

Raspberry Pi (lower than version 3 additional Bluetooth USB adapter)



Eqiva Bluetooth Smart Thermostats (model 141771E0)



Magnetic switches for each window





An attacker has to be in near distance (50-100m away) to access your thermostats,



and the attacker can only change the temperature in your rooms.



I built a thermostat controlling system because we regularly forgot to turn off the heating when opening the window in the same room. The system turns off the heating in the room when the window is opened and turns it on again after the window is closed again. And since I was at it, I also added the feature to control each thermostat in the apartment with the mobile phone.The problem my family had was this: when ventilating the room in the morning (or when needed) more often we forgot to turn off the heating. And if it is cold outside, this is a really bad habit. Not only for the costs of the energy that is wasted, but in regards to our global heating crisis this definitely has to stop. We tried different stuff to get rid of this bad habit, however, this did not work for long. After a while, when your head is back in the "So, what is my TODO-list for today?"-mode in the morning, we forgot the heating again. So, a more clever solution is needed.When planing this, I had to consider the network and things I already had installed at home. In every room in my apartment I have a Raspberry Pi running connected to the network. Additionally, I already have magnetic switches on each window as part of the alarm system. The switches are connected to the Raspberry Pis. Hence, I only need thermostats that can communicate with the Raspberry Pis. Since version 3 of the Pi has Bluetooth built-in, I searched for Bluetooth LE compatible thermostats which I can talk to. The only thermostats fitting this requirement were the. Furthermore, there is a Python library which can communicate with these thermostats. This makes life way easier. For all Raspberry Pis below version 3, I just bought a USB Bluetooth adapter.So, the overall hardware requirements for this project were:However, hardware alone does not help us much. We need software which glues together everything. Since I run an AlertR setup at home, it was an obvious choice to hijack this environment to control the thermostats. The AlertR infrastructure already monitors and communicates every sensor state in the apartment so I can use it to transfer the temperature of the thermostats. AlertR was not directly built for this purpose, however, its design allows us to easily integrate the thermostats into it. On a high-level, the infrastructure we want to build looks like the following:Before we can start integrating the thermostats in the AlertR infrastructure, we have to build something that is able to talk to the thermostats. I implemented a small service that communicates with the thermostats (if we want to be fancy we can call it "micro service"). This service takes commands via a local FIFO file such as changing the temperature or reacting to an open window. We can easily instrument this with AlertR by executing local scripts that write into this FIFO file on triggered events . However, somehow this service has to tell AlertR about the current state of the thermostat (such as temperature or battery state). For this, AlertR offers the possibility to take sensor readings via a local FIFO file . In short, the AlertR infrastructure and the thermostat service communicate with each other via FIFO files on the local host.AlertR groups events into AlertLevels. The setup we want to create has actually two types of events we have to react on: window open/close and set temperature. The AlertR infrastructure design looks like the following:On first glance, this seems really complicated. But it is not. Let us go through it step by step.First, we start with the window open/close event. The window sensor (top left in the image) gives the AlertR sensor client running on the Raspberry Pi the signal that the window was opened/closed. This sensor transmits the information to the AlertR server. The window open/close event is part ofwhich then triggers the event. It is transmitted to the AlertR executer client which then writes into the FIFO file of the thermostat service that the window was opened/closed. The thermostat service then turns off/on the heating by setting the temperature accordingly. This is everything we need to react to an window open/close event.Before we start to look into how the temperature is controlled, let us take a look at how the temperature of the thermostat is processed by AlertR. The thermostat service reads periodically the temperature from the thermostat and writes this information into a FIFO file of an AlertR sensor (bottom left in the image). This information is transfered to the AlertR server which stores it. AlertR uses manager clients to control it. One of these manager clients keeps a copy of the system data in a database to share it with external components . For example, a website can read this data and display it. In this case, a small website shows the temperatures of the thermostats.Now let us take a look how the temperature is controlled. Since this website shows the current temperature of the thermostats, it is the best place to give the user the possibility to control the temperature. When the user changes the temperature, the website writes this new value into a FIFO file of an AlertR sensor (bottom right in the image). This sensor is part ofwhich triggers an event. This set temperature event is transmitted to the AlertR executer client which then writes the new temperature into the FIFO file of the thermostat service. The thermostat service then sets the new temperature on the thermostat.It would be cooler if the website for the thermostat is easily controllable by a mobile phone. So I wrote the website with this goal in mind. Next to the thermostat data it also shows the data of separated temperature sensors which I have placed in the rooms as well as local weather data.If you are interested in building something similar, the source code for AlertR is available as Github repository . Since the code for the website and the thermostat service is rather specific for my needs, I did not publish it (though everything is configurable). However, if anyone is interested in it, just contact me. I am happy to share the code.One big problem remaining is the security of the thermostats. When you are using the official App for the thermostats, you have to pair your mobile phone with the thermostats by entering a PIN code that is displayed on the thermostats. However, it seems that this is just for show. Because when you are using the Python library, you can just access it without any pairing. And this is not just a read-only access, you can set any configuration available. Meaning everyone in Bluetooth LE distance can change settings on your thermostats. This is really bad and the reason I hesitated to build this. However, the attacker capability is as follows:If an attacker changes the temperature in your rooms you will notice it after a while (since you either start sweating or it is getting too cold). Meaning no big harm is done here. However, this is still an annoying issue. One way I thought about to tackle this issue is to use the thermostat service as an intrusion detection system (IDS). The thermostat service can monitor the values of the thermostat and notify the user if they are changing unreasonable. Then the user can react accordingly. It can also act as an intrusion prevention system (IPS) by restoring the thermostat state to the intended state. Overall, this is an interesting topic since most IoT devices have security issues which will not be patched and you have to cope with it (the same problem exists for medical devices and is part of current security research).