Bypassing the internet
The device consists of two parts: the base station and the thermostat itself. The base station connects to the internet via an Ethernet cable and wirelessly connects to the thermostat. You have to mount the thermostat to your existing two-wire thermostat mount on the wall.
The first obvious step in my journey to make the device independent of the manufacturer’s services is the connection between the base station and the thermostat. It immediately crossed my mind that this could be a simple 433 MHz link, as used in many remote-control devices like garage door openers, keyfobs and remote lighting. Some research in the datasheet quickly taught me that it is instead an 868 MHz link using a proprietary ICY protocol, which is used in many of their products. This fact, combined with my lack of knowledge and tools to analyze this signal, led me to look for another way.
So unless we can successfully reverse engineer this protocol, there is no way to remotely control the device without the base station. The next step was to see how well protected the connections to the ICY web service are, and whether a man-in-the-middle attack is feasible there. Sniffing all the traffic between the base station and the internet showed me this was actually well executed, better than I expected for such an old device. All the traffic between the station and the server was encrypted with TLSv1.1, using both client and server certificate verification. I still tried some DNS attacks to see whether the certificate was actually verified on the device, but the device just kept sending DNS requests as soon as I pointed it somewhere other than ICY’s servers. So I assumed the server’s certificate was indeed verified.
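The two facts above (TLSv1.1, and a client certificate being demanded) can be read straight off the unencrypted handshake in a capture. The script below is an added example, not code from the original post or from ICY: it parses raw TLS record bytes and reports the ServerHello version and whether the server sent a CertificateRequest. The handshake bytes in SAMPLE_MUTUAL and SAMPLE_SERVER_ONLY are constructed for the example (random bytes, cipher suite and record layout are illustrative, not captured from the device).

```python
import struct

# TLS record content type for handshake messages
HANDSHAKE = 0x16

TLS_VERSIONS = {
    0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
    0x0303: "TLSv1.2", 0x0304: "TLSv1.3",
}

HS_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    16: "ClientKeyExchange",
}


def iter_records(data):
    """Yield (content_type, record_version, payload) for each TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, version, payload
        off += 5 + length


def iter_handshakes(payload):
    """Yield (handshake_type, body) for each handshake message in a record."""
    off = 0
    while off + 4 <= len(payload):
        hs_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) < length:
            raise ValueError("truncated handshake message")
        yield hs_type, body
        off += 4 + length


def summarize_handshake(data):
    """Return negotiated version and whether a client certificate was requested.

    Only meaningful for TLS 1.2 and below: in TLS 1.3 the CertificateRequest
    is sent encrypted, so a passive capture cannot show it.
    """
    summary = {"messages": [], "client_version": None,
               "server_version": None, "client_cert_requested": False}
    for ctype, _version, payload in iter_records(data):
        if ctype != HANDSHAKE:
            continue  # application data, alerts, ChangeCipherSpec: skip
        for hs_type, body in iter_handshakes(payload):
            summary["messages"].append(HS_TYPES.get(hs_type, f"type{hs_type}"))
            if hs_type in (1, 2):  # ClientHello / ServerHello start with a version
                ver = TLS_VERSIONS.get(struct.unpack("!H", body[:2])[0], "unknown")
                key = "client_version" if hs_type == 1 else "server_version"
                summary[key] = ver
            elif hs_type == 13:
                summary["client_cert_requested"] = True
    return summary


# --- constructed sample handshake (not captured from the real device) ---
def _hs(hs_type, body):
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def _record(payload, version=0x0301):
    return struct.pack("!BHH", HANDSHAKE, version, len(payload)) + payload


_RANDOM = bytes(range(32))  # placeholder for the 32-byte hello random
_CLIENT_HELLO = _hs(1, struct.pack("!H", 0x0302) + _RANDOM + b"\x00"
                    + struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00")
_SERVER_HELLO = _hs(2, struct.pack("!H", 0x0302) + _RANDOM + b"\x00" + b"\x00\x2f" + b"\x00")
_CERT_REQUEST = _hs(13, b"\x01\x01" + b"\x00\x00")  # rsa_sign, no DN list
_SERVER_DONE = _hs(14, b"")

SAMPLE_MUTUAL = _record(_CLIENT_HELLO) + _record(_SERVER_HELLO + _CERT_REQUEST + _SERVER_DONE, 0x0302)
SAMPLE_SERVER_ONLY = _record(_CLIENT_HELLO) + _record(_SERVER_HELLO + _SERVER_DONE, 0x0302)

if __name__ == "__main__":
    for name, sample in (("mutual", SAMPLE_MUTUAL), ("server-only", SAMPLE_SERVER_ONLY)):
        print(name, summarize_handshake(sample))
```

To use it on a real capture, feed it the reassembled TCP payload of the base station's connection (for example exported from Wireshark as raw bytes); the parser assumes records are complete and in order, so it does not handle a record split across packets.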