Smart thermostats from Heatmiser can give hackers easy access to your heating system if you log in from a Windows PC.
Heatmiser’s WiFi thermostats, which let you control the temperature of different rooms in your house, contain a number of security flaws which were discovered by researcher Andrew Tierney.
He said the Heatmiser platform uses an easy-to-guess default username and PIN – admin and 1234 – when connected remotely from a Windows computer, and also exposes details of your WiFi connection, potentially opening your home network to further attacks.
Heatmiser has advised customers to stop accessing its WiFi thermostats from desktops while it works on a fix.
Heatmiser said: “A security issue has been identified on our WiFi Thermostat… It has been identified that if certain steps are carried out, the username and password to your system can be obtained therefore allowing remote access of your system.
“We are working as quickly as possible to resolve this issue but in the meantime would ask that you remove the port forwarding to your WiFi Thermostat in your router. This means that remote web browser access won’t work but you will be able to use the SmartPhone App.”
Tierney also found that the admin page can still be reached even if you change your username and password to something more complicated.
If you log into the admin page from a desktop browser, others using the same network, such as your colleagues, could drive your admin panel by heading to the same page on your network. This is a cross-site request forgery (CSRF) attack: once your browser holds a logged-in session, the thermostat accepts requests that change its settings without checking that they came from its own pages, so a request triggered from elsewhere is carried out in your name.
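To make the CSRF point concrete, here is an added example that is not code from Heatmiser or from Tierney's research. It simulates a hypothetical thermostat web interface with a login and a "set temperature" action, first with no protection (any request carrying the session cookie is honoured) and then hardened with the two checks a practitioner would expect: a per-session synchronizer token embedded in the device's own form, and an Origin/Referer check against the device's address. The device address, URL paths, form fields and attacker origin are all constructed for the demo; only the admin/1234 default login comes from the article.

```python
"""CSRF against a hypothetical thermostat admin page: unprotected vs hardened.

Added example (not Heatmiser's or Tierney's code). The device address,
paths, field names and attacker origin below are constructed for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.1.50"  # constructed LAN address of the device


@dataclass
class Request:
    """Just enough of an HTTP request for the demo."""
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


class Thermostat:
    """Tiny stand-in for a device web UI; `protect` toggles CSRF defences."""

    def __init__(self, protect: bool, user: str = "admin", pin: str = "1234"):
        self.protect = protect
        self.user, self.pin = user, pin          # article's default credentials
        self.sessions = {}                       # session id -> per-session data
        self.target_temp = 20.0

    def login(self, user: str, pin: str) -> dict:
        """Return the cookies a browser would store after a successful login."""
        if not (hmac.compare_digest(user, self.user) and hmac.compare_digest(pin, self.pin)):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"csrf": secrets.token_urlsafe(16)}
        return {"sid": sid}

    def csrf_token(self, cookies: dict) -> str:
        """Token the device embeds in its own form; an attacker's page cannot read it."""
        return self.sessions[cookies["sid"]]["csrf"]

    def _csrf_ok(self, req: Request, sess: dict) -> bool:
        # 1) synchronizer token: value from the device's own form must round-trip.
        token_ok = hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"])
        # 2) source check: browsers attach Origin (or at least Referer) to
        #    cross-site POSTs, so a form auto-submitted from another site fails.
        src = urlsplit(req.headers.get("Origin") or req.headers.get("Referer", ""))
        want = urlsplit(DEVICE_ORIGIN)
        origin_ok = (src.scheme, src.netloc) == (want.scheme, want.netloc)
        return token_ok and origin_ok

    def handle(self, req: Request) -> tuple[int, str]:
        """Dispatch a request; returns (status, message)."""
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None:
            return 401, "login required"
        if req.method == "POST" and req.path == "/set_temp":
            if self.protect and not self._csrf_ok(req, sess):
                return 403, "rejected: request did not come from the device's own page"
            self.target_temp = float(req.form["temp"])
            return 200, f"target set to {self.target_temp}"
        return 404, "not found"


def forged_request(cookies: dict) -> Request:
    """What the browser sends when an attacker's page auto-submits a form to the
    device: the browser attaches the device's cookie by itself, but the page
    cannot supply the session token and carries its own Origin."""
    return Request("POST", "/set_temp", cookies, {"temp": "35"},
                   {"Origin": "http://attacker.example"})


def legitimate_request(dev: Thermostat, cookies: dict) -> Request:
    """A submission from the device's own admin page."""
    return Request("POST", "/set_temp", cookies,
                   {"temp": "21", "csrf": dev.csrf_token(cookies)},
                   {"Origin": DEVICE_ORIGIN})


def demo(protect: bool) -> tuple[int, int, float]:
    """Log in with the defaults, send a legitimate update, then a forged one.
    Returns (legitimate status, forged status, final target temperature)."""
    dev = Thermostat(protect)
    cookies = dev.login("admin", "1234")
    legit_status, _ = dev.handle(legitimate_request(dev, cookies))
    forged_status, _ = dev.handle(forged_request(cookies))
    return legit_status, forged_status, dev.target_temp


if __name__ == "__main__":
    print("unprotected:", demo(False))   # forged request accepted, temp 35.0
    print("protected:  ", demo(True))    # forged request rejected, temp 21.0
```

The unprotected device ends up at the attacker's 35 degrees because the only thing it checked was the cookie, which the victim's browser supplies automatically. With the token and origin checks in place the same forged request gets a 403 while the genuine one still succeeds. Either check alone is usually enough; both together survive a browser that strips Referer or a token that leaks.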
Tierney said: “If you want a thermostat that can’t be activated by just about anyone, then I would suggest returning your Heatmiser WiFi thermostat. My recommendation would be to stop port-forwarding to both port 80 and 8068. You will lose remote control, but would still be able to access the thermostat from inside your house.”
Heatmiser recently launched a Windows Phone app to complement its iOS and Android apps. This means you can still adjust the temperature of each room manually without having to log in from a desktop browser.