Pierluigi Paganini January 16, 2024

Researchers warn of high-severity vulnerability affecting Bosch BCC100 thermostats.

Researchers from Bitdefender discovered a high-severity vulnerability affecting Bosch BCC100 thermostats.

The researchers discovered a vulnerability, tracked as CVE-2023-49722 (CVSS score: 8.3), that can be exploited by an attacker on the same network to replace the device firmware with a rogue version.

The vulnerability was reported to the vendor in August 2023 and was addressed by the vendor in November 2023.

“A network port 8899 is always open in BCC101/BCC102/BCC50 thermostat products, which allows an un-authencated connection from a local WiFi network.” reads the advisory published by Bosch.

The thermostat is composed of two collaborating microcontrollers, a Hi-Flying chip, HF-LPT230, responsible for managing the Wi-Fi functionality and a chip from STMicroelectronics, STM32F103, which functions as the device’s central processing unit.

The issue impacts the HF-LPT230 microcontroller that acts as a network gateway for the logic microcontroller.

An attacker can exploit the vulnerability to send commands to the thermostat, including writing a malicious update to the device.

“We have discovered that the Wi-Fi chip also listens on TCP port 8899 on the LAN, and will mirror any message received on that port directly to the main microcontroller, through the UART data bus. This means that, if formatted correctly, the microcontroller can’t distinguish malicious messages from genuine ones sent by the cloud server.” reads the advisory published by Bitdefender. “This allows an attacker to send commands to the thermostat, including writing a malicious update to the device.”

The flaw affects the following products:

• Bosch BCC101
  • CVE-2023-49722
    • Version(s): 4.13.20 – v4.13.33 (excluding)
• Bosch BCC102
  • CVE-2023-49722
    • Version(s): 4.13.20 – v4.13.33 (excluding)
• Bosch BCC50
  • CVE-2023-49722
    • Version(s): 4.13.20 – v4.13.33 (excluding)

The vendor addressed the flaw with the release of the WiFi firmware 4.13.33 which closes the port 8899.

“Home users should closely monitor IoT devices and isolate them as completely as possible from the local network. This can be done by setting up a dedicated network exclusively for IoT devices.” concludes the advisory.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Bosch BCC100 thermostats)