Study together with the BSI: IT security of smart radiator thermostats

Certitude carried out the technical security testing of smart radiator thermostats on behalf of the German Federal Office for Information Security (BSI). The study that emerged from this project was published today and shows that there is still a lot of catching up to do, particularly when it comes to the handling of vulnerabilities.

It should come as no surprise that operating many small Internet-connected computers poses a challenge for IT security. The BSI therefore chose to analyze one IoT product group found in households, smart radiator thermostats. The study examined how manufacturers of such consumer products deal with IT security and which security gaps lie dormant in these systems.

For the study, Certitude Consulting and its partner company CyberDanube carried out technical analyses of several smart thermostats and their companion apps. The scope of the review covered the hardware, the firmware and the mobile apps. As part of the analyses, the conformity of the solutions with ETSI EN 303 645 (Cyber Security for Consumer Internet of Things) and the OWASP Mobile Application Security Testing Guide (MASTG) was checked. Identified vulnerabilities were reported to the respective manufacturers through a Coordinated Vulnerability Disclosure (CVD) process. The study also included a survey of the manufacturers, which was carried out by INFO GmbH.

The vulnerabilities identified included cross-site scripting (XSS) and unencrypted network communication, as well as unclear authorization concepts and inadequate security checks.

Nine out of ten manufacturers did not state a guaranteed minimum period during which their products would receive security updates. There is also room for improvement in how manufacturers deal with security vulnerabilities: more than half of them had no responsible disclosure policy, and in one case it was found that reported vulnerabilities were not fixed promptly.

More information about the publication and the study as a PDF can be found on the BSI website.