Hackers Make the First-Ever Ransomware For Smart Thermostats (vice.com)

Lorenzo Franceschi-Bicchierai, writing for Motherboard: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars. This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a "smart" device, in this case, a thermostat. Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger. "We don't have any control over our devices, and don't really know what they're doing and how they're doing it," Tierney told Motherboard. "And if they start doing something you don't understand, you don't really have a way of dealing with it." Tierney and Munro, who both work at UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in the security world.

  1. Yes, because it would be by The+Cisco+Kid · · Score: 5, Insightful

    COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

    1. Re:Yes, because it would be by Anonymous Coward · · Score: 1

      Do you really assume every person who owns one is capable of that?

    2. Re:Yes, because it would be by Anonymous Coward · · Score: 5, Informative

      Actually on my furnace you cannot connect a conventional thermostat. The thermostat talks to the furnace over RS-485 with a proprietary protocol. Now lucky for me it's not a 'smart' internet connected device. But depending on the installation the option of putting in a dumb thermostat may not exist.

    3. Re:Yes, because it would be by Anonymous Coward · · Score: 2, Insightful

      Yes, I'm sure the smart thermostat vendor has a line dedicated for hacked thermostats. And if they don't, I'm sure their technical support folks will have no problem getting past the "is your thermostat connected? No? Then you must connect it for us to help you" part of their script.

      3 days later, you might get to someone in engineering who will say, yup, we raised this at our management meeting. Them marketing folks didn't care. Can't help you.

    4. Re:Yes, because it would be by Anonymous Coward · · Score: 4, Insightful

      Why the fuck did you buy that?

    5. Re:Yes, because it would be by tripleevenfall · · Score: 3, Insightful

      Probably capable of calling a person to install a $25 thermostat and paying them one hour of labor to do so.

    6. Re:Yes, because it would be by Anonymous Coward · · Score: 1

      If you can install a thermostat (or have proper backups), ransomware won't seriously affect you. For the other 95% of people, it's a choice between paying for someone else to come and fix it, or paying the ransom.

      I've been asked to deal with ransomware on computers a few times; it's generally priced such that it's cheaper to pay the ransom than get me out to look at it, and mostly there's nothing that can be done (strongly encrypted files + no backups, or only one set of now-encrypted backups).

      With compromised hardware, there is at least something that can be done, but the best case scenario is that you spend money on a replacement whilst your expensive IOT device pulls duty as a paperweight. If you wait for the manufacturer to sort it out/send a replacement, then you'll have to put up with extreme hot/cold for at least a couple of days and - unless that manufacturer has got its shit together since it sold you the piece of crap - as soon as you set it back up you're vulnerable again. In any case, you're probably out more dollars than they were asking for the ransom.

      It sucks, but so long as people will pay them, I don't see it going away any time soon.

    7. Re:Yes, because it would be by cfalcon · · Score: 2

      > calling a person to install a $25 thermostat

      Because HVAC guys are able to gear up to handle a newly enabled assault on the infrastructure they provide ("Thanks, Computer Science! For bringing all your problems everywhere, from hearth to hospital!"), show up, and have a whole ton of old school thermostats just laying around in case.

      Way worse if the attack is distributed top down.

      And remember: this specific attack is just about a thermostat. Other "smart" things (read: "will remotely obey your enemies in time of need") will or do include the refrigerator with grandma's insulin, the lock on the front door, and opened or closed status of the garage door, and in some cases, pieces of the plumbing. I can't wait for some smart toilet to yield some kind of resonant attack on the pipes by clever timing of valves.

      All this tech, brought to you by a few semi-professionals buying the cheapest commodity chips from gods-know-where. I'm sure they will succeed where security professionals routinely fail.

    8. Re:Yes, because it would be by Anonymous Coward · · Score: 1

      Where do you live that every piece of tech in your home was made to your exacting specifications? Libertopia? Satoshi's comet? Are you John Galt? Come on man, he probably lives in his house for the same reason as everyone - it's close enough to work, and he was able to afford it. Replacing a furnace is a pretty goddamned big deal.

    9. Re:Yes, because it would be by swb · · Score: 1

      Harder to do when you're in Florida and it's -20F at home.

      Pay the ransom or run the risk of burst pipes and destroyed interiors from water damage.

      During the mortgage meltdown, there were at least a couple of "frozen waterfall" houses that turned up in the news when the heating failed. Basements flooded, ceilings collapsed and pretty ice sculptures where you'd normally expect drywall.

    10. Re:Yes, because it would be by Archangel+Michael · · Score: 1

      I am beginning to believe that "smart" devices = "dumb" humans.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

    11. Re:Yes, because it would be by slashrio · · Score: 1

      Doesn't the manual mention the possibility of 'hard reset', or 'factory restore'?

      --
      "Trump!!", the new Godwin.

    12. Re:Yes, because it would be by Opportunist · · Score: 1

      If you're renting, it could well be.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    13. Re:Yes, because it would be by Anonymous Coward · · Score: 1

      It's a geothermal system which, with a more advanced thermostat, can do zoned heating. Having an RS-485 protocol allows you to get away with only 2 wires to the furnace and still have more advanced features. For instance, I can see at a glance on the thermostat how much energy the furnace is consuming right now. It also supports staged heating/cooling to conserve energy: it can run the compressor at reduced speed when only a little bit of heat is required, making the system more efficient. You can also hook up an outdoor temperature sensor and have the heat/cool change automatically. It tracks the furnace run time and tells me when to clean the filter, etc. All these 'features' would not be available on a dumb thermostat. It also comes with a 10 year warranty so I'm not particularly worried.

      My whole point though was that not all systems are capable of simply replacing the thermostat with a dumb one.

    14. Re:Yes, because it would be by cfalcon · · Score: 2

      I mean, look at how many compromises we make with our computers and computer programs. And many of us are computer professionals. Even if you do go through hoops to have your computer be pretty much perfect, that's because of a passion about that. I don't think anyone has everything set up perfectly, and the mere existence of these things in the market place means that many people are going to end up with them, unless they are passionate haters.

      For my part, I actually got a new furnace and AC recently, and I brought up that I didn't want any networking technology, and that an analog ("mechanical") thermostat would be ideal. He was easily able to accommodate the first, but the "mechanical" thermostats were a pain- they were rare and way more expensive because there's not much market for them. What will that conversation sound like in twenty years?

      And of course- I was able to accomplish this because I was having just the HVAC work done anyway, and all had to be replaced regardless.

    15. Re:Yes, because it would be by fustakrakich · · Score: 1

      Are you sure your "smart" furnace will work with a regular thermostat?

      --
      “He’s not deformed, he’s just drunk!”

    16. Re:Yes, because it would be by pla · · Score: 1

      If you're renting, it could well be.

      If I'm renting, I don't care about the cost of getting someone out on a Sunday morning in a blizzard to fix it, because appliances like a furnace count as 100% the problem of the landlord.

      That said, if the landlord drags his feet - A screwdriver still works just fine. Let him try to take me to court for a problem directly resulting from his own negligence.

    17. Re:Yes, because it would be by JackieBrown · · Score: 1

      Do you really assume every person who owns one is capable of that?

      I am sure everyone is able to switch off the power breaker to their AC/Heater unit.

    18. Re:Yes, because it would be by kheldan · · Score: 1

      You, I, and any number of other Slashdot readers could handle installing a thermostat for their HVAC system, even if they've never done it before; not so much for the average person, who needs to whip out a calculator for basic math, needs a YouTube video to help them change a lightbulb, and (back in the day, at least) always had "12:00" flashing on their VCR. You know, the same ones who never thought twice that their computer, one day, suddenly had Windows 10 on it? That's who these assholes will be targeting, the people who can't defend themselves to start with. The rest of us will either not fall for the 'IoT' troll/meme in the first place (like me), or will choose IoT devices that can be on an isolated network or that can otherwise be protected.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!

    19. Re:Yes, because it would be by c · · Score: 1

      Most of these "smart" thermometers have some sort of presence sensing. If you target devices where someone hasn't been home for 2-3 days (say, Monday-Wednesday) you might catch people on vacation. In colder climates, killing the furnace during a cold snap while the owners are away for a couple weeks might be an effective threat.

      --
      Log in or piss off.

    20. Re:Yes, because it would be by Gravis+Zero · · Score: 1

      which part of "theoretical dangers" do you not understand? the fact that you can take control of it remotely and have it do your bidding is the point being made.

      --
      Anons need not reply. Questions end with a question mark.

    21. Re:Yes, because it would be by geekmux · · Score: 2

      COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

      Quite often there is an inverse correlation between the "smart" device and the owner, and you ARE talking about a human that needs an app to operate their thermostat so, good luck with that theory.

    22. Re:Yes, because it would be by DRJlaw · · Score: 1

      For my part, I actually got a new furnace and AC recently, and I brought up that I didn't want any networking technology, and that an analog ("mechanical") thermostat would be ideal. He was easily able to accommodate the first, but the "mechanical" thermostats were a pain- they were rare and way more expensive because there's not much market for them. What will that conversation sound like in twenty years?

      The first requirement is understandable. The second, I just don't get. I installed a bog-standard Honeywell programmable electronic thermostat. Programmable in the sense that I can set four temperature/time targets per day (manually); but it doesn't network to anything, doesn't learn anything, and the only input it cares about from outside the house is the temperature of an air-source heat pump as a run/not-run threshold (where not-run simply burns natural gas). A mechanical thermostat would remove most of that functionality in favor of -- surviving an EMP? I'd have bigger problems.

      Anyone who can mess with mine can mess with yours -- once you're inside the house and getting your grubby mitts on it, you can change the settings on either one.

    23. Re:Yes, because it would be by Archangel+Michael · · Score: 1

      Smart Thermostats only learn if you're predictable; you still have to figure out how to override them when they don't figure you out correctly, which can be quite annoying. "Hey, I'm not home you stupid thermostat, don't turn on the air/heat automatically" to "Hey, I stayed home today, I still have to turn the air/heat on manually" ...

      Just now, I can do it remotely, just like the hackers!

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

    24. Re:Yes, because it would be by tlhIngan · · Score: 1

      For my part, I actually got a new furnace and AC recently, and I brought up that I didn't want any networking technology, and that an analog ("mechanical") thermostat would be ideal. He was easily able to accommodate the first, but the "mechanical" thermostats were a pain- they were rare and way more expensive because there's not much market for them. What will that conversation sound like in twenty years?

      That's because "dumb" programmable thermostats have basically become the norm - the old analog ones worked but were clunky and had lots of workarounds like setbacks, hysteresis and high-end-start-lockouts. In the end it made for a complex mess of workarounds. (high end start is if the AC has been running and the high pressure line is still pressurized - you should not engage the compressor because it puts on a lot of stress and wear - you have to wait a few minutes for the high pressure line to depressurize before kicking in the compressor)

      One thing is, a smart thermostat is way more expensive than a dumb programmable digital one - all the IoT ones cost around $200, while the fanciest of dumb ones are still under $100. And a basic one is often only $30 on sale.

    25. Re:Yes, because it would be by barc0001 · · Score: 1

      /.ers tend to forget that they are generally far more comfortable doing things like that than the average person. Would your grandmother, or sister be comfortable doing that? Or your wants-nothing-to-do-with-wiring-stuff son?

      But that sidesteps the bigger point in that this shouldn't even be a concern. It's a thermostat, this feature creep crap is getting out of hand and we'll be lucky to live through it.

    26. Re:Yes, because it would be by Bob+the+Super+Hamste · · Score: 1

      needs a YouTube video to help them change a lightbulb

      Hey, I've done that, granted it was for a light on the interior of my car and I didn't want to destroy anything, as the little friction clips used provided a lot more friction than I thought they would have. So given that, I wanted to see if there was some dumb little thing I was missing, like slipping a slotted screwdriver in to press a tab or something, so that I would only be putting in a $2 bulb instead of putting in a whole new light enclosure that would cost $150.

      --
      Time to offend someone

    27. Re:Yes, because it would be by Bob+the+Super+Hamste · · Score: 1

      Do not underestimate grandmothers; granted, some of the younger ones nowadays maybe, but those who grew up in the depression actually have skills. My grandmother plays the sweet old grandma who is into sewing, knitting, house plants, and cooking most of the time, but over the years you find out that she can handle herself just fine around tools, machines, firearms, and wild animals as well.

      --
      Time to offend someone

    28. Re:Yes, because it would be by Megane · · Score: 1

      It is also completely impossible to make a smart thermostat that doesn't expose itself to inbound connections from everywhere. I have one that connects out to the cloud service every 3-5 minutes. (It also doesn't have a fancy color display for those l33t pwnz0r screens.) So when you make a change from their web page it may take a few minutes before it happens, but it's not being a port slut to every kiddie scan out there.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }

    29. Re:Yes, because it would be by Megane · · Score: 1

      He's not talking about "exacting specifications", he's talking about the standard fucking 4- or 5-wire connection that most normal thermostats have been using for decades. (The one that somehow operates relays off of 24VAC.) It's a weird spec, but it's a well known one. Even then, there are still home HVAC manufacturers out there that insist on their own special snowflake wiring.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }

    30. Re:Yes, because it would be by judoguy · · Score: 1

      COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

      Yes, it can be. I have a 10 year old system with a thermostat that talks to the controller via some fucking proprietary scheme over cat-5 that simply can't be replaced with a simple switch. It isn't IP addressable, so no problem there, (although, that might be preferable now that I think about it) but when it goes tits up, I'm in a world of hurt. Or around $700 of hurt at current Ebay prices.

      So, no, sometimes you can't just wire in a cheap replacement.

      --
      Peace is easy to achieve, just surrender. Liberty is much harder to get/keep.

    31. Re:Yes, because it would be by russotto · · Score: 1

      Honeywell CT87N. $42 at Big Orange (this is the classic round one). Honeywell CT31A, $20 at Big Orange.

    32. Re:Yes, because it would be by BronsCon · · Score: 1

      And if your counter is then to have a $20 thermostat on hand on the shelf as a backup in case of ransomware, then why have the smart thermostat at all?

      Actually, you can find my counter in bold.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

    33. Re:Yes, because it would be by type40 · · Score: 1

      For 95% of snowbirds this is how that'll go: Hi Kate, it's Jeff, how are you? Oh that's good to hear. Well, I was wondering if you could get Hank to do me a favor when he gets back from bowling. Some little jerk off in Croatia or somewhere just hacked the thermostat in our house and wants $500 to turn the heat back on. I know, right! For Christ's sake get a job! Ha ha no, I'm sure Hellen isn't behind it but don't go giving her any ideas! Yeah so if Hank could run over to Murphy's and grab a cheapo thermostat to install that'd be awesome. Really, the Hendersons? Well, at least we're not the only ones. You don't say?! If Jenny has time by all means let her take a crack at it. If she can unlock it and keep it from happening again I'll gladly pay her the $500. No, no, I insist. She's going to school and'll put it to better use than that little Yugoslavian prick. Well that sounds great then. Yup, just give me a call later. Bye.

      --
      "You can see I know very little about pimp policy." George McGovern.

    34. Re:Yes, because it would be by guruevi · · Score: 1

      Completely impossible for these thermostats or hell, even newish furnaces to have a freeze sensor that mechanically triggers the heat regardless of its internal setting?

      Or you could place your old thermostat at a low temperature in parallel and hang it in your basement.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com

    35. Re:Yes, because it would be by fluffernutter · · Score: 1

      I certainly hope you mention it if you sell your home. I'd be pretty pissed off if I bought a house and found out I could only replace with 0.001% of the thermostats available on the market. Not something I or any agent I've used has thought to ask about. Good reason for getting a home inspection I guess, but do most of those even discover a non-standard furnace connection?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.

    36. Re:Yes, because it would be by coofercat · · Score: 1

      Actually, I have a 'smart' thermostat. I asked a bunch of companies what would happen to their device if their servers stopped working. Nest does almost nothing without the 'cloud'. Hive (via British Gas) never gave me a straight answer. I asked repeatedly, but all they'd say is that I needn't worry, they're not going anywhere and so the servers would always be there. AFAIK, it turns into an ordinary bi-metallic strip type thermostat if there's no cloud.

      I ended up with a Heat Genius system because it carries on working (albeit without remote access). It's got a 'cloud' connection, but it's optional. I can either use UPnP, or else I have to open up firewall ports to let the cloud (and support) in. If I don't do so, then it all just works LAN-only.

      The system is a hub (with a Raspberry Pi in it, I believe), and some Z-Wave radiator valves, UFH valve switches and a few other bits. In theory they're all hackable, although I seriously doubt you could do much that way - the comms between hub and device isn't really up to it. If the actual hub box got p0wned, it'd be a pain in the arse (about £200 to replace, although I'd probably argue enough to get one for free). In the interim period, it's possible to turn it off and let each of the radiator valves work manually (they have some little buttons that set the target temperature). I don't think our underfloor would work at all though.

      So... why bother with any of this? Well, when it's working properly, it's actually very good at controlling the temperature in the house. It uses some fancy logic to just about heat the room to the target temperature without over-shooting it. It also maintains temperature very well. My memory of physics suggests this should be cheaper to run than more traditional setups (although I don't have any decent facts either way). If I'm honest, it's got quite a few rough edges, and some annoying bugs. Having said that, I can't fault their support, so getting to the bottom of what's going on pretty quickly.

    37. Re:Yes, because it would be by mcswell · · Score: 1

      Probably as many people choose their house for the furnace it has, as choose their car for the cupholders it has.

    38. Re:Yes, because it would be by mcswell · · Score: 1

      "What's next, light bulbs that need a proprietary protocol to talk to the light switch?": I have a box of incandescent light bulbs stored in my basement for that day.

  2. Who the f*** would pay this? by BronsCon · · Score: 5, Insightful

    Hmm... Pay you hundreds of dollars, or replace the damn thing with a $20 model you can't hack remotely. Seems an easy choice for me.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

    1. Re:Who the f*** would pay this? by NotInHere · · Score: 1

      A thermostat is probably a bad example, but take e.g. an oven that may be able to cause a fire or a car that may kill you on the road. Also, larger deployments will be more inclined to pay, e.g. for a company a $5000 ransom may be cheaper than having to replace all 200 thermostats in its various rooms.

    2. Re:Who the f*** would pay this? by Anonymous Coward · · Score: 1

      Wrong. (Not an endorsement, just the first result):

      $18.88.

      http://www.homedepot.com/p/Lux-7-Day-Manual-or-Programmable-Thermostat-TX100E-006/206605731

    3. Re:Who the f*** would pay this? by Overzeetop · · Score: 1

      How much would you pay to get back into your house at 11:30pm on a Saturday night when it's 20 below zero outside and your smart locks have all been hacked? No need for a $5k ransom - it needs only be a couple hundred dollars, repeated many times, to be profitable.

      Or in the case of a thermostat, a remote override that switches a heater on full blast on a hot summer day or - better yet - begins switching between heating and cooling on a heat pump, which will burn out the compressor in under an hour and cost a couple thousand dollars to replace. How many people will think of cutting the breaker in time? Not too many.

      --
      Is it just my observation, or are there way too many stupid people in the world?

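The compressor-reversal scenario in the comment above, together with the hysteresis and high-end-start lockout described earlier in the thread and the freeze-sensor idea raised there, can be shown in a small controller model. This is an added example, not code from the thread, from Pen Test Partners, or from any thermostat vendor: a toy heat-pump thermostat in which the anti-short-cycle lockout and a freeze floor sit beneath the layer that accepts remote setpoint and mode commands, so a hijacked app or cloud session can move the setpoint but cannot force the compressor to restart faster than the lockout allows or hold the house below the floor. Every threshold, the lockout time, the class and function names and the per-minute thermal model are constructed assumptions.

```python
"""Toy heat-pump thermostat with safety interlocks below the remote-command layer.

Added illustration; not code from the thread, Pen Test Partners or any vendor.
All thresholds, names and the thermal model are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_COMPRESSOR_OFF_S = 300        # assumed anti-short-cycle lockout: 5 min off before restart
HYSTERESIS_F = 1.0                # assumed deadband around the setpoint
FREEZE_FLOOR_F = 45.0             # assumed hard floor: call for heat below it, whatever the mode
SETPOINT_LIMITS_F = (50.0, 90.0)  # assumed clamp applied to every commanded setpoint


@dataclass
class HeatPumpThermostat:
    setpoint_f: float = 70.0
    mode: str = "off"                       # "off", "heat" or "cool"
    running: Optional[str] = None           # direction the compressor is running, or None
    stopped_at_s: float = float("-inf")     # time the compressor last stopped
    events: List[str] = field(default_factory=list)

    def command(self, *, setpoint_f=None, mode=None, source="remote"):
        """Remote-command layer: clamp and validate, never touch the interlocks."""
        if setpoint_f is not None:
            lo, hi = SETPOINT_LIMITS_F
            clamped = min(max(float(setpoint_f), lo), hi)
            if clamped != setpoint_f:
                self.events.append(f"{source}: setpoint {setpoint_f} clamped to {clamped}")
            self.setpoint_f = clamped
        if mode is not None:
            if mode in ("off", "heat", "cool"):
                self.mode = mode
            else:
                self.events.append(f"{source}: rejected mode {mode!r}")

    def _demand(self, room_f):
        """Direction the control law wants, before the compressor interlock."""
        # The freeze floor beats mode and setpoint; a small band stops it chattering.
        if room_f < FREEZE_FLOOR_F or (
            self.running == "heat" and room_f < FREEZE_FLOOR_F + HYSTERESIS_F
        ):
            return "heat"
        if self.mode == "heat":
            if room_f < self.setpoint_f - HYSTERESIS_F:
                return "heat"
            if self.running == "heat" and room_f < self.setpoint_f + HYSTERESIS_F:
                return "heat"                   # inside the deadband: keep running
        elif self.mode == "cool":
            if room_f > self.setpoint_f + HYSTERESIS_F:
                return "cool"
            if self.running == "cool" and room_f > self.setpoint_f - HYSTERESIS_F:
                return "cool"
        return None

    def tick(self, room_f, now_s):
        """One control cycle; returns the compressor direction actually applied."""
        want = self._demand(room_f)
        if want == self.running:
            return self.running
        if self.running is not None:
            # A reversal or a stop always passes through a compressor stop.
            self.running = None
            self.stopped_at_s = now_s
            self.events.append(f"t={now_s}: compressor stopped")
        if want is not None:
            if now_s - self.stopped_at_s < MIN_COMPRESSOR_OFF_S:
                self.events.append(f"t={now_s}: start '{want}' held by lockout")
            else:
                self.running = want
                self.events.append(f"t={now_s}: compressor running '{want}'")
        return self.running


def simulate_mode_flipping(seconds=1800, period_s=30):
    """Constructed scenario: a hijacked session flips heat/cool every period_s with
    setpoints that demand the compressor at once. Returns (starts, commands);
    without the lockout, starts would equal commands."""
    t = HeatPumpThermostat()
    starts = commands = 0
    for now in range(0, seconds, period_s):
        mode = "heat" if (now // period_s) % 2 == 0 else "cool"
        t.command(mode=mode, setpoint_f=85.0 if mode == "heat" else 55.0)
        commands += 1
        before = t.running
        after = t.tick(70.0, now)
        if after is not None and after != before:
            starts += 1
    return starts, commands


def simulate_freeze_attempt(hours=10):
    """Constructed scenario: mode forced to off while the room loses heat. Crude
    per-minute model: -0.5F idle, +1.0F heating. Returns the lowest room temperature."""
    t = HeatPumpThermostat()
    t.command(mode="off", setpoint_f=50.0)
    room = lowest = 60.0
    for now in range(0, hours * 3600, 60):
        room += 1.0 if t.tick(room, now) == "heat" else -0.5
        lowest = min(lowest, room)
    return lowest


if __name__ == "__main__":
    print("starts, commands:", simulate_mode_flipping())   # lockout bounds restarts
    print("lowest room F:", simulate_freeze_attempt())     # floor holds near 45F
```

With the constructed numbers, sixty alternating commands in half an hour produce only six compressor starts, and forcing the mode to off never takes the room more than a couple of degrees under the floor before the controller calls for heat on its own. The point is architectural: whatever the app, cloud account or firmware update channel can be made to say, the interlocks read only the room sensor and the clock, which is the same property a mechanical freeze stat or a time-delay relay gives a dumb system.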
    4. Re:Who the f*** would pay this? by BronsCon · · Score: 1

      $5000 one time might be cheaper, but you're still vulnerable and it'll happen again next week. $5000 + the cost of replacing thermostats when you learn this fact is still more than the cost of replacing the thermostats in the first place.

      But, you did answer my question. Idiots will pay it.

      It's not like your irreplaceable (because who has proper backups) files on your computer, which is how they're able to demand $5000 to unlock a $600 computer. Your favorite recipes won't be lost when your oven gets hacked, you just replace the $2000 oven with a cheaper model that isn't vulnerable, rather than paying the $5000, and you're protected in the future and you've saved a few grand over paying off the criminals.

      Likewise with a car. They want $5000? A used model that isn't vulnerable can be had for less.

      It works on computers because you can't get your kid's birthday party photos back if you don't pay. It doesn't work with an oven or a car -- or a thermostat -- that you can replace without losing anything more than (maybe) a couple of features; and you can remove power in the interim in order to prevent the disasters you mention.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

    5. Re:Who the f*** would pay this? by MyLongNickName · · Score: 1

      Untrue. A quick search finds I can go lower than $20 for a simple model. This one is $15, and several other models were under $20.

      http://www.homedepot.com/p/Lux...

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year

    6. Re:Who the f*** would pay this? by pr0fessor · · Score: 1

      You have never been to Home Depot; they start around $10 for a non-digital thermostat and go up...

    7. Re:Who the f*** would pay this? by pla · · Score: 5, Insightful

      Not sure how an oven - Or a refrigerator - Or anything else, for that matter, involves a substantially different solution:

      The IoT is a bad idea, period. I don't need any appliance in my house to have internet access, and will actively go out of my way to make damned sure they don't.

      And before someone says "eventually you won't have any choice" - Of course we will. We might pay a bit extra for the "marine" or "remote cabin" version, but as long as someone has a use case requiring offline use, that will remain an option.

    8. Re:Who the f*** would pay this? by cfalcon · · Score: 1

      Ok, but repeat this physical replacement drama for pieces of the stove, the fridge, the internals of the AC once some jackass decides it needs to be firmware updatable from factory, the TV, the front and back doors, the garage door, the stereo, the toilets, and the shower.

      There's always a way to fix a problem. This article *should* make you ask the question- do you want to inject more problem-vectors into everyone's life?

    9. Re:Who the f*** would pay this? by jeffmflanagan · · Score: 1

      >Also, larger deployments will be more inclined to pay, e.g. for a company a $5000 ransom may be cheaper than having to replace all 200 thermostats in its various rooms.

      Only if they're short-sighted fools. The insecure devices have to be updated or replaced. Paying the ransom will not secure the thermostats against tomorrow's attack. They need the manufacturer to replace the firmware to fix the lockout and secure against future attacks, or to replace them with a better brand.

    10. Re:Who the f*** would pay this? by drinkypoo · · Score: 1

      And before someone says "eventually you won't have any choice" - Of course we will. We might pay a bit extra for the "marine" or "remote cabin" version, but as long as someone has a use case requiring offline use, that will remain an option.

      Eventually, the power company will want the right to turn your appliances on and off remotely to handle demand whether you like it or not, and there might well be legislation to make it illegal to hook equipment without remote control up to the grid.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    11. Re:Who the f*** would pay this? by pla · · Score: 1

      Oh, make no mistake, I "get" the benefit of having my home HVAC controllable remotely - Why should I need to wait fifteen minutes after getting home for the house to reach a comfortable temperature when