Hackers Make the First-Ever Ransomware For Smart Thermostats (vice.com)
Lorenzo Franceschi-Bicchierai, writing for Motherboard: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars. This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a "smart" device, in this case, a thermostat. Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger. "We don't have any control over our devices, and don't really know what they're doing and how they're doing it," Tierney told Motherboard. "And if they start doing something you don't understand, you don't really have a way of dealing with it." Tierney and Munro, who both work at the UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in the security world.
Of course they demand bitcoin.
Everything involving the words 'tor' or 'bitcoin' is a fraud.
COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.
Hmm... Pay you hundreds of dollars, or replace the damn thing with a $20 model you can't hack remotely. Seems an easy choice for me.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
They'll be the first in line to use this kind of software-- forget the scammers. I can definitely picture places like Venezuela claiming they need to control your HVAC for the common good, when the problem is that there is an artificial scarcity due to their own incompetence. The Western Europeans will be next, and the USA not far behind.
I was going to say HK would be the first, but I honestly don't know if they have the technical knowledge to do this, and their people all live in government-owned housing already anyway.
Gamingmuseum.com: Give your 3D accelerator a rest.
The more IoT crap gets thrown out there the more we'll hear about this nonsense. In our mad rush to digitize everything, to make it "convenient", to show how 1337 we can be we've forgotten the virtue of simplicity.
You know why light switches are still analog? Because they work. Every time. No having to look at an app and muck about, no trying to get a signal, no being dependent upon someone else to provide connectivity. Finger. Switch. It's that simple.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
This is why I don't understand the rush to have all these IOT devices in the house. I have a couple, but they are isolated, and if they were hacked I could still function without them. There seems to be a rush to have everything, from the washing machine, to the microwave, to the toaster hooked to the internet, and there seems to be even a push to build these devices so that they do not function without an internet connection. I used to be baffled as to why consumers would even want such things. But, of course, it is not the consumers who want all this IOT, but the vendors who sell the devices and the services, trying to turn us into the product.
Proverbs 21:19
Sure, there are malicious cases for this. But most IoT devices like smart thermostats are a bit too dumbed down and don't even operate correctly without an external Internet connection. Their broken security is about the only way to get a proper level of functionality.
Yes, you can unscrew, but this only shows incompetence on your side regarding the ransom business.
What about if the crackers wait for the thermostat to be set to holiday mode and nobody is home and only then start with changing the settings and sending the ransom note? Your choice now becomes to pay or to find someone very fast to go to the home and remove the thermostat, e.g. to prevent bursting pipes in the winter or wasting tons of energy in the summer and killing the indoor plants.
Do you have any idea what a licensed installer charges for an emergency visit on a Sunday morning? That $25 thermostat is $50 because you don't get to buy the one that's on sale at Home Depot, and the cost to knock on your door is going to be close to $150, and then the rate ticks forward at $100/hr. And at the end of your $300 emergency service call, you'll be left with a dumb thermostat and a $200 paperweight.
Is it just my observation, or are there way too many stupid people in the world?
I shove anything like this on a DMZ with limited access. If it doesn't work without unfettered access to the Internet, I return it. Then again, I consider all devices untrusted unless I have complete control, including the ability to flash them to an arbitrary firmware.
The IoT isn't going to make much progress with me.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
I F
O U
T N
Ask me for $300 to get my thermostat back, and my response would be to go buy another $30-50 thermostat and have it taken care of in 5 minutes.
That said, they are absolutely right about IoT being idiotic. My personal favorite is the new fridges with Orwellian spycams. THOSE getting hacked would indeed be a workable ransomware.
Pay us $10 daily or we'll run your toaster, turn your heater on in the summer, and turn off your refrigerator.
Why can't these vendors add a $1 switch to lock the firmware from being written to?
Old PC BIOSes used to have a jumper you had to move to be able to update the BIOS.
Problem solved. Flip the switch, update firmware, flip the switch back. How hard is that?
What could be simpler than a thermostat? Even a digital thermostat with scheduled temperature changes should still at a basic level, be temperature controlled switch. What's next? Make sure to like my temperature settings on Facebook?
I think my beard may be starting to turn grey.
One day, your thermostat will get hacked by some cybercriminal
No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Oh, Internet-of-Endlessly-Exploitable-Things, ah love yew! (heart emoji x 1000)
Every day a new exploit, it's like an all-you-can-eat buffet of terrible shit, served fresh and piping hot.
Just cruising through this digital world at 33 1/3 rpm...
Embedded stuff needs to have OS updates that are on their own and come out faster than the app update.
At least some embedded stuff is ARM with cut-down Linux-based OSes. But others are full PCs running a big Linux install or even Windows with a custom app on top of it. And with a lot of them, you need to wait for the app part to be updated before the underlying OS gets fixed, even for just OS security fixes, as the updates just come as full install images.
Some embedded systems have SD cards that can have their OS hacked, and the hack can stay on the system even after power off. Unlike others where it's flashed, with a small NVRAM area that just holds settings / logs.
Wow this is amazing news after all.
How ever will we figure this one out? Any day now, ninjas drop in from Apache helicopters and hack all of your thermostats.
Or.. US Gov false flag, say Russia or Iran did it, disrupt domestic power grid systems.
Lying is what taxes pay spies to do. What makes you think this story is not a bait for responses story since Slashdot is FBI? They use what you say to play their bullshit. eg. 9/11 was false flag but did you just learn this today?
and why not a simple built-in external override switch on the outside that returns the device to manual? Seems like a selling feature.
Well, if your home is put at risk or damaged due to poor security on a "Smart" thermostat, surely the first thing a real American will do is call a lawyer. And sue the thermostat company for marketing defective goods!
All this talk of fixing it yourself is wholly un American.
Sue the bastards. That will get them to take security seriously.
Is it just me, or do others think that developing and deploying ransomware should be a capital offense? To me this just seems like another form of terrorism. If someone were to hold your house for ransom, in most jurisdictions you would be allowed to use deadly force to secure your property. At the very least this type of stuff should be a class A felony.
"Smart" thermostats often communicate with the furnace / cooling via a cat-6 or some other type of communications cable; they are rarely just a switch.
No, they do not. Retrofitting a cat6 (overkill) cable to run to the HVAC in an existing house would be prohibitively expensive and/or time consuming. They communicate with the HVAC via the same set of wires a "dumb" thermostat would use and get power over the same cables. They generally communicate with the network via wifi. Nest even kindly color codes everything so that someone who isn't a licensed technician can do the job.
Until we start treating hackers who maliciously destroy people's lives like we do kidnappers or people who throw rocks through your window, this kind of thing is going to keep getting worse. People treat hacking like a hobby where you can cause thousands or millions of dollars in damage with almost no chance of getting caught and with lackluster penalties if you do.
Doubt i'd ever connect my thermostat to the internet anyways. If it's really smart it won't need the internet to help it =P Nor will it need my input.
I've said this before but it needs to be said again. The benefit of a thermostat being an Internet of Things device as opposed to a LAN-only device is minimal. The main benefit of these smarter thermostats is just that you can configure them from a web page. This is easier than the older ones with a tiny LCD screen and a small number of buttons. The thing is that many devices such as printers and broadband routers have embedded web pages that demonstrate how you can handle configuration web pages internally. There is no need to connect outside your LAN for this. Really, the only thing that an IoT design allows on top of this is the ability to change settings from anywhere without having to set up a method to get into your local network such as a VPN server (many broadband routers today include one), a service like GoToMyPC or SSH tunneling. I really doubt that this ability to change thermostat settings from anywhere in the world is that useful to most people. You lose security and privacy. The real point of the IoT design is to allow the external site to collect data about you. They can probably infer when you are home or away and when you are awake or asleep from the thermostat data. Are those costs really worth the benefits?
My power company called, last year, to offer me one. I told them not under any circumstances.
mark, who remembers when the 'Net was civilized
Rabble rabble rabble... Honeywell round thermostat. Twenty bucks, no internet connection, and simple enough even my grandparents can operate it.
If they hold your thermostat ransom for $300, why not just use the $300 to buy a new thermostat and tell the hackers to get lost? I can pick up the Nest Thermostat at my local big box home improvement store today for $249.99; why would I pay more to the hackers?
Granted, my thermostat cost a lot less than that - and doesn't have the fancy features of the nest - but if I was someone inclined to purchase a thermostat for $300 I don't see why I would pay the same amount to get it back from hackers if I could replace it instead and tell them to take a hike.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
... when you are in control of the device's internet connectivity, and can put it behind a firewall and a private-only IP that will permit outgoing access only, similar to a NAT. If that causes the device to behave badly, then the device is already broken and useless. If you want to control the device from outside of your firewall, you can still do so via a secured system that is behind the firewall that *can* accept incoming connections, where any incoming connection to the other system can go through authorization procedures that are otherwise necessary to remotely connect to that system (such as what you might use for ssh, etc).
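The network layout the two posts above describe (a LAN-only device that can still reach its vendor, no inbound connections to it, and remote access only through a separately secured host that does accept SSH) is easy to state as a firewall policy. The ruleset below is an example added to this page; it is not from the article, from Pen Test Partners, or from any commenter. The interface names (wan0 upstream, lan0 trusted LAN, iot0 a separate VLAN for the thermostat and other IoT gear) and the addresses (bastion 192.168.10.5) are assumptions for the sake of the example.

```nftables
# Example ruleset (added here; not part of the original thread).
# Assumed interfaces: wan0 = upstream, lan0 = trusted LAN, iot0 = IoT VLAN.
# Assumed bastion (the one host that accepts SSH from outside): 192.168.10.5

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Return traffic for anything the router itself opened
        ct state established,related accept
        iifname "lo" accept

        # Router management only from the trusted LAN
        iifname "lan0" tcp dport { 22, 443 } accept

        # IoT devices get DNS and DHCP from the router and nothing else
        iifname "iot0" udp dport { 53, 67 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already opened from inside
        ct state established,related accept

        # IoT VLAN -> Internet: outbound only, which is what lets the
        # thermostat reach its vendor cloud without anyone reaching it.
        # Narrow this to the vendor's endpoints once you have observed them.
        iifname "iot0" oifname "wan0" ct state new accept

        # Trusted LAN -> IoT VLAN: so you can reach the device's local UI
        iifname "lan0" oifname "iot0" ct state new accept

        # Internet -> bastion on the trusted LAN, SSH only (daddr is already
        # rewritten by the DNAT rule below when this chain runs)
        iifname "wan0" ip daddr 192.168.10.5 tcp dport 22 ct state new accept

        # Everything else is dropped by the chain policy, in particular
        # IoT -> trusted LAN and Internet -> IoT VLAN.
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # The only port forward: inbound SSH goes to the bastion, never to a device
        iifname "wan0" tcp dport 22 dnat to 192.168.10.5
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Check the syntax with `nft -c -f ruleset.nft` and load it with `nft -f ruleset.nft`. The point a practitioner should take from it is the two things the `forward` chain deliberately has no rule for: nothing on iot0 may open a connection to lan0, and nothing on wan0 may open a connection to iot0. A device that stops working under this policy is, as the post above says, already broken; a device that works under it can still be reconfigured from anywhere via SSH to the bastion and then to its LAN-side web page, with the authentication living on the bastion rather than on a consumer thermostat.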
File under 'M' for 'Manic ranting'
You call yourself Frosty Piss, and you can't send binary down the line using a 9V battery, some paper clips, and a resistor (to get it down to 5V)? Whatever happened to Slashdot?!
I'm working on a plan to have an IOT shower head. It has a camera built into it that watches the steam coming from the shower to judge if it is hot enough or not- the shower head will then automatically adjust the temperature. Internet connectivity will ensure firmware updates.
Any backers for my device? Camera is for watching steam only.
Anyone who responds would go on a hacker sucker list.
What's next, someone is going to hack a lightbulb and demand $100 or threaten to leave it on 24/7?
A decent new programmable thermostat is $40 at home depot. If I had a so-called "smart" thermostat and it got hacked, you can bet I'm neither going to pay the ransom nor replace it with another so-called "smart" thermostat.
I played this when it was called Megaman Battle Network. It didn't end too well IIRC.
Initially, I thought the same as many other comments - just replace the thermostat with a basic contact closure type not connected to the net. I think that probably misses the main point of the exercise, though, which is to demonstrate how simple taking over IoT devices can be. Some devices are mission critical and taking them offline or losing reliable control could be detrimental. I think the real point of the exercise might be that mission critical devices need to be designed so that they can be unplugged from the net without consequence, and there must also be design considerations to keep unwanted attackers from gaining any sort of control. Seems obvious, but proof of need seems to be necessary, especially when people can't see the forest for the trees. Just sayin.
Internet of Shit
All your baseboard are belong to us!
Well, said human can expend time and mental energy to figure out something, which will have little benefit to him/herself, or call someone who deals with said problem frequently. That someone could be a bottom-third high school graduate who took a one-year course on said problem, and knows the details, but does not know the science behind said problem: sort of like cable TV installers.
A dumb thermostat isn't always an option. My pellet stove for example uses a proprietary thermostat. The thermostat is the actual brains for the pellet stove.
Actually on my furnace you cannot connect a conventional thermostat. The thermostat talks to the furnace over RS-485 with a proprietary protocol. Now lucky for me it's not a 'smart' internet connected device. But depending on the installation the option of putting in a dumb thermostat may not exist.
I ran into something like that when I had to replace a water heater - in Silicon Valley.
In some areas of California, environmental regulations require you to install an extremely energy-efficient water heater. Part of the way this efficiency is obtained, with gas water heaters, is by not using a pilot light, which burns substantial gas all the time. (The pilot-light in my Nevada place's water heater puts out enough heat that, even with the heater set to "vacation" in the dead of winter, the tank's water is only about 10 degrees F below the normal setpoint when I arrive after weeks away.)
Instead, they have a furnace-style spark igniter - and a computerized thermostat to control it.
One downside is that, in a power failure, the tank won't heat. (After a couple showers I need to start the emergency genny and make sure the water heater is on the backed-up circuit.)
But another downside is that the heater is able to hook up to your home network via WiFi - for convenient monitoring and remote control.
(Fortunately, as of this spring, the WiFi hookup is an add-on board, which I presume contains the radio. So I just didn't buy the board. But with radio-capable systems-on-a-chip becoming so cheap, due to the IoT, I expect that the next models will have the radio built-in and always-on. That will let the bad guys track whether, and when, the building is occupied by looking at the water heating load, or just screw around with the settings.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Or buy a new one for a few hundred dollars, because that is what they cost new?
It also assumes there is no way to force a factory bootload.
It also assumes the targeted house would not just call for service since the heat is broken.
How else are we going to save the planet unless the government has control over your thermostat?
how hard is it to walk over to the thermostat, do you really need to control it with your phone - and why do you need to turn the heat on when you aren't home? just to waste energy? It's like remote start on a car - just start the damned car when you get in it - it seems like tech for tech's sake and not for problem solving.