{"id":3284,"date":"2024-12-10T18:23:55","date_gmt":"2024-12-10T16:23:55","guid":{"rendered":"https:\/\/certitude.consulting\/blog\/?p=3284"},"modified":"2024-12-11T08:11:22","modified_gmt":"2024-12-11T06:11:22","slug":"study-together-with-the-bsi-it-security-of-smart-radiator-thermostats","status":"publish","type":"post","link":"https:\/\/certitude.consulting\/blog\/en\/study-together-with-the-bsi-it-security-of-smart-radiator-thermostats\/","title":{"rendered":"Study together with the BSI: IT security of smart radiator thermostats"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2024\/12\/be25c852-f95a-4ffa-8350-8d2c1fd226b9.jpg\" alt=\"\" class=\"wp-image-3266\" srcset=\"https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2024\/12\/be25c852-f95a-4ffa-8350-8d2c1fd226b9.jpg 1024w, https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2024\/12\/be25c852-f95a-4ffa-8350-8d2c1fd226b9-300x300.jpg 300w, https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2024\/12\/be25c852-f95a-4ffa-8350-8d2c1fd226b9-150x150.jpg 150w, https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2024\/12\/be25c852-f95a-4ffa-8350-8d2c1fd226b9-768x768.jpg 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Certitude carried out the technical security testing of smart radiator thermostats on behalf of the Federal Ministry for Information Security (<a href=\"https:\/\/www.bsi.bund.de\" data-type=\"link\" data-id=\"https:\/\/www.bsi.bund.de\" target=\"_blank\" rel=\"noreferrer noopener\">BSI<\/a>). The study that emerged from this project was published today and shows that there is still a lot of catching up to do, particularly when it comes to dealing with vulnerabilities.<\/strong><\/p>\n\n\n\n<p>It should come as no surprise that operating many small computers connected to the Internet poses a challenge for IT security. The BSI has therefore focused on analyzing the IoT product group in households, specifically smart radiator thermostats. The <a href=\"https:\/\/www.bsi.bund.de\/DE\/Service-Navi\/Presse\/Pressemitteilungen\/Presse2024\/240110_Studie_Smarte_Heizkoerperthermostate.html\" data-type=\"link\" data-id=\"https:\/\/www.bsi.bund.de\/DE\/Service-Navi\/Presse\/Pressemitteilungen\/Presse2024\/240110_Studie_Smarte_Heizkoerperthermostate.html\" target=\"_blank\" rel=\"noreferrer noopener\">study<\/a> examined how manufacturers of such consumer products deal with IT security and what security gaps lie dormant in these systems.<\/p>\n\n\n\n<p>For the study, Certitude Consulting and its partner company <a href=\"https:\/\/cyberdanube.com\/\" data-type=\"link\" data-id=\"https:\/\/cyberdanube.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">CyberDanube<\/a> carried out technical analyses of several smart thermostats and the associated operating apps. The scope of the review included the hardware, firmware and mobile apps. As part of the analyses, the conformity of the solutions with ETSI EN 303645 and the OWASP Mobile Application Security Testing Guide was checked. Identified vulnerabilities were reported to the relevant manufacturers through a Coordinated Vulnerability Disclosure (CVD) process. The study also included a survey of the manufacturers, which was carried out by <a href=\"https:\/\/www.infogmbh.de\/\" data-type=\"link\" data-id=\"https:\/\/www.infogmbh.de\/\" target=\"_blank\" rel=\"noreferrer noopener\">INFO GmbH<\/a>.<\/p>\n\n\n\n<p>The vulnerabilities identified included cross-site scripting and unencrypted network communication as well as unclear authorization concepts and inadequate security checks.<\/p>\n\n\n\n<p>Nine out of ten manufacturers did not provide any information regarding a guaranteed minimum period in which the products would be provided with security updates. There is also room for improvement in the way manufacturers deal with security vulnerabilities: more than half of them did not have a responsible disclosure policy; in one case it was found that vulnerabilities were not fixed promptly.<\/p>\n\n\n\n<p>More information about the <a href=\"https:\/\/www.bsi.bund.de\/DE\/Service-Navi\/Presse\/Pressemitteilungen\/Presse2024\/240110_Studie_Smarte_Heizkoerperthermostate.html\" target=\"_blank\" rel=\"noreferrer noopener\">publication<\/a> and the <a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/Publikationen\/DVS-Berichte\/smarte-heizungsthermostate.html?nn=132646\" data-type=\"link\" data-id=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/Publikationen\/DVS-Berichte\/smarte-heizungsthermostate.html?nn=132646\" target=\"_blank\" rel=\"noreferrer noopener\">study<\/a> as a PDF can be found on the BSI website.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Certitude carried out the technical security testing of smart radiator thermostats on behalf of the Federal Ministry for Information Security (BSI). The study that emerged from this project was published today and shows that there is still a lot of catching up to do, particularly when it comes to dealing with vulnerabilities. It should come [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":3266,"comment_status":"closed","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[103],"tags":[634,637],"class_list":["post-3284","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability-research-en","tag-heizkorperthermostate-en","tag-presse-de-en"],"_links":{"self":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/3284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/comments?post=3284"}],"version-history":[{"count":2,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/3284\/revisions"}],"predecessor-version":[{"id":3289,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/3284\/revisions\/3289"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/media\/3266"}],"wp:attachment":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/media?parent=3284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/categories?post=3284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/tags?post=3284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}