Internet of Things HVAC?

I just got a text from my mother asking for "the wifi password." (Didn't specify 2.4 or 5 GHz, which are different names and passwords.) This seemed suspicious, so I called her up, and she did indeed send that message.
Apparently, Carrier HVAC equipment (or at least the unit my mom got to replace her old one) has an app that you can use to control your temperature (I'm guessing that this is the app, but I'm 2 hours away from her so I can't confirm it in person).

I Googled a bit and can't find any articles covering this besides how it's benefitting the HVAC industry. Has anyone else used these? I'm sure there are security vulnerabilities, but I know my mom's not about to let her "investment" go to waste (disable the wifi capabilities) unless there are some actual threats I can cite.

Also, in the event that I can't get my mom to disconnect it from wifi, any tips on isolating this to help reduce attack surface? I was thinking making a guest network or a private VLAN, and preventing non-LAN connections, but what else can I do short of running wireshark and setting up a spare Raspberry Pi as a dedicated SPI firewall device?

We've heard a lot about how insecure IoT generally is, and considering how relatively sparse press coverage about this has been, it's probably at an even greater risk of getting exploited. I don't think this has ever been covered on L1News or The Tek before the split.

Edit: Actually, I probably will run wireshark next time I'm at her house to make sure it's not phoning home to advertisement servers at the minimum.

I use to work in the HVAC industry. Having heating and air units connected to the internet is a fairly old technology. Most of the Schools, Movie Theaters and bog box stores - Home Depot, Lowes, Target, Walmart, all have their units connected to a central system through the internet. I would think that the app software is a modified version of the commercial software and should be pretty protected. However, there are always going to be risk, but I don't think that it is something I would stress over to much. In the commercial world, mainly schools and hospitals, the heating and air system operates over independent servers and infrastructure, so if you wanted to mimic that use a Raspberyy Pi for a firewall it should make you more than safe from outside attacks.

The target breach (last?) year was done via their HVAC system. It was covered extensively at that time but that industrial, I don't have answer about your personal use but as with everything else on the internet, it probably is compromised somewhere. Just assume everything internet connected is compromised.

If i had one I'd do what you're suggesting and just vlan it out.

2 Likes

Power companies will offer you a free wifi thermostat too. The gotcha is they are monitoring your usage and have the ability to modify your set-points during peak usage times.
Internet connected everything now days. Just the other day I saw Rheem hot water tanks also have their own internet of shit connectivity.

No thanks, ill roll my own.

"Your IoT HVAC sucked up my child"
Did you attach an iPhone?
"Uhhh"
..........Stop calling us.