
Heatmiser Thermostats insecure - theregister.co.uk
 Posted: Wednesday Sep 24th, 2014 04:30 pm
1st Post
palmlodge
Member
 


http://www.theregister.co.uk/2014/09/24/heatmiser_digital_thermostat_insecure/



 Posted: Wednesday Sep 24th, 2014 05:14 pm
2nd Post
juwi_uk
Member



As a Heatmiser user, they sent me an email directly on this, so I assume they have to other users too, explaining what to do as a workaround at the moment and that a fix is being created.



 Posted: Wednesday Sep 24th, 2014 05:47 pm
3rd Post
tman
Comfort Distributors
 


The writeup is for the WiFi thermostats that aren't Heatmiser Neo since that is a different system which has a central gateway unit that connects via Ethernet and the individual thermostats themselves connect to the gateway using some other protocol. If you only have the RS485 networked Heatmisers that the UCM/Heatmiser connects to and don't have any that connect to WiFi or use an Ethernet gateway like the Neo range then you shouldn't be affected by these flaws.

If you do have one, then disable both port forwarding rules (80 and 8068) and you should be safe from people messing with it remotely. You'll still be able to adjust the thermostat from your local network. The WiFi thermostats basically have no security at all as the authentication has been extremely badly implemented.

juwi_uk wrote:
"As a Heatmiser user, they sent me an email directly on this, so I assume they have to other users too, explaining what to do as a workaround at the moment and that a fix is being created."

Updating the firmware on these Heatmiser units appears to be quite annoying to do. You need to pay a deposit and then Heatmiser will loan you a PIC programmer dongle with the new firmware preprogrammed. Once you receive the dongle, you need to open the thermostat to access the ICSP socket. The thermostat doesn't appear to be able to accept firmware updates via WiFi or via the USB port.

Last edited on Wednesday Sep 24th, 2014 05:48 pm by tman
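
A way to confirm the workaround in the post above took effect, as an added example that is not part of the original thread: it checks whether the two forwarded ports (80 and 8068) still accept TCP connections on your own connection's public address. The function names are hypothetical, and it assumes you run it from outside the home network (for example over a mobile connection), since a test from inside the LAN can give a misleading answer.

```python
import socket
import sys

# The two port-forwarding rules named in the post above.
HEATMISER_FORWARDED_PORTS = (80, 8068)


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # something answered: the forward is still live
    except ConnectionRefusedError:
        return "closed"          # host reachable, nothing forwarded on this port
    except OSError:
        return "filtered"        # timeout or unreachable: dropped by the router


def audit(host, ports=HEATMISER_FORWARDED_PORTS, timeout=3.0):
    """Return {port: state} for every port that should no longer be forwarded."""
    return {port: probe(host, port, timeout) for port in ports}


def still_exposed(results):
    """Ports whose forwarding rule is evidently still active."""
    return sorted(port for port, state in results.items() if state == "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_forwards.py <your-own-public-address>")
    results = audit(sys.argv[1])
    for port, state in sorted(results.items()):
        print(f"tcp/{port}: {state}")
    exposed = still_exposed(results)
    if exposed:
        print("Still reachable from outside:", ", ".join(map(str, exposed)))
        sys.exit(1)
    print("Neither forwarded port answers from outside.")
```

An "open" result on port 80 can also come from another device or the router's own admin page, so treat it as a prompt to review the router's forwarding table rather than proof that the thermostat is exposed.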



 Posted: Wednesday Sep 24th, 2014 07:53 pm
4th Post
juwi_uk
Member



I have the WiFi one. I assume, BTW, that the NEO range isn't supported by the UCM/HM yet, is it?



 Posted: Thursday Sep 25th, 2014 05:49 am
5th Post
tech07
Administrator
 


It is not supported yet.


