Boilers from Vaillant contain serious vulnerability in web interface – update

Vaillant boilers from the ecoPower 1.0 series contain a serious bug in the web interface for remote control of the heating system. This allows attackers to remotely disable or even damage the boilers.

The ecoPower 1.0 installation from the German company Vaillant can be controlled remotely by the end user via a web interface, for example to turn the heating on before returning home. However, it appears that a vulnerability in the firmware makes it possible to retrieve the administrator passwords, which are stored as plain text. With this information an attacker can gain access to functions that are normally intended for service technicians. For example, the boiler, which can also generate power, can be disabled remotely. In the winter this can cause damage if the central heating pipes freeze, while in the summer the temperature can be set higher than the safety limits normally allow. Damage may occur in that case as well.

Vaillant turns out to use its own DHCP server for handing out IP addresses to ecoPower boilers, so that they are reachable via an application or web browser. Because the server hands out addresses that are easy to guess, guessing addresses would, together with the captured login data, make it relatively easy to find and attack vulnerable systems.

The vulnerability in the ecoPower software, which was found by a reader of the German magazine BHKW Infothek, is so severe that Vaillant advises users with vulnerable boilers to disconnect the ecoPower systems from the internet immediately. The problem would only be fixed once a service technician has installed new firmware. In addition, the boiler manufacturer is handing out VPN boxes to customers who have concluded a service contract, so that the internet connections will be encrypted.

Update, April 18, 2013: Vaillant has informed Tweakers that the ecoPower series is not sold in the Netherlands.