Security experts have identified multiple vulnerabilities within Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners, which could allow cyber attackers to execute arbitrary code on these devices. The potential risks include unauthorized access and manipulation of device firmware, putting users at risk of significant operational disruptions.

Bitdefender, a Romanian cybersecurity firm, first uncovered the vulnerabilities in the Bosch thermostats in August. Their research indicated that an attacker could exploit these weaknesses to replace legitimate device firmware with malicious versions, posing a serious threat to users and their devices.

The most pressing vulnerability, registered as CVE-2023-49722 with a high CVSS score of 8.3, was remedied by Bosch in November 2023. According to an advisory from Bosch, the issues stemmed from an always-open network port (8899) in various thermostat models, allowing unauthenticated access through local WiFi connections.

At the core of the problem is the thermostat's WiFi microcontroller, which acts as a gateway to the logic microcontroller that actually controls the device. Through this vulnerability, an attacker could issue commands to the thermostat, including uploading a harmful update that compromises the device's operation or serves as a vector for other malicious activity.

Bosch addressed this vulnerability in firmware version 4.13.33 by closing the vulnerable port, which was originally intended for debugging. The company is also aware of over two dozen vulnerabilities in the Rexroth NXA015S-36V-B cordless nutrunners that allow unauthorized attackers to manipulate critical configurations, disrupt processes, and potentially deploy ransomware.

Nozomi Networks highlighted that, because the NXA015S-36V-B device is certified for tasks considered safety-critical, the vulnerabilities could endanger product safety: an attacker could cause insufficient or excessive tightening during assembly, damaging the final product.

The vulnerabilities analyzed by Nozomi could enable remote code execution (RCE) with root privileges, allowing attackers to take over the pneumatic torque wrench's functionality, disrupt operations, and potentially hold the tools for ransom.

This situation illustrates the heightened risks that come with automation in industrial settings, where a coordinated attack could rapidly incapacitate tools across an entire production line, resulting in substantial operational delays and commercial losses.

Patches for these vulnerabilities affecting the NXA, NXP, and NXV series devices are anticipated to be released by Bosch by the end of January 2024. In the interim, users are advised to restrict device network connectivity and reassess account access permissions.

This development follows closely after Pentagrid’s revelation of several vulnerabilities in the Lantronix EDS-MD IoT gateway for medical devices, including one that could allow users with web interface access to execute commands as root on the associated Linux host. Such incidents highlight the critical need for enhanced security measures as vulnerabilities in IoT devices continue to surface, posing serious implications for both personal and organizational cybersecurity strategies.