Security Technology

Trane Takes 2 Years To Remove Hard-Coded Root Passwords From IoT Thermostat

An anonymous reader writes: It took 22 months for Trane to patch three security bugs in its ComfortLink II XL950 smart Wi-Fi thermostat, a modern IoT device along the lines of Google Nest, which offers a simple way to manage your apartment's or building's internal temperature. Researchers contacted Trane about their three issues in April 2014, the company fixed the RCE flaws in April 2015 and recently released a firmware update at the end of January to fix the last issue. During all this time, the company barely answered emails and continued to sell an exposed product.

  • This has always been a severe issue with specific hardware produced by companies that aren't technology focused (and even some that are). These little debugging/service backdoors worked when there wasn't a vast resource of easy information sharing - and the device wasn't able to be accessed from anywhere. One day these product engineers will figure that out - maybe.
    • That said, I bet that security hole would have been fixed a hell of a lot quicker if it was publicly announced to the world instead of trying to report it through Trane's security inept support channels.

      • by AmiMoJo ( 196126 )

        It's basically an impossible situation for security researchers. If they report it only to the manufacturer it can take years to be fixed. If they report it with a note that they will go public in a month they get sued or arrested. If they just report it publicly they are accused of being irresponsible.

        When I find an security flaw, if the company has a bug bounty programme or formal submission process I report it to them with a note that I'll post it publicly in a month unless they ask me to do otherwise. I

    • by Gr8Apes ( 679165 )
      If only they made it LAN only, it would already be infinitely more secure than most of these companies are capable of making a true internet accessible IoT device. It's that simple. Besides, I don't want or need an account with some service to run something on my own network.
      • True, but then you couldn't control it from the airport with your smartphone. You could argue security issues, but that would result in too many people not feeling the joy of controlling their home from anywhere in the world. Of course they forget others could too...that's beside the point, at least to those seduced by the "cool" factor. (I blame Apple...too user friendly for our own good..)
        • For centrally managed services, that doesn't require an inbound password. That can be done by the device making outbound connections to the central server.

        • by Gr8Apes ( 679165 )

          (I blame Apple...too use friendly for our own good..)

          I'd blame the ISPs that make it so darn difficult to connect directly to your own machines. As for everything else, it truly can be simple, but the manufacturers see $s and want you to pay them more, forever.

        • by Curtman ( 556920 ) *
          I'm sure there's a cool factor that means something to somebody. But when you live in a climate that is -40 degrees (celsius and fahrenheit) at times, having your thermostat email you when the furnace has failed is definitely more than cool, it can save you thousands of dollars.
          • Sure, but it definitely doesn't need inbound network access. It shouldn't need UPnP as the thermostat should simply be polling requests from the central servers.

            It could even be used to send a message to your email (outbound connection).

            Why these devices require inbound connections at all simply doesn't make sense to me.
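The outbound-only design the two comments above describe (the thermostat polls the vendor service and pushes events such as "furnace failed" outward, and never accepts an inbound connection) as an added example. This is constructed code, not Trane's or any product's firmware; the in-process `CommandServer` stands in for an HTTPS endpoint, the device id `xl950-0001` is made up, and the per-device HMAC key replaces the shared hard-coded credential the article is about.

```python
"""Outbound-only device control: the thermostat opens no listening port. It
polls a central service with outbound requests, authenticates each poll with
a per-device key, and verifies every command it receives. Constructed example
code, not Trane's; the in-process CommandServer stands in for an HTTPS API."""
import hashlib
import hmac
import json
import os
import time


def provision_device(device_id: str) -> bytes:
    # Per-device secret generated at provisioning time. No unit shares it, so
    # there is no single hard-coded credential to pull out of the firmware.
    return os.urandom(32)


def _sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


class CommandServer:
    """Vendor side: per-device secrets plus a queue of signed commands."""
    def __init__(self, max_skew=300):
        self._secrets, self._queues, self.events = {}, {}, []
        self.max_skew = max_skew

    def register(self, device_id: str, secret: bytes) -> None:
        self._secrets[device_id] = secret
        self._queues[device_id] = []

    def _authorised(self, device_id: str, auth: dict) -> bool:
        secret = self._secrets.get(device_id)
        if secret is None or abs(time.time() - auth["ts"]) > self.max_skew:
            return False
        expected = _sign(secret, f"{device_id}:{auth['ts']}".encode())
        return hmac.compare_digest(expected, auth["mac"])

    def enqueue(self, device_id: str, command: dict) -> dict:
        # Nonce and timestamp are inside the signed body, so the device can
        # detect replayed and stale commands as well as tampered ones.
        body = dict(command, nonce=os.urandom(8).hex(), ts=int(time.time()))
        payload = json.dumps(body, sort_keys=True).encode()
        msg = {"payload": payload.decode(), "mac": _sign(self._secrets[device_id], payload)}
        self._queues[device_id].append(msg)
        return msg

    def inject(self, device_id: str, msg: dict) -> None:
        # Stands in for an attacker who can write to the channel; the device
        # must reject replayed or altered messages on its own.
        self._queues[device_id].append(msg)

    def poll(self, device_id: str, auth: dict) -> list:
        if not self._authorised(device_id, auth):
            return []
        pending, self._queues[device_id] = self._queues[device_id], []
        return pending

    def report(self, device_id: str, auth: dict, event: str) -> bool:
        # Device-to-cloud events ("furnace failed") also travel outbound only.
        if not self._authorised(device_id, auth):
            return False
        self.events.append((device_id, event))
        return True


class Thermostat:
    """Device side: no server socket, only outbound poll/report calls."""
    def __init__(self, device_id: str, secret: bytes, max_age=300):
        self.device_id, self._secret, self.max_age = device_id, secret, max_age
        self.setpoint_c = 20.0
        self._seen_nonces = set()
        self.rejected = []

    def _auth(self) -> dict:
        ts = int(time.time())
        return {"ts": ts, "mac": _sign(self._secret, f"{self.device_id}:{ts}".encode())}

    def poll_once(self, server: CommandServer) -> None:
        for msg in server.poll(self.device_id, self._auth()):
            payload = msg["payload"].encode()
            if not hmac.compare_digest(_sign(self._secret, payload), msg["mac"]):
                self.rejected.append("bad-mac")
                continue
            cmd = json.loads(payload)
            if cmd["nonce"] in self._seen_nonces or time.time() - cmd["ts"] > self.max_age:
                self.rejected.append("replay-or-stale")
                continue
            self._seen_nonces.add(cmd["nonce"])
            self._apply(cmd)

    def _apply(self, cmd: dict) -> None:
        # Fixed, bounded command set; nothing here executes arbitrary input.
        if cmd.get("op") == "set_setpoint" and 5.0 <= float(cmd.get("celsius", -1)) <= 30.0:
            self.setpoint_c = float(cmd["celsius"])
        else:
            self.rejected.append("unknown-or-out-of-range")

    def report_fault(self, server: CommandServer, text: str) -> bool:
        return server.report(self.device_id, self._auth(), text)


def demo() -> dict:
    server, dev_id = CommandServer(), "xl950-0001"   # constructed device id
    secret = provision_device(dev_id)
    server.register(dev_id, secret)
    stat = Thermostat(dev_id, secret)
    valid = server.enqueue(dev_id, {"op": "set_setpoint", "celsius": 22.0})
    stat.poll_once(server)                            # legitimate command applied
    tampered = {"payload": valid["payload"].replace("22.0", "30.0"), "mac": valid["mac"]}
    server.inject(dev_id, tampered)                   # altered body, old MAC
    server.inject(dev_id, valid)                      # replay of a consumed command
    server.enqueue(dev_id, {"op": "set_setpoint", "celsius": 60.0})  # out of range
    stat.poll_once(server)
    reported = stat.report_fault(server, "furnace failed to ignite")
    return {"setpoint": stat.setpoint_c, "rejected": stat.rejected,
            "reported": reported, "events": len(server.events)}


if __name__ == "__main__":
    print(demo())
```

The point of the layout is that nothing on the device's side of the NAT is reachable: there is no listening socket, no UPnP port mapping and no inbound password to brute-force. A compromised cloud can still push commands, which is why the device signs and bounds-checks what it applies rather than trusting the channel.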

    • Trane is certainly "focused on technology". Just not computer geek technology. Do you know how to design and manufacture a long-lived air conditioning or heat pump compressor? And successfully and profitably for decades?

            Technology existed before the internet, you know.

      • by Thud457 ( 234763 ) on Wednesday February 10, 2016 @05:06PM (#51481979)
        No. But I'm pretty sure I could spec out cheap crap compressors from China while riding my brand name into the dirt.
      • Re: (Score:3, Informative)

        by Anonymous Coward

        "Do you know how to design and manufacture a long-lived air conditioning or heat pump compressor?"
        No, but neither does Trane (or Ingersoll-Rand for that matter, who owns Trane.) They use another company's compressor now.
        Heck, they took the original compressor design they once used from GE, when they bought the division from them years ago. As a matter of fact, the only thing that Trane "owns" in their design is the coils and the cabinets. I believe the coils are actually made by Alcoa.
        "Trane" is just a brand

        • by Curtman ( 556920 ) * on Wednesday February 10, 2016 @06:11PM (#51482723)
          Over engineered crap. It definitely is worse than most other manufacturers. I learned this when the inducer motor went on my furnace. They sold a furnace with an ECM inducer motor (for efficiency's sake?), then stopped making them. So now in order to replace the inducer motor you need a new circuit board, a standard less efficient than what was advertised PSC motor, and someone to completely rewire the furnace with the new wiring harness. Then you need to pay someone labour and parts markup to install the $1400 in parts which they won't sell to you because you're not "Trained in Trane".

          Fuck you Trane. I hope you get hit by a Train.
          • That's not your inducer motor... it is your blower motor, responsible for moving air with a squirrel cage through the ductwork in your home.

            The inducer motor is to force or draw combustion gases through the heat exchanger and out the roof vent. ECM motors are frequently unreliable, and expensive to replace, but you can replace one with a PSC motor and relays without changing out the circuit board.

            • by Curtman ( 556920 ) *
              No. It's the inducer motor. If it was the blower motor I could just get a new motor and install it myself. Trust me, I've learned a lot about this furnace since I was suckered into buying it.
            • by Curtman ( 556920 ) *
              Also.. Everything except the actual motor is made out of plastic. You cannot remove the impeller from the shaft of the motor without breaking it. Once it's broken it cannot be repaired to work reliably at 3000RPM. Even if you could replace it with an equivalent PSC motor and relays, the circuit board communicates with the inducer motor which is no longer there so it will never light the burner even though the pressure switch is closed.
              • We've had a metric ton of problems with the ECM blower motors. Many of the first renditions came with the old boards modified, so that there was still a place to install a PSC motor when the very expensive oem motor failed prematurely. In some cases, you were forced to purchase the motor and control module as one unit.

                The general movement toward increasingly more efficient equipment forces manufacturers to modify proven technology to eke out higher efficiency plateaus, but the savings enjoyed from an upgra

                • by Curtman ( 556920 ) *
                  Even on boards without those terminals, you could if you wanted use relays to switch speeds powered by the EAC terminal which is powered any time the fan is on. Except the circuit board is so "smart", that it can't tell how fast the blower motor is spinning anymore and assumes it has failed.
          • by bozzy ( 992580 )

            Fuck you Trane. I hope you get hit by a Train.

            And forced to listen to the band Train...

          • by jbengt ( 874751 )
            The trend is for single phase motors to go ECM for any application where the speed needs to be adjustable or variable. This is a fact of life for all types and brands of equipment. 10 years ago, we had a job where dozens of ECM motors had to be replaced not long after being installed. The manufacturers seem to have caught on and now use motors that can handle the electronic switching better, so there's very few early failures anymore.
            The other trend in appliances is to add digital electronics that fail
            • by Curtman ( 556920 ) *
              The problem isn't the switch to ECM. It's that they didn't make replacements for when they broke. So repairing a broken ECM inducer motor requires me to replace almost every electronic component in the furnace along with the associated labour costs to do it, even though I'm fully capable of doing it myself. They will not sell them to me.
        • by jbengt ( 874751 )
          First, you're talking about their residential lines. Nobody makes small, off-the-shelf refrigeration systems in the US anymore. Everybody makes them in Asia. (I think there's one manufacturer making them in Africa.)
          Trane's commercial lines are considered middle-of-the-road: Not the high quality equipment that costs too much for the typical cheap budget, and not the piece of crap that will get the submittal rejected by the specifying engineer.
          You are right, though, about branding, though by no means is
      • by swb ( 14022 )

        Isn't the punchline to this "No, and based on my ownership experience, neither does Trane."

  • It's also hard to get a train GOING.

    I'm sure the actual patch writing time was minimal but

    15 different managers had to be consulted/bribed to sign off on the code
    there were 50 different meetings to sort out what the bugs were exactly
    somebody had to be assigned the task of writing the code (and this was a busy person)
    the code had to be audited for serious bugs like nonPC variables
    then it had to be tested
    and packaged for deployment

    do i need to go on??

    • by Anonymous Coward

      I worked there in IT. It's not "Hard to Stop a TRANE", especially once Ingersoll Rand got involved. With the great majority of IT outsourced it's amazing they can get anything done at all!

  • by Anonymous Coward

    At what point is a professional body going to be setup so that we can get a certification like "Ain't Totally F'd Up" for any device that connects to the interwebs?!?

    Surely someone has some kind of idea of how to do interweb connected things anti-ass-backwards (and stop calling me Shirley).

  • by evolutionary ( 933064 ) on Wednesday February 10, 2016 @05:33PM (#51482265)
    Okay, this is just too hilarious. It's like the movie "War Games" when the computer engineer left his dead son's name as a password before he disappeared. This sort of thing tends to happen when a non-engineer wants to ensure absolute control in a quick dirty way. Of course anyone with any foresight (AKA IT/Engineering professionals or even Philosophers/Historians I expect) would have pointed out how easy a back door this would be. We already have tons of historical precedent. And then take two years to undo it? Probably a 3rd party pointed out they could be sued for negligence and said "get this". The usual reactive crap when sales/iron grip overrides good judgement for short-term savings. Of course why anyone would want a device like this in their home giving people a potential back door for any hacker to get in through the Internet and play poltergeist is slightly puzzling. People need to learn that "Convenience comes at the price of Security". Kind of sounds like: "With Great Power comes great responsibility". Of course nobody seems to learn from either phrase. And here's another one: "Those who forget their history are doomed to repeat it"...whoops...too late...
  • "there's nothing like a Trane" unless it's a nest. Damn good thing.
  • > It took 22 months

    "Nothing Starts a Trane(tm)"

  • Seriously? What kind of noob idiots are they?
