Serious flaw found in Bosch thermostats and smart tightening wrenches

ReportJanuary 15, 2024Editorial DepartmentOperational Technology/Cybersecurity

Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart locking machines, which, if successfully exploited, could allow an attacker to execute arbitrary code on an affected system.

Romanian cybersecurity company Bitdefender discovered a flaw in Bosch’s BCC100 thermostat last August, which the company said could allow attackers to exploit the issue to change the device’s firmware and plant a malicious version.

This high-severity vulnerability is assigned CVE-2023-49722 (CVSS score: 8.3) and was patched by Bosch in November 2023.

“Network port 8899 in the BCC101/BCC102/BCC50 thermostat products is always open, allowing unauthenticated connections from the local WiFi network,” the company said in an announcement.

The core of this problem affects the WiFi microcontroller that acts as a network gateway to the thermostat’s logic microcontroller.

By exploiting this flaw, an attacker could send commands to the thermostat, including writing malicious updates to the device, which could render the device inoperable or act as a backdoor to sniff traffic, redirect it to other devices, and perform other malicious activities.

Bosch fixed the flaw in firmware version 4.13.33 by closing port 8899, which is said to be used for debugging purposes.

The German engineering technology company also learned of more than two dozen flaws in Rexroth’s Nexo wireless nut driver that could be abused by unauthenticated attackers to disrupt operations, tamper with critical configurations, or even install ransomware.

Nozomi Networks said: “Given that the NXA015S-36V-B is certified for safety-critical missions, an attacker could potentially compromise the security of the assembled product by inducing suboptimal tightening, or cause damage to it by over-tightening.”

The operational technology (OT) security firm added that the flaws could be used to perform remote arbitrary code execution (RCE) with root privileges and demand execution of commands by hijacking the onboard display and deactivating the trigger button, rendering the pneumatic torque wrench inoperable. use. ransom.

“Given how easily this attack can be automated across numerous devices, an attacker could quickly render all tools on the production line inaccessible, potentially causing significant disruption to the end asset owner,” the company added.

Patches for these vulnerabilities affect multiple NXA, NXP and NXV series devices and are expected to be released by Bosch in late January 2024. During this time, users are advised to limit the device’s network accessibility as much as possible and review the accounts that have access to the device.

This development comes as Pentagrid discovered multiple vulnerabilities in the Lantronix EDS-MD IoT gateway for medical devices that could allow users with access to the web interface to execute arbitrary commands as root on the underlying Linux host. Order.