Over the last several weeks, the security team at Jigsaw Security has been monitoring issues reported by Honeywell Home Connect Comfort in which users began reporting instances where their credentials were used to log in to their accounts and set either extremely high or low temperatures on their thermostats. At first these reports were few and far between, but over the last several weeks the number and frequency of this type of report has increased.
After an extensive review of data from the dark web, we started finding references to discussions in which pranksters and hackers alike have reportedly found ways to directly access and modify temperatures, using credentials that have been reused elsewhere or through other methods, including network manipulation.
We highly suggest that manufacturers implement two-factor authentication to stop unauthorized manipulation of these devices, and that they warn users not to reuse their passwords, as changing temperatures just for kicks appears to actually be a thing.
Note: Many of the reported cases we were able to confirm for this story involved password reuse attacks. While no specific security vulnerabilities were noted in the devices themselves, it appears as though passwords are being shared, and thousands upon thousands of these devices are Internet accessible: a quick search on public websites exposes their model numbers through banners and other methods. We recommend never using NAT port mapping for IoT devices, as this also appears to be an issue that was observed.