Potential vulnerability detected in routers for older heat pumps

A potential SMS vulnerability has been identified in the Teltonika routers supplied with remotely connected heat pumps, and it requires action from users of the device.

The potential vulnerability applies to older Gebwell heat pumps that have been remotely connected to a Teltonika router that works with a Siemens OZW web server used for the remote connection. This does not apply to remote connections for devices in Gebwell’s new product family (Taurus EVI, Taurus Inverter Pro, Gemini Inverter, T3 Inverter, Aries series products).

The potential vulnerability is located in the SMS control of the Teltonika router. The SMS feature is not enabled on Gebwell devices, but it still allows the user to take over the SMS features of the device, after which the device can send text messages undetected. The vulnerability is harmful if text messages are enabled on the subscription.

Therefore, customers who use that router and have SMS enabled on their subscription should contact their telecommunications operator as soon as possible and request that SMS services be turned off on their subscription. After that, the issue is resolved and the device will no longer be able to send any text messages.

If anomalous traffic is noticed in the subscription bill, a criminal complaint must be filed at that stage so that the operator can follow up on the matter. Gebwell will separately inform its customers of possible follow-up actions and instructions on what to do with potentially vulnerable routers.

The Teltonika router is not manufactured by Gebwell Ltd, but is a device for general sale.

Gebwell is in contact with contractors whose deliveries have included a potentially vulnerable router. Gebwell or the contractor communicates with end customers, property owners, and others who may be in possession of a potentially vulnerable router.

We are updating this page with information about router vulnerabilities. If you have any questions, please contact the Gebwell service department by phone at +358 20 1230 888.