Wifi thermostats

Reply

  #1  
Old 12-08-14, 07:33 AM
Geochurchi's Avatar
Member
Thread Starter
Join Date: Nov 2012
Location: USA
Posts: 4,341
Received 36 Votes on 34 Posts
Wifi thermostats

Hi All,what are the chances of wifi thermostats being Hacked? what are the dangers if it were?
Geo
 
Sponsored Links
  #2  
Old 12-08-14, 09:56 AM
G
Member
Join Date: Oct 2002
Location: Hamilton County, Ohio
Posts: 4,296
Received 2 Votes on 2 Posts
I guess that a hacker could dial it up or down, but that should not cause a serious problem. What fun is that?
However , if you are paranoid, consider that they may be able to read the occupied vs un occupied settings and know when your home is empty and ripe for burglary.
 
  #3  
Old 12-08-14, 10:36 AM
PJmax's Avatar
Group Moderator
Join Date: Oct 2012
Location: Northern NJ - USA
Posts: 56,259
Received 733 Votes on 688 Posts
If you mount the thermostat inside the furnace then it will be behind a firewall.

The thermostat contains the wireless network password. That would be the only thing that I'd be worried about.
 
  #4  
Old 12-08-14, 11:09 AM
G
Member
Join Date: Oct 2002
Location: Hamilton County, Ohio
Posts: 4,296
Received 2 Votes on 2 Posts
Very punny Pete .
 
  #5  
Old 12-08-14, 01:37 PM
P
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
Received 0 Votes on 0 Posts
Very Dumb Security For a WiFi Thermostat | Hackaday
Hacking Heatmiser ^^^ thermostat.

Nest Smart Thermostat Can Be Hacked to Spy on Owners
Hacking Google Nest ^^^ thermostat.

https://www.idradar.com/news-stories...o-Easy-To-Hack

General info on wifi thermostat hacks^^^.
 
  #6  
Old 12-10-14, 05:27 AM
Geochurchi's Avatar
Member
Thread Starter
Join Date: Nov 2012
Location: USA
Posts: 4,341
Received 36 Votes on 34 Posts
How is the wifi thermostat detected from outside?I am thinking that if the Stat is password protected(which it is)it would be more difficult to hack.
Geo
 

Last edited by Geochurchi; 12-10-14 at 05:46 AM.
  #7  
Old 12-10-14, 10:13 AM
P
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
Received 0 Votes on 0 Posts
I've never tried to hack a wireless thermostat but here are some wifi hacking basics. Most wifi devices connect to a router. The router signal travels as far as 200 feet. Let's say that someone within that range was looking at the signal from the router. He could also see the MAC address, of the devices connected, to it. The normal procedure would be to attempt to hack the router first. Chances are that the thermostat wouldn't be of interest but who knows?

The answer to your question is yes, passwords on the router & the other devices make the hack more difficult. However, most people use birthdays, pet names & other easily guessed words from a dictionary, as their passwords. I saw one where the user name was frog & the password was leap. Things like that are easily cracked, if the hacker can get the encrypted password file. The type of encryption on the router is important too. Don't use WEP. Use WPA2 or variations, of it. Passwords should be a combination of upper & lower case letters, numbers & other symbols. It should be at least 8 characters long but 12 to 15 would be much better.
 
  #8  
Old 12-10-14, 11:56 AM
Z
Forum Topic Moderator
Join Date: Sep 2005
Location: USA
Posts: 5,035
Received 72 Votes on 68 Posts
I see 2 ways WiFi thermostats could be hacked...

1) If you don't use security on your wireless network. It is basically inviting anyone to mess around with anything connected to your network. No one should ever have a unsecured wireless network! Also, as Pulpo said, WEP security is old and rather insecure. It can be broken reasonably easy by anyone who's bored enough to try. Once you get WPA2 or similar, it gets to the point of not being worth trying.

2) The second way is however the wifi thermostat allows it to be controlled via the Internet. If all you do is adjust the temp from inside your house while on your own network, it's pretty secure, no one else can 'see' it, network-wise. But if you allow control from outside, then the theory goes, now you have access, and so does everyone else. At that point, you're relying on the security of the device... and since they are so new, I'm not sure who really knows how they handle passwords, connection security, etc.

In my opinion, if you want one, get one. I personally haven't had the need to set the house temperature while on vacation, but if you do, go for it. As others have said, the worst that should happen is that someone adjusts the temperature in your house - and at the real worst, bricks the thermostat itself. I don't see any way it could hurt your heating/cooling system in any real way.

I'm still looking for a thermostat that looks as nice as the Nest thermostat without all the learning and connectivity but is a simple programmable stat.
 
  #9  
Old 12-10-14, 12:49 PM
Geochurchi's Avatar
Member
Thread Starter
Join Date: Nov 2012
Location: USA
Posts: 4,341
Received 36 Votes on 34 Posts
Thanks All,good info.
Geo
 
  #10  
Old 12-10-14, 06:46 PM
P
Temporarily Suspended
Join Date: Jul 2008
Location: NY
Posts: 10,986
Received 0 Votes on 0 Posts
Let me explain how paragraph 2) of Zorfdt's post might work. For a home owner to be able to control his thermostat, over the internet, he would have to have port forwarding enabled, on his router. Dyndns maybe needed as well but forget about that for the moment. It has nothing to do with wifi. It's strictly over the internet. Let's take a look at the port forwarding instructions for the Heatmiser wifi thermostat. It uses port 8068. I won't get into source ports & destination ports, at the moment.

Port Forwarding the Huawei E355 Router for Heatmiser WiFi Thermostat

So let's say that for some dumb reason, i wanted to see who has that thermostat running on that port. I would start Ostrosoft domain scanner & scan a Class C subnet of port 8068. I won't go into subnets either. Let's say that I found an IP address with that port opened. To connect to it, I may need, the company's software or it may accept a telnet connection, which is rare these days but you get the idea. Note, that I don't know who my victim is. If I want to connect to a particular person's system, I would have to have an idea as to what his IP address might be. If I could get him to send me an email, that could be one way to get that info.
 
Reply
Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Thread Tools
Search this Thread
 
Ask a Question
Question Title:
Description:
Your question will be posted in: