I have checked my device several times since owning it and it always reports there are no updates available.
My system is also connected to Nexia -- http://www.nexiahome.com/ . Nexia is an online home automation site, so I can manage my heat pump system from anywhere in the world. Nexia is owned by Ingersoll Rand, the company that owns Trane and American Standard. The point being that they know I have this product and they have my email address, so they could contact me with a heads up.
What Did I do?
First thing I did was disable the Wi-Fi on the device until I can determine if it is affected and how to get the software update. Then I alerted my dealer, who is a pretty sharp cookie. He hadn't received a bulletin from the company about the issue either.
There is a page with a v4.0.3 software update for the Trane device here:
https://www.trane.com/residential/en/resources/smart-home-automation/installing-upgrading.html
There is v4.0.3 for the American Standard here (mine has v3.0):
https://www.americanstandardair.com/software-update.html
If in doubt, call your dealer and make them resolve it for you.
---
Here is Krebs's full story: http://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/
---
UPDATE: I downloaded the A/S update to an SD card and performed the upgrade. Pretty straightforward. They did acknowledge the security updates, and credited Cisco, on-screen during the update (but not on the website). The update was dated DEC 2015. Curious since Krebs said the latest update was JAN 2016.
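The lesson of the post above is that the thermostat's own "no updates available" answer cannot be trusted; the only reliable check is to compare the version the device reports against the minimum published on the vendor's update page. The following is an added example, not code from the original post or from Trane, American Standard or Nexia. It audits a small inventory of self-reported firmware versions against a minimum you set yourself. The inventory is constructed for illustration; the only version numbers taken from the post are the author's pre-update v3.0 and the v4.0.3 update. It handles the two things that trip up a naive string comparison (versions with different numbers of components such as "3.0" vs "4.0.3", and "10.0" sorting lexically below "4.0.3") and flags anything it cannot parse rather than silently passing it.

```python
"""Audit self-reported thermostat firmware versions against a vendor minimum.

Added example, not code from the original post or from the vendors named in it.
The inventory below is constructed for illustration; the only version numbers
taken from the post are the author's v3.0 and the v4.0.3 update. Anything a
device reports about itself (including "no updates available") is treated as
untrusted input: the check compares against a minimum you set from the vendor's
update page, and anything that cannot be parsed is flagged, not passed.
"""
import re
from typing import List, Optional, Tuple

# Minimum version taken from the vendor update pages cited in the post.
PATCHED_MINIMUM = "4.0.3"

# Constructed sample inventory: (device label, version string exactly as reported).
INVENTORY = [
    ("thermostat-upstairs", "3.0"),        # the post author's pre-update version
    ("thermostat-downstairs", "v4.0.3"),   # patched, reported with a leading 'v'
    ("thermostat-guest", "10.0"),          # lexically "less" than "4.0.3", numerically newer
    ("thermostat-garage", "unknown"),      # unparseable: must not pass silently
]

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '4.0.3' or 'v4.0.3' into (4, 0, 3); return None for anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _padded(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # '3.0' vs '4.0.3': pad the shorter tuple with zeros so the comparison is
    # component-wise rather than length-based.
    return v + (0,) * (width - len(v))


def is_below(reported: str, minimum: str) -> Optional[bool]:
    """True if reported < minimum, False if not, None if reported is unparseable."""
    r, m = parse_version(reported), parse_version(minimum)
    if m is None:
        raise ValueError(f"bad minimum version: {minimum!r}")
    if r is None:
        return None
    width = max(len(r), len(m))
    return _padded(r, width) < _padded(m, width)


def audit(inventory, minimum: str = PATCHED_MINIMUM) -> List[Tuple[str, str, str]]:
    """Return (device, reported_version, verdict) for every device needing attention.

    Verdict is 'below-minimum' or 'unparseable'. Devices at or above the
    minimum are omitted from the result.
    """
    findings = []
    for device, reported in inventory:
        below = is_below(reported, minimum)
        if below is None:
            findings.append((device, reported, "unparseable"))
        elif below:
            findings.append((device, reported, "below-minimum"))
    return findings


if __name__ == "__main__":
    for device, reported, verdict in audit(INVENTORY):
        print(f"{device}: reports {reported!r} -> {verdict}; "
              f"install the vendor update and re-check")
```

Treating an unparseable version as a finding rather than a pass is the deliberate choice here: a device that cannot tell you what it is running is exactly the kind of device the Cisco quote describes, one that stays compromised because nobody can inspect it.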