This week Heatmiser, a UK-based manufacturer of digital thermostats, has been contacting its customers regarding a series of security flaws that range from simple errors to potentially disastrous oversights that could expose those using a Wi-Fi-connected version of its product to takeover.
Heatmiser's actions appear to be the direct result of the litany of issues outlined by security researcher Andrew Tierney on his blog. According to Tierney, the company's Wi-Fi-enabled thermostats running firmware version 1.2 expose the full set of Wi-Fi credentials, including the SSID (Service Set Identifier), username, and password, to anyone logged in to the device's web interface. Additionally, the device is vulnerable to cross-site request forgery (CSRF): an attacker could send a user a malicious link which, if opened while that user had recently logged in to the thermostat, would cause the browser to issue requests to the device in the user's authenticated session.
According to comments on Tierney's blog post, these major security flaws have been in effect for over a year.
Responding to the onslaught of questions and concerns that this information has prompted, Martyn Kay, a Director at Heatmiser, told the press: “We are actively working on a solution and whilst we don't have a time frame for this, it is an important priority for us and we hope to have this rectified very soon.”