Penetration testing of current smart thermostats : Threat modeling and security evaluation of Shelly TRV and Meross Smart Thermostat

Abstract: As smart homes become increasingly common and concerns over Internet of Things (IoT) security grow, this study delves into the vulnerabilities of smart thermostats. These devices offer convenience but also comes with increased risk of cyber attacks. This study evaluates the susceptibility of the Shelly Thermostatic Radiator Valve (TRV) and the Meross Smart Thermostat to potential threats across various attack vectors – encompassing firmware, network, radio, and cloud – through penetration testing guided by the PatrIoT methodology. Findings reveal four unknown vulnerabilities in the Meross Smart Thermostat and two in the Shelly TRV. These vulnerabilities consist of insecure firmware updates, lack of network encryption, exploitable radio communication, and cloud-related gaps. Recommendations aiming at mitigating the found vulnerabilities include implementing secure Wi-Fi access points for both models during setup, and ensuring strong encryption for the Meross Smart Thermostat’s radio communication. The study contributes to an increased awareness of potential security risks associated with these devices, though the extent of vulnerabilities across all smart thermostat models cannot be definitively concluded.