Data theft via heating: The BSI warns about these smart thermostats


Smart radiator thermostats are a useful purchase, especially in the cold season. But the devices pose a great danger to your data.

Even smart thermostats can be hacked by cybercriminals. (Source: Tado)

Energy prices are still high, which is why heating becomes expensive in winter. To manage energy efficiently, it can be worth using smart thermostats. But be careful: as is so often the case, the intelligent devices prove to be practical, but the necessary IT security is lacking.

As the Federal Office for Information Security (BSI) discovered in a study, the security properties of smart radiator thermostats are very questionable. In the worst case, your personal data can end up in the wrong hands.

Security defects in nine out of ten devices

As part of the “IT security on the digital consumer market” study series, the BSI examined a random sample of ten smart radiator thermostats. The devices were subjected to various tests and vulnerability analyses, and the manufacturers were interviewed. The majority of thermostats comply with basic European security requirements.

Nine out of ten of the thermostats tested passed three quarters of the test cases based on the European standard ETSI EN 303 645 (Cyber Security for Consumer Internet of Things: Baseline Requirements). This means there is no critical risk, but there is still a lot of room for improvement in cybersecurity.

These devices have been tested

  • Fritz!DECT 301 from AVM
  • Netatmo thermostat from Netatmo
  • V3+ Basic from Tado
  • Radiator thermostat II from Bosch
  • Evo from Homematic IP/eQ-3 AG
  • Hama
  • Shelly TRV from Shelly
  • ZX5280-944 from Revolt
  • HT CZ01 from Brennenstuhl
  • Kasa KE 100 from TP-Link

Note: The BSI study does not reveal which devices the following defects apply to. Even when we asked the Federal Office for Information Security, we were unable to obtain any information about this.

One of the biggest problems is the insecure encryption of your data. Sensitive information is often stored insecurely and sent to a server with only weak encryption. One device even establishes an unencrypted connection. This would make your data easy for cybercriminals to view.

In addition, some thermostats are vulnerable to hacker attacks via the WiFi connection. This also partly applies to the corresponding apps. Data such as name, address and email address is stored there, which hackers can access by exploiting security gaps. With three devices that are operated with a third-party app, the attack surface is significantly larger.

Manufacturers simply take ready-made software and label it with their own brand name. Such applications are much more susceptible to vulnerabilities. What makes it even more difficult is that nine out of ten manufacturers do not provide any information about a guaranteed minimum support period. It is therefore not possible to predict how long the affected thermostats will receive security updates.

The BSI also found that vulnerabilities in more than five tested devices were not remedied promptly. With this result, responsibility for IT security falls to you. We therefore recommend that you provide as little data as possible when using smart thermostats. This is the only way you can really be sure that your personal information remains safe.
