The eQ-3 Eqiva is a smart home thermostat for radiators with an integrated Bluetooth LE interface. The manufacturer recommends the following app to control the thermostat from a smartphone: Calor BT.
When the app connects to the thermostat, a 4-digit PIN code, which has to be read from the thermostat itself, must be entered. This is an important security feature: it restricts remote control to persons who have physical access to the thermostat.
Surprisingly, this PIN code is not required when Bluetooth LE commands are sent directly to the thermostat with the corresponding tools (an Android smartphone is sufficient; see below). This means that anyone within Bluetooth LE range, around 40 m, can control and therefore hijack the thermostat.
Attack motives range from simply changing the settings to extortion, where the radiator is turned off until a certain amount of money has been paid.
At the moment the only advice is to turn the Bluetooth feature off completely in the thermostat settings.
Android app for sending Bluetooth LE commands directly (Nordic nRF Connect): https://play.google.com/store/apps/details?id=no.nordicsemi.android.mcp&hl=de
Scan for nearby Bluetooth LE devices: hcitool lescan
The device with the name "CC-RT-BLE" is the thermostat.
Write to the thermostat without any PIN: gatttool -b 00:1A:22:09:DA:10 --char-write-req --handle=0x0411 --value=4501
Change the MAC address accordingly.
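For an operator who needs to find out which thermostats on a site still have Bluetooth enabled, the following added example (not part of the original advisory) parses the output of the scan step above and lists every device advertising the name "CC-RT-BLE". The scan output embedded in the script is constructed sample data, not a real capture; the MAC addresses in it are placeholders.

```python
import re
from typing import Dict, List

# Advertised device name the advisory identifies as the Eqiva thermostat
AFFECTED_NAMES = {"CC-RT-BLE"}

# Constructed sample of `hcitool lescan` output (not real captured data).
# hcitool prints "<MAC> <advertised name or (unknown)>", one line per
# advertisement, so the same device can appear several times.
SAMPLE_LESCAN_OUTPUT = """\
LE Scan ...
00:11:22:33:44:55 (unknown)
00:11:22:33:44:55 CC-RT-BLE
AA:BB:CC:DD:EE:01 Some-Speaker
AA:BB:CC:DD:EE:02 CC-RT-BLE
00:11:22:33:44:55 CC-RT-BLE
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*)$")


def parse_lescan(output: str) -> Dict[str, str]:
    """Map MAC -> advertised name from hcitool lescan output.

    A later "(unknown)" line never overwrites a real name already seen
    for the same MAC, since name and scan-response packets arrive separately.
    """
    devices: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip the "LE Scan ..." banner and any noise
        mac, name = m.group(1).upper(), m.group(2).strip()
        if name == "(unknown)" and mac in devices:
            continue
        devices[mac] = name
    return devices


def affected_thermostats(output: str) -> List[str]:
    """Return the sorted MACs of devices advertising an affected name."""
    return sorted(
        mac for mac, name in parse_lescan(output).items() if name in AFFECTED_NAMES
    )


def report(output: str) -> str:
    """Human-readable inventory of thermostats still reachable over BLE."""
    macs = affected_thermostats(output)
    if not macs:
        return "No Eqiva thermostats (CC-RT-BLE) seen in range."
    lines = [f"{len(macs)} Eqiva thermostat(s) in range with Bluetooth enabled:"]
    lines += [f"  {mac}" for mac in macs]
    lines.append("Turn Bluetooth off in the thermostat settings for each of these.")
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice pipe real output in: hcitool lescan | timeout 10 cat | python3 inventory.py
    print(report(SAMPLE_LESCAN_OUTPUT))
```

Duplicate advertisements are collapsed per MAC, so the count reflects devices rather than packets, and the "(unknown)" placeholder that hcitool prints before it has seen a name does not hide a thermostat that later advertised "CC-RT-BLE".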