Hackers Make the First-Ever Ransomware For Smart Thermostats

Lorenzo Franceschi-Bicchierai, writing for Motherboard: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars. This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a "smart" device, in this case, a thermostat. Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger. "We don't have any control over our devices, and don't really know what they're doing and how they're doing it," Tierney told Motherboard. "And if they start doing something you don't understand, you don't really have a way of dealing with it." Tierney and Munro, who both work UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in security world.

Yes, because it would be

[The+Cisco+Kid]

COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

Re:Yes, because it would be

Yes, i'm sure the smart thermostat vendor has a line dedicated for hacked thermostats. And if they don't, I'm sure their technical support folks will have no problem getting past the "is your thermostat connected? No? Then you must connect it for us to help you" part of their script.

3 days later, you might get to someone in engineering who will say, yup, we raised this at our management meeting. Them marketing folks didnt care. Can't help you.https://it.slashdot.org/story/16/08/08/1449221/hackers-make-the-first-ever-ransomware-for-smart-thermostats#

Re:Yes, because it would be

Why the fuck did you buy that?

Re:Yes, because it would be

[tripleevenfall]

Probably capable of calling a person to install a $25 thermostat and paying them one hour of labor to do so.

Who the f*** would pay this?

[BronsCon]

Hmm... Pay you hundreds of dollars, or replace the damn thing with a $20 model you can't hack remotely. Seems an easy choice for me.

Re:Who the f*** would pay this?

[pla]

Not sure how an oven - Or a refrigerator - Or anything else, for that matter, involves a substantially different solution:

The IoT is a bad idea, period. I don't need any appliance in my house to have internet access, and will actively go out of my way to make damned sure they don't.

And before someone says "eventually you won't have any choice" - Of course we will. We might pay a bit a bit extra for the "marine" or "remote cabin" version, but as long as someone has a use case requiring offline use, that will remain an option.

From consumers to products

[wcrowe]

This is why I don't understand the rush to have all these IOT devices in the house. I have a couple, but they are isolated, and if they were hacked I could still function without them. There seems to be a rush to have everything, from the washing machine, to the microwave, to the toaster hooked to the internet, and there seems to be even a push to build these devices so that they do not function without an internet connection. I used to be baffled as to why consumers would even want such things. But, of course, it is not the consumers who want all this IOT, but the vendors who sell the devices and the services, trying to turn us into the product.

Emergency service call costs

[Overzeetop]

Do you have any idea what a licensed installer charges for an emergency visit on a Sunday morning? That $25 thermostat is $50 because you don't get to buy the one that's on sale at Home Depot, and the cost to knock on your door is going to be close to $150, and then the rate ticks forward at $100/hr. And at the end of your $300 emergency service call, you'll be left with a dumb thermostat and a $200 paperweight.

Re:Emergency service call costs

[Waffle+Iron]

In the worst case, they could just unscrew the wires from the thermostat and clip the bare ends together with a clothespin to turn on the furnace. That would at least keep the pipes from freezing and cost $0.

Re:Emergency service call costs

>"Smart" thermostats ofter communicate with the furnace / cooling via a cat-6 or some other type of communications cable

No, these smart thermostats are simple replacements, not something requiring a computerized furnace.

Re: Emergency service call costs

[WarJolt]

Somehow I feel like in order to graduate from high school one requirement should be to realize thermostats aren't magic. Too bad we can't revoke HS diplomas. Many Americans don't know cell phones work using radios. It's a bit troubling that a 30 minute electricity experiment performed at an elementary school level can provide the necessary insight into the operations of a thermostat and yet most Americans can't figure this shit out.

Bullshit, never going to happen

[kheldan]

One day, your thermostat will get hacked by some cybercriminal

No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.