Hi Guys,

Cybersecurity researchers have uncovered significant vulnerabilities in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners. Attackers could potentially weaponize these vulnerabilities in several ways:

Bosch BCC100 Thermostats:

* Firmware Alteration: Attackers could exploit the vulnerabilities to alter the thermostat’s firmware. By implanting a rogue version of the firmware, they could gain control over the device, potentially leading to unauthorized manipulation of heating and cooling systems. Imagine this scenario in the nuclear industry…

* Backdoor Creation: The vulnerabilities might allow attackers to create a backdoor into the device. This could enable continuous monitoring and control, allowing attackers to collect data or use the device as a launching point for further attacks within the network.

* Device Disruption: By sending malicious commands to the thermostat, attackers could render the device inoperable or manipulate its functionality. This could lead to discomfort, increased energy costs, or even risks to occupant safety in extreme temperature conditions.

Rexroth NXA015S-36V-B Smart Nutrunners:

* Operational Disruption: Attackers could exploit these vulnerabilities to disrupt the normal operations of the nutrunner. This could include tampering with critical configurations, which might lead to incorrect assembly or disassembly in industrial environments, posing safety risks.

* Ransomware Installation: The flaws could allow attackers to install ransomware on these devices. This could lock the device’s functionality or critical data, with attackers demanding a ransom for its release.

* Compromising Safety-Critical Tasks: Since these devices are used for safety-critical tasks, an attacker could compromise the safety of the assembled product. This might involve inducing suboptimal or excessive tightening, potentially causing damage or leading to product failures. Again, imagine this scenario in the nuclear industry…

How to protect yourself.

Bosch BCC100 Thermostats:

Update Firmware: Ensure your thermostat is updated to the latest firmware version. Bosch has released a fix in firmware version 4.13.33 to address the vulnerabilities.

Rexroth NXA015S-36V-B Smart Nutrunners:

Bosch plans to release patches for the vulnerabilities by the end of January 2024. In the meantime, disconnect this device from the internet so that it cannot be remotely attacked.

If you have any questions or comments, please let me know. Our privacy care team are available 24 hours a day, seven days a week.

All the best,
Max Roberts.
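
A fleet check for the guidance above, as an added example that is not part of the original message or any Bosch tooling: it flags BCC100 units whose firmware is older than 4.13.33, comparing versions numerically so that 4.13.4 is correctly treated as older, and marks NXA015S-36V-B nutrunners for isolation until a patch is available. The inventory records, field names and action labels are constructed for illustration.

```python
import re

# Fixed BCC100 firmware version stated in the message above.
BCC100_FIXED = (4, 13, 33)

def parse_version(text):
    """Turn '4.13.33' into (4, 13, 33); return None if not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_older(version, fixed):
    """Numeric comparison, padded so '4.13.33.0' equals '4.13.33'."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def triage(device):
    """Return the action for one inventory record (assumed keys: model, firmware)."""
    model = device["model"].strip().upper()
    if model == "BCC100":
        version = parse_version(device.get("firmware", ""))
        if version is None:
            return "verify-manually"  # unknown version: never assume patched
        return "update-firmware" if is_older(version, BCC100_FIXED) else "ok"
    if model == "NXA015S-36V-B":
        # The message gives no fixed version yet, only the interim mitigation.
        return "isolate-from-internet"
    return "out-of-scope"

def triage_fleet(inventory):
    return {device["name"]: triage(device) for device in inventory}

# Constructed sample inventory (not real devices).
INVENTORY = [
    # A plain string comparison would rank "4.13.4" above "4.13.33".
    {"name": "lobby-stat", "model": "BCC100", "firmware": "4.13.4"},
    {"name": "lab-stat", "model": "bcc100", "firmware": "4.13.33"},
    {"name": "attic-stat", "model": "BCC100", "firmware": "unknown"},
    {"name": "line3-tool", "model": "NXA015S-36V-B", "firmware": "n/a"},
    {"name": "door-cam", "model": "CAM-1", "firmware": "1.0"},
]

if __name__ == "__main__":
    for name, action in triage_fleet(INVENTORY).items():
        print(f"{name}: {action}")
```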