To help French households control their energy costs, the Government will make these devices compulsory in homes. But a recent study reveals that they suffer from numerous security vulnerabilities.
The connected thermostat is all the rage at the moment! This device, which is wired directly into the heating system, adjusts itself according to the ambient temperature, the time of day or its schedule, room by room. You can even control it remotely from your smartphone and therefore adjust the temperature of the home while you are out. Energy consumption is thus brought closer to actual needs. Such devices are therefore very popular with consumers, which pushes the market to offer a growing range of models.
In order to combat the overconsumption of electricity caused by heating homes, the Government has decided that all households must be equipped with a programmable regulation device by 1 January 2027, as stipulated in Decree No. 2023-444, published in the Official Journal on June 7, 2023. This does not necessarily mean a connected thermostat: any device with at least the basic temperature programming functions qualifies.
But installing this type of device is not without risk. Germany's Federal Office for Information Security (BSI) took a closer look at ten models of smart heating thermostats, including well-known names such as Bosch, Tado and AVM (Fritzbox). It turns out that IT security often takes a back seat during product development.
The result is missing or inadequate security by design. Many products have vulnerabilities that could allow attackers to access the devices or intercept user data. And since these devices are often networked with other smart home components, they could serve as a gateway for hackers into the rest of the home network.
For instance, three of the devices tested were based on so-called white label solutions, whose security standards are not always transparent. Several products were also found not to store sensitive data such as passwords securely. Two iOS companion apps used to control the devices transmitted sensitive information without encryption. Researchers also discovered that some thermostats download updates without sufficient protection mechanisms. Some devices notably lacked basic security measures, such as protection against firmware attacks.
Despite the gaps identified, the BSI emphasizes that most of the vulnerabilities found do not pose an immediate threat to consumers. Nevertheless, the authority strongly recommends that manufacturers strengthen their security measures and implement established standards more consistently. Let's hope they go back to the drawing board quickly!