Security hole can damage heating systems
It has been discovered that heating systems from German company Vaillant contain a serious security hole. The ecoPower 1.0 models of central heating and power systems include a vulnerability that allows attackers to turn the system off and potentially even damage the system in the process. In a message sent to its customers, the manufacturer recommends physically disconnecting the affected products from the network until a service technician can fix them on site.
The ecoPower 1.0 is a small-scale combined heat and power unit that uses natural gas to provide heating and power for one- or two-family homes. The system is connected to the internet and provides a web interface that allows homeowners to remotely control the heating in their house. However, a security hole in this web interface makes it easy to access plaintext passwords for the systems.
In addition to the customer administration passwords, attackers can then gain access to the functions usually reserved for service technicians working for Vaillant. With these remote administration credentials, attackers can shut down the system completely, which in winter months could damage the heating system were it to freeze up. In summer months, increasing the temperature above safe margins can overheat certain heating elements if they are not attached to independent limiters. The situation is exacerbated by the way the heating systems in question are connected to the internet: because the systems are hooked up to Vaillant's own dynamic DNS service, it is relatively easy to find all of the ecoPower systems that are online by simple trial and error.
The hole was discovered by a reader of the German trade journal BHKW-Infothek. The industry journal collaborated with The H's associates at heise Security and CERT Bund at the German Federal Office for Information Security (BSI) to reproduce the problem and develop a fix. This fix is now being rolled out by Vaillant to affected customers. Vaillant is also working on offering customers a VPN box that encrypts the heating system's connection to the manufacturer. This VPN box will be provided free of charge to customers with a service contract. Other customers will have the option to buy the add-on for a currently undisclosed price.