Andrew Tierney had a close look at Heatmiser’s popular wifi-enabled thermostat and found it to be riddled with security vulnerabilities.
Tierney was testing an older version of the Heatmiser firmware, and some of these errors might have been patched since, assuming that the customers with the old firmware didn’t have their thermostats fatally compromised so that they would not run future patches. The kinds of mistakes that Tierney documents are part of a wider pattern of bad Internet-of-Things security practices (see, for example, Ang Cui’s work on smart phones and printer malware).
But, at this point, it looks like security is the last thing on the list of priorities for Heatmiser.
If you want a thermostat that can’t be activated by just about anyone, then I would suggest returning your Heatmiser WiFi thermostat.
My recommendation would be to stop port-forwarding to both port 80 and 8068. You will lose remote control, but would still be able to access the thermostat from inside you house.
Heatmiser WiFi thermostat vulnerabilities
(via /.)