The Offensive Security Team of BDO Cyber Security GmbH identified a security vulnerability in the Bluetooth interface of the CC-RT-BLE radiator thermostat. The vulnerability was promptly reported to the responsible vendor (EQ-3/Eqiva), who subsequently confirmed the security flaw in an internal review. The root cause was an insufficient authentication check implemented on the thermostat itself. After the flaw was disclosed as part of a responsible disclosure process, the manufacturer has recently been able to fix the vulnerability with a corresponding patch. This article provides an overview of the vulnerability, assesses the associated risk, and outlines the remediation measures for the product.
The CC-RT-BLE by EQ-3 is a smart radiator thermostat that can be configured and controlled via a Bluetooth interface.
During the development of an internal security tool, the Offensive Security Team of BDO Cyber Security GmbH identified a flaw in the authentication process for incoming Bluetooth connections. Firmware versions up to and including version 1.46 allowed unsecured access via Bluetooth Low Energy (BLE) without requiring prior pairing with the device. This vulnerability has been assigned the identifier CVE-2024-34268.
This allowed an attacker within radio range to establish a connection to the thermostat and use all of its available functions without first pairing with the device, giving complete control over the thermostat, including modification of its configuration settings and operational parameters.
The vulnerability was reported to EQ-3 on February 12, 2024. Following an internal investigation, the vendor confirmed the security issue on February 28, 2024. The vulnerability was remediated in firmware version 1.48. The corresponding update can be installed using the current “calor BT” mobile application provided by the manufacturer.
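For asset owners who need to find out which of their thermostats still run an affected firmware, the following triage script is an added example written for this article; it is not BDO's internal tool and not vendor code. It applies only the two facts stated above (versions up to and including 1.46 are affected, version 1.48 contains the fix) and treats anything in between as unknown rather than assuming it is safe. The inventory it processes is constructed sample data, and the device labels and version strings are assumptions.

```python
"""Firmware-version triage for CC-RT-BLE devices against CVE-2024-34268.

Added example (not BDO's internal tool, not vendor code). Given an
inventory of thermostats with their reported firmware versions, it says
which ones still carry the vulnerability, based on the advisory's
statement: versions up to and including 1.46 are affected, 1.48 fixes it.
"""
from typing import Dict, List, Tuple

AFFECTED_MAX = (1, 46)   # last version the advisory lists as affected
FIXED_MIN = (1, 48)      # first version the advisory lists as fixed


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.46' into (1, 46) so versions compare numerically.

    A plain string comparison would rank '1.9' above '1.48'; a tuple of
    integers compares component by component, which is what we need.
    A leading 'v' (as some exports add) is tolerated.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one firmware version.

    'unknown' covers versions the advisory does not mention (between the
    last affected and the first fixed release); they should be scheduled
    for the update rather than silently treated as safe.
    """
    v = parse_version(version)
    if v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "fixed"
    return "unknown"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group device labels by status; malformed versions land in 'invalid'."""
    result: Dict[str, List[str]] = {
        "affected": [], "fixed": [], "unknown": [], "invalid": []
    }
    for name, version in inventory:
        try:
            result[classify(version)].append(name)
        except ValueError:
            # Constructed inventories often contain placeholders such as
            # 'n/a'; those devices need a manual check, not a guess.
            result["invalid"].append(name)
    return result


# Constructed sample inventory (device label, firmware string as an
# asset-management export might report it). Labels are assumptions.
SAMPLE_INVENTORY = [
    ("office-101", "1.46"),
    ("office-102", "1.48"),
    ("meeting-room", "1.47"),
    ("hallway", "1.40"),
    ("lab", "v1.50"),
    ("storage", "n/a"),
]

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>8}: {', '.join(devices) or '-'}")
```

Devices reported as `unknown` or `invalid` deserve the same follow-up as `affected` ones: the advisory names no intermediate release as fixed, and a version string that cannot be parsed tells you nothing about the device's state.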
You can find additional CVEs and security advisories disclosed by our team on our advisory overview page. Furthermore, we are available to assist you in identifying or remediating vulnerabilities in systems, applications or IoT devices. In addition, we offer a range of consulting services to complete our portfolio.
For details and to arrange a tailored engagement, please contact us.