Slashdot Mirror


Hackers Make the First-Ever Ransomware For Smart Thermostats (vice.com)

Lorenzo Franceschi-Bicchierai, writing for Motherboard: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars. This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a "smart" device, in this case, a thermostat. Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger. "We don't have any control over our devices, and don't really know what they're doing and how they're doing it," Tierney told Motherboard. "And if they start doing something you don't understand, you don't really have a way of dealing with it." Tierney and Munro, who both work at UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in the security world.

3 of 213 comments

  1. I actually prefer it hackable by omnichad · Score: 3, Interesting

    Sure, there are malicious cases for this. But most IoT devices like smart thermostats are a bit too dumbed down and don't even operate correctly without an external Internet connection. Their broken security is about the only way to get a proper level of functionality.

  2. Re:Governments will love this by tripleevenfall · Score: 3, Interesting

    It's not difficult to imagine California deciding they need the ability to throttle your AC to combat brownouts/global warming/whatever.

  3. Re:From consumers to products by Anonymous Coward · Score: 4, Interesting

    A lot of people are glossing over that the newer models with IoT thermostats have much more complicated control systems because the compressor and fan have different power settings. Thus, the signal-to-activation connection is no longer a binary controller that can be hot-wired.

    We live near but not in Washington D.C. When we installed new HVAC units we had the option of taking a wireless or regular thermostat, to which I elected "very strongly" to have the regular one or else I would cut the antennas out. The HVAC guy looked up with any amount of shock and said that the last two installs he did the people said the same thing. One was at the CIA and the other at the FBI (according to the HVAC guy. I'm in the DoD).

    Most people just see the functionality, not the risk. No one understands the risk until it becomes a reality. I have tried multiple times to get people to understand this and they refuse. Setting up a computer is no different for the layman---they fiddle with it until it works and stop as soon as it does. Doesn't matter that the firewall is fully open now and sharing is on. It works, and that's all that counts. I'd wager the same goes with IoT. It's about what can be done, not what might happen that you didn't expect.