Trane Takes 2 Years To Remove Hard-Coded Root Passwords From IoT Thermostat

An anonymous reader writes: It took 22 months for Trane to patch three security bugs in its ComfortLink II XL950 smart Wi-Fi thermostat product, the ComfortLink II XL950, a modern IoT device along the lines of Google Nest, which offers a simple way to manage your apartment's or building's internal temperature. Researchers contacted Trane about their three issues in April 2014, the company fixed the RCE flaws in April 2015 and recently released a firmware update at the end of January to fix the last issue. During all this time, the company barely answered emails and continued to sell an exposed product.

IOT isn't as easy as it sounds.

[blueshift_1]

This has always been a severe issue with specific hardware produced by companies that aren't technology focused (and even some that are). These little debugging/service backdoors worked when there wasn't a vast resource of easy information sharing - and the device wasn't able to be accessed from anywhere. One day these product engineers will figure that out - maybe.

Re:

[Joe_Dragon]

Back when the weather channel was cool and LOT8's was longer then 60sec.

Re:

[Curtman]

Even harder to start one.

Re:

[supremebob]

That said, I bet that security hole would have been fixed a hell of a lot quicker if it was publically announced to the world instead of trying to report it through Trane's security inept support channels.

Re:

[AmiMoJo]

It's basically an impossible situation for security researchers. If they report it only to the manufacturer it can take years to be fixed. If they report it with a note that they will go public in a month they get sued or arrested. If they just report it publicly they are accused of being irresponsible.

When I find an security flaw, if the company has a bug bounty programme or formal submission process I report it to them with a note that I'll post it publicly in a month unless they ask me to do otherwise. I

Re:

[Gr8Apes]

If only they made it LAN only, it would already be infinitely more secure than most of these companies are capable of making a true internet accessible IoT device. It's that simple. Besides, I don't want or need an account with some service to run something on my own network.

Re:

[evolutionary]

True, but then you couldn't control it from the airport with your smartphone. You could argue security issues, but that would result in too many people not feeling the joy of controlling their home from anywhere in the world. Of course they forget others could too...that's besides the point, at least to those seduced by the "cool" factor. (I blame Apple...too use friendly for our own good..)

Re:

[omnichad]

For centrally managed services, that doesn't require an inbound password. That can be done by the device making outbound connections to the central server.

Re:

[Gr8Apes]

(I blame Apple...too use friendly for our own good..)

I'd blame the ISPs that make it so darn difficult to connect directly to your own machines. As for everything else, it truly can be simple, but the manufacturers see $s and want you to pay them more, forever.

Re: IOT isn't as easy as it sounds.

[corychristison]

I think he means lack of non-static IP addresses (especially in North America).

Re:

[Gr8Apes]

Not only lack of non-static IPs, but worse than that, ISPs that actively engage in port blocking because "servers" aren't allowed on their networks. That's dropped off some thanks to games and other PTP applications, but many still filter a set of ports and as of a few years ago will block or degrade large externally originated sources.

Re:

[Curtman]

I'm sure there's a cool factor that means something to somebody. But when you live in a climate that is -40 degrees (celsius and fahrenheit) at times, having your thermostat email you when the furnace has failed is definitely more than cool, it can save you thousands of dollars.

Re: IOT isn't as easy as it sounds.

[corychristison]

Sure, but it definitely doesn't need inbound network access. It shouldn't beed UPnP as the theromostat should simply be polling requests from the central servers.

It could even be used to send a message to your email (outbound connection).

Why these devices require inbound connections at all simply doesn't make sense to me.

Re:

[Brett Buck]

Trane is certainly "focused on technology". Just not computer geek technology. Do you know how to design and manufacture a long-lived air conditioning or heat pump compressor? And successfully and profitable for decades?

      Technology existed before the internet, you know.

Re:IOT isn't as easy as it sounds.

[Thud457]

No. But I'm pretty sure I could spec out cheap crap compressors from China while riding my brand name into the dirt.

Re:

[Anonymous Coward]

"Do you know how to design and manufacture a long-lived air conditioning or heat pump compressor?"
No, but neither does Trane (or Ingersol-Rand for that matter, who owns Trane.) They use another company's compressor now.
Heck, they took the original compressor design they once used from GE, when they bought the division from them years ago. As a matter of fact, the only thing that Trane "owns" in their design is the coils and the cabinets. I believe the coils are actually made by Alcoa.
"Trane" is just a brand

Re:IOT isn't as easy as it sounds.

