notabot

Hi,

I haven't managed to find security reviews for thermostats. For home cameras, AV-Test has some reviews, and they were useful in helping me choose our cameras.
Is anyone aware of something similar for thermostats?
 

Slyguy

I am also unaware of any specific reviews regarding security. However, if you follow best practice, you can be pretty effective in securing them. Emerson Sensi is used by a lot of folks I know in IT. The reason is, there is a long code printed on the back of the thermostat itself that is required to connect to it. Anyone not having that code paired to their account won't be able to connect or access it in any way.

For IoT I like to do the following:

1) Secure them on their own guest WiFi SSID (or VLAN).
2) Secure them behind a Gryphon, under a strict USER with 'Toddler' as the policy, and only permit the egress necessary for device functionality.

That way, in general, it's not going to be compromised, because nothing is WAN facing other than exactly what is needed for the operation, and the device is secured on its own VLAN (or Guest SSID).
 

notabot

Thanks for this Slyguy, much appreciated and useful tips re putting them in a VLAN.

Still, I wouldn't want my router to tell me it uses plaintext HTTP after the purchase; this is something I'd rather know in advance. Maybe it uses HTTPS but with a very weak cipher, maybe it doesn't update certificates, or the certificate update process is weak, maybe the EULA is very bad on privacy. Maybe it has default passwords, maybe it has ancient firmware that's exploitable. These maybes are not theory; for plenty of consumer devices they're true, unfortunately.
 

Slyguy

If you work under the assumption that virtually everything is already compromised (except in a few extremely secure cases), then you will be well served. Because in fact, most things are compromised, it's just that nobody has found out about the compromise in most cases.

IoT should be specifically limited in a home for this reason. I try to limit my IoT, and when possible isolate it to specific VLANs, and always ensure a strict policy on the internet and only allow specific domains required for device operation. Working from the assumption everything is compromised.

Right now, I have a thermostat, smoke alarm and space heater in the guest bedroom as my basic IoT devices. But it is required in the cases of those devices. For example, without an App, the space heater cannot be scheduled to go on and off or remotely notify me if it was left on. My thermostat is required; I use the IoT aspect of that constantly. My cameras can't talk out, internal server with cloud storage of the clips. My DVRs are restricted to traverse the WAN only during a short 45-minute window each night for programming updates. That pretty much wraps up the IoT around here.

Once again, my assumption is - it's all been compromised.
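The segmentation Slyguy describes in both of his posts (IoT on its own VLAN, egress limited to the vendor endpoints a device actually needs, the DVR's nightly 45-minute WAN window), written out as an added nftables ruleset for a Linux router; this is an example added here, not the thread's own configuration and not a Gryphon policy. Interface names, the IoT subnet, the DVR address and the 198.51.100.x "vendor" addresses are assumed placeholders to be replaced with the vendor's documented endpoints.

```nftables
# Added example, not from the thread: Linux router with IoT on its own VLAN.
# Interface names, addresses and vendor endpoints are assumed placeholders.
flush ruleset
define LAN_IF = "vlan10"        # trusted laptops and phones
define IOT_IF = "vlan20"        # thermostat, space heater, DVR
define WAN_IF = "eth0"
define DVR    = 192.168.20.50   # constructed address of the DVR
table inet filter {
    # Thermostat cloud service pinned to addresses from the vendor's docs;
    # 198.51.100.x is the documentation range, used here as a placeholder.
    set thermostat_cloud {
        type ipv4_addr
        elements = { 198.51.100.10, 198.51.100.11 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        iifname $LAN_IF accept
        # IoT devices may only use the router itself for DHCP and DNS.
        iifname $IOT_IF udp dport { 53, 67 } accept
        iifname $IOT_IF tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may open connections to IoT and the Internet; IoT never
        # initiates toward the LAN, so a compromised device cannot pivot.
        iifname $LAN_IF oifname $IOT_IF accept
        iifname $LAN_IF oifname $WAN_IF accept
        # IoT egress: only the pinned vendor endpoints, over TLS.
        iifname $IOT_IF oifname $WAN_IF ip daddr @thermostat_cloud tcp dport 443 accept
        # DVR's nightly guide update: a 45-minute window in local time
        # (meta hour needs nftables >= 0.9.4 and kernel >= 5.6).
        iifname $IOT_IF oifname $WAN_IF ip saddr $DVR tcp dport { 80, 443 } meta hour "03:00"-"03:45" accept
        # Everything else leaving the IoT VLAN is logged (rate-limited) and
        # falls to the drop policy; new entries here mean a new phone-home.
        iifname $IOT_IF limit rate 5/minute log prefix "iot-egress-denied: "
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

Load with `nft -f` and watch the kernel log for the `iot-egress-denied:` prefix for a few days: that is the quickest way to learn which endpoints a new device really needs before widening the allowlist.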
 

notabot

Can you configure the thermostat remotely though?

Also, which cameras work with internal server storage? I've only seen cloud ones (from the subset of cameras that has had a security audit, i.e. the ones from AV-Test).