Once an attacker has gained access they can quickly extract all information from the device including the home heating and cooling schedule, current operation mode, current temperature, chat and alarm history, serial number, active socket connections, trusted URLs, secret IDs, software version info and detailed address and installer information. These will allow attackers to perform a number of dangerous operations. This includes forcing the device to maintain the maximum heating setting or disabling the device continuously thereby overriding user input. Attackers can also remove and create trusted server connections permanently disconnecting the device from the corporate command and control servers.
Below shows the exploit that affect the device. The "Get Connected" banner at the top of the screen is a marketing prompt indicating that the device is not enrolled in any remote services or special features.