[Curtman]

Over engineered crap. It definitely is worse than most other manufacturers. I learned this when the inducer motor went on my furnace. They sold a furnace with an ECM inducer motor (for efficiency sake?), then stopped making them. So now in order to replace the inducer motor you need a new circuit board, a standard less efficient than what was advertised PSC motor, and someone to completely rewire the furnace with the new wiring harness. Then you need to pay someone labour and parts markup to install the $1400 in parts which they wont sell to you because you're not "Trained in Trane".

Fuck you Trane. I hope you get hit by a Train.

Re:

[rmdingler]

That's not your inducer moter... it is your blower motor, reponsible for moving air with a squirrel cage through the ductwork in your home.

The inducer motor is to force or draw combustion gases through the heat exchanger and out the roof vent. ECM motors are frequently unreliable, and expensive to replace, but you can replace one with a PSC motor and relays without changing out the circuit board.

Re:

[Curtman]

No. It's he inducer motor. If it was the blower motor I could just get a new motor and install it myself. Trust me, I've learned a lot about this furnace since I was suckered into buying it.

Re:

[Curtman]

Also.. Everything except the actual motor is made out of plastic. You cannot remove the impeller from the shaft of the motor without breaking it. Once it's broken it cannot be repaired to work reliably at 3000RPM. Even if you could replace it with an equivalent PSC motor and relays, the circuit board communicates with the inducer motor which is no longer there so it will never light the burner even though the pressure switch is closed.

Re:

[rmdingler]

We've had a metric ton of problems with the ECM blower motors. Many of the first renditions came with the old boards modified, so that there was still a place to install a PSC motor when the very expensive oem motor failed prematurely. In some cases, you were forced to purchase the motor and control module as one unit.

The general movement toward increasingly more efficient equipment forces manufacturers to modify proven technology to eke out higher efficiency plateaus, but the savings enjoyed from an upgra

Re:

[Curtman]

Even on boards without those terminals, you could if you wanted use relays to switch speeds powered by the EAC terminal which is powered any time the fan is on. Except the circuit board is so "smart", that it cant tell how fast the blower motor is spinning anymore and assumes it has failed.

Re:

[bozzy]

Fuck you Trane. I hope you get hit by a Train.

And forced to listen to the band Train...

Re:

[jbengt]

The trend is for single phase motors to go ECM for any application where the speed needs to be adjustable or variable. This is a fact of life for all types and brands of equipment. 10 years ago, we had a job where dozens of ECM motors had to be replaced not long after being installed. The manufacturers seem to have caught on and now use motors that can handle the electronic switching better, so there's very few early failures anymore.
The other trend in appliances is to add digital electronics that fail

Re:

[Curtman]

The problem isn't the switch to ECM. It's that they didn't make replacements for when they broke. So repairing a broken ECM inducer motor requires me to replace almost every electronic component in the furnace along with the associated labour costs to do it, even though I'm fully capable of doing it myself. They will not sell them to me.

Re:

[jbengt]

First, you're talking about their residential lines. Nobody makes small, off-the-shelf refrigeration systems in the US anymore. Everybody makes them in Asia. (I think there's one manufacturer making them in Africa.)
Trane's commercial lines are considered middle-of-the-road: Not the high quality equipment that costs too much for the typical cheap budget, and not the piece of crap that will get the submittal rejected by the specifying engineer.
You are right, though, about branding, though by no means is

Re:

[swb]

Isn't the punchline to this "No, and based on my ownership experience, neither does Trane."

Re:

[stabiesoft]

I imagine it does some of the same stuff my new lennox one does. Health checks etc. Mine for example validates temp outside before kicking in the compressor to avoid destroying it. Also checks static pressures in air flow to check filter flow rate. Keeps track of any error codes thrown by other units (furnace, A/C, etc). And I imagine the trane is also like the lennox. Don't give it your wifi password and it will not go on the interwebs. I like the extra stuff my Tstat can do, but do not want it on the WAN/

Re:I don't understand technology anymore

[Curtman]

No its not. "Legacy" thermostats were essentially a few relays and some operator controls. 24VAC is fed to the thermostat terminal "R" from the furnace or air handler. When it wants the fan to run, it switches 24V to its terminal "G", when it wants heat it puts 24V on terminal "W", Cooling is terminal "Y".

These new "communicating" thermostats are a CANBUS network similar but much more poorly documented than the OBD one in your car. However it does things like send you an email when the furnace is failing, or when the temperature in your house has fallen to where you might have to worry about freezing pipes etc. It can tell you that it failed to ignite several times so you might want to book service before it fails completely.

I wish there was some online presence for people hacking these things. Inside my Lennox iComfort thermostat I found an SD card containing an OS called "MQX RTOS", and a i.MX287 processor.

Re:

[CharlieG]

Unless (like my den) someone decided to save a few bucks (basically the price of the transformer and a relay) and installed a high voltage thermostat, and then you have 110 volts right on the stat. You'd think...
Has caused me enough issues that I think come this spring, I'll do it (Dad would be laughing - he was an HVAC mechanic, and would do it 'whenever' - and of course, I don't have a spare relay...)

Re:

[Frederic54]

Oh nice, I worked with Precise/MQX and its RTCS stack, I implemented SNMP v2c for our products running this OS.

Re:

[Curtman]

Every manufacturer seems to be doing it now at least in the higher end models. Lennox has iComfort [lennox.com], Trane has this POS from the topic, Carrier has Infinity [carrier.com]. The thermostats are connected to the furnace with 4 wires. R = 24v, C = Common, "i+", and "i-". There's those same terminals at the Air Conditioner. The gas valve has Tx and Rx blinky lights, the blower motor too. The thermostat reads the outdoor temp from the air conditioner's thermistor through the bus, all sorts of sensors in the furnace are rea

Re:

[Curtman]

This patent [google.com] is the best reference I've found so far. It's all proprietary though, Lennox thermostats won't work on a Carrier furnace or air conditioner, etc. And the software seems to be really terrible on all of them.

Re:

[Gr8Apes]

How many thermostat controllers do you need?

Apparently more than I thought I would, as I'm looking at buying my 6th and 7th ones, and possibly another 3.

Re:

[Gr8Apes]

Mansion? Who said they were all for one house? I've replaced a lot of these over the years, I'm pretty sure the number is higher than what I stated, I just recall changing out at least 5. As for the last 3, I would use them for single room zone controls. I've been looking at the duct work, and believe that I can actually use them to control the heat better and only cool/heat the areas I wish.

Re:

[Gr8Apes]

I would be more concerned about the sub 32 degree house

Re:

[rmdingler]

With the focus of late on the latest, greatest, and ever more complicated, your potential points of failure increase.

Now, something short of a power outage is enough to freeze your water pipes... say a wifi outage or low voltage interruption to the Nest.

Buy some insurance. Wire in an Accustat as a backup that kicks heat on at 10 degrees Celsius.

Re:

[Gr8Apes]

Or, don't use a Nest to begin with. Why on earth does Google need to know the temperature settings in my house at any given time?

Re:

[jbengt]

Most of those points wouldn't be controlled by the thermostat (I would hope), but by the internal controls in the equipment. Even if they were accessible thru the thermostat, you shouldn't be able to change things like the anti-short cycle timer or the compressor low ambient lock-out.

The flip side to "its hard to stop a Trane"

[laurencetux]

its also hard to get a train GOING.

Im sure the actual patch writing time was minimal but

15 different managers had to be consulted/bribed to sign off on the code
there were 50 different meetings to sort out what the bugs were exactly
somebody had to be assigned the task of writing the code (and this was a busy person)
the code had to be audited for serious bugs like nonPC variables
then it had to be tested
and packaged for deployment

do i need to go on??

Re:

[Anonymous Coward]

I worked there in IT. It's not "Hard to Stop a TRANE", especially once Ingersoll Rand got involved. With the great majority of IT outsourced it's amazing they can get anything done at all !

Sounds like it's time for a certification

[Anonymous Coward]

At what point is a professional body going to be setup so that we can get a certification like "Ain't Totally F'd Up" for any device that connects to the interwebs?!?

Surely someone has some kind of idea of how to do interweb connected things anti-ass-backwards (and stop calling me Shirley).

Would you like to play a game..

[evolutionary]

Okay, this is just too hilarious. It's like the movie "War Games" when the computer engineer left his dead son's name as a password before he disappeared. This sort of thing tends to happen when a non-engineer want to ensure absolute control in a quick dirty way. Of course anyone with any foresight (AKA IT/Engineering professionals or even Philosophers/Historians I expect) would have pointed out how easy a back door this would be. We already have tons of historical precedence. And then take two years to undo it? Probably a 3rd party pointed out they could be sued for negligence and said "get this fixed...now". The usual reactive crap when sales/iron grip overrides good judgement for short terms savings. Of course why anyone would want a device like this in their home giving people a potential back door for any hacker to get in through the Internet and play poltergist is slightly puzzling. People need to learn that "Convenience comes at the price of Security". Kind of sounds like: "With Great Power comes great responsibility". Of course nobody seems to learn from either phrase. And here's another one: "Those who forget their history are doomed to repeat it"...whoops...too late...

Oh yeh

[djent]

"there's nothing like a Trane" unless it's a nest. Damn good thing.

Chew chew

[Impy the Impiuos Imp]

> It took 22 months

"Nothing Starts a Trane(tm)"

Thats a special kind of pathetic

[Revek]

Seriously? what kind of noob idiots are they?