Damn, I was just ready to take off the tin foil hat, and this!

:grin:

1 Like

"vulnerability that lets an attacker on the same network replace the device firmware with a rogue version." If you let the attacker roam on your network, you have a bigger problem than being worried that the hacker will play with your thermostat's set points.

17 Likes

For this type of issue, I always set my temperature limits in the thermostat menu to very close to where we normally set.

Unfortunately my Honeywell T6 Pro only sets the max for heat and min for A/C. My old Pearl would limit both high and low for both heat and A/C

Yup

CVE-2023-49722

CVE description: Network port 8899 open in WiFi firmware of BCC101/BCC102/BCC50 products, that allows an attacker to connect to the device via same WiFi network.

So first they have to be on your LAN, which in itself would mitigate the issues for 99.9% of people.

Article is clickbait designed to create fear and panic, causing people to post it all over the place to warn others, and get more clicks and more ad revenue.

5 Likes

While I agree with the sentiment, I don't think I can agree with the 99.9% part. Last time I saw a statistic, something like 40% of households had residents that had shared wifi passwords with persons who were not members of the household.

While most of us here are experienced IT people, we are the minority in the real world. In the real world, many people just don't take the same care that we do.

True, I have a check coming for 22 cents :laughing:. Seriously, it was on my Google feed, so not surprised.

1 Like

WAN-to-LAN attacks aren't common, but internet-connected devices like this can be troublesome, especially when the average Joe may not know that their router could open the port inbound, or, as seen around the internet, when uneducated people recommend port forwarding because something isn't working as expected.

This CVE seems to have already been mitigated though back in October 2023.

A fix has been made in new WiFi firmware 4.13.33 by closing the port 8899, which was used for the WiFi module development debugging purpose. The new firmware v4.13.33 has been updated to the customer field devices in Oct 2023.

A pretty common reason for vulnerabilities like this is "development debugging purpose", especially when a proper Software Development Lifecycle isn't followed.

I don't think that qualifies for running down the block like a Prior on Fire.

Just saying. . . Still, tinfoil is never a bad idea.

:wink:

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.