Redazione RHC : 29 July 2025 08:07
Networked smart devices are no longer simple helpers, but potential enemies. With every new thermostat or TV connected to the internet, a new flaw opens up in the digital infrastructure of our homes.
This reminds us of a new threat discovered in the widely used Network Thermostat X-Series WiFi thermostats. The vulnerability is considered critical: on the CVSS scale, it received 9.8 out of 10 points. If such a device is connected to the internet, it is defenseless. But even behind a firewall, it can be used as an access point to a corporate or industrial network.
According to cybersecurity researcher Sovik Kandar of MicroSec, the web server integrated into these thermostats does not require authentication. An attacker only needs to be connected to the same network or gain access via port forwarding to delete the credentials and take full control of the device. This scenario is entirely possible, especially in an environment where IoT devices rarely receive updates and are often left unattended.
This is certainly not the first attack on thermostats. Last year, Bosch devices faced a similar threat: they allowed arbitrary firmware to be uploaded and completely compromised. The problem lies in the overall IoT architecture. These devices are not protected by default, and their distribution in critical areas, from offices to manufacturing, makes them a convenient launching pad for attacks.
But that’s not all. In the same report, a MicroSec representative disclosed another dangerous vulnerability, this time in LG Innotek video surveillance systems. The obsolete LNV5110R model is still actively used in commercial facilities, despite having already been removed from support. The vulnerability allows remote execution of arbitrary code at the administrator level. This bug is sufficient to load a special HTTP POST request into the camera’s non-volatile memory. The bug opens the door to full control of the video surveillance system, with the ability to install Trojans, covert video surveillance, or access other network segments.
But these aren’t the weaknesses, according to Kandar. He argues that Smart TVs are the main Achilles heel of any modern infrastructure. Almost all Android models have open debugging via the ADB port, which isn’t protected by a password or a warning. These TVs are everywhere: from conference rooms to hospital wards, from airports to server rooms. Control can be taken remotely, and this is no longer a theory: a practical demonstration is publicly available on YouTube. Through TV, it’s possible not only to access the screen, but also to launch a large-scale attack on the entire local network.
Kandar, which has 21 CVE vulnerabilities under its belt, draws a disturbing line: IoT devices aren’t just risks, but active, invisible, and familiar attack vectors. Many of them are initially considered trustworthy by the system, rarely receive updates, and their hacking doesn’t arouse suspicion until it’s too late.
Bitdefender, another threat monitoring company, recommends completely isolating all IoT devices from the main network, restricting access via a VLAN or a separate router. It’s especially important to eliminate any direct access to the Internet. Even VPNs, often used for secure access, can become vulnerable if not updated and configured properly. As CISA notes, VPN security is determined not so much by encryption as by the state of the connected equipment.
CISA has not yet recorded any attempts to exploit the new vulnerabilities, but has issued bulletins about them. But it’s only a matter of time. The agency urges you to urgently limit the network visibility of all industrial and IoT devices, eliminating external access, and using secure communication methods only when absolutely necessary. These are not recommendations, but survival instructions.
Redazione