Home sweet Home

Image courtesy of Der Spiegel

Domestic cyber attacks are still something very abstract. First of all Home Area Networks (HAN) and network / internet-enabled appliances are still at their infancy and not widely deployed yet. And even if you could break into and mess around with such an installation, what damage could you do… switch on the patio light?

A small glimpse of what the potential risks are showed a recently discovered security hole of a combined heat and power unit offered by Vaillant, one of Europe’s leading heating technology manufacturer.

The ecoPOWER 1.0 is a domestic small-scale system that burns natural gas to provide heating and power for family homes. To date around 800 systems of this type have been installed.
The system can be remote-controlled and remotely serviced via its internet connection.
A web interface allows home owners to control heating settings, while service technicians can use it to remotely service / diagnose the appliance.

However, the German trade journal BHKW-Infothek recently published a report about a security hole in this web interface that allows the recovery of plain text passwords of customers, service technicians and even developers.

Using these credentials attackers can mess around with the system, and for example shut down the entire appliance (frozen pipes in winter time are no fun) or increase the temperature above safe margins, which can cause structural damage to houses. The developer credential allows attackers to go even deeper and access the internal CAN bus directly.

A detailed video (in German) can be found here.

The problem is exacerbated by the fact that all appliances are registered with Vaillant’s own DynDNS service, so devices can be found via trial and error.

In recent days Vaillant has sent all its customers a warning, recommending they manually disconnect the appliances from the network. According to Der Spiegel Vaillant plans to retrofit all ecoPOWER 1.0 systems with VPN boxes.

Speak Your Mind


This site uses Akismet to reduce spam. Learn how your comment data is processed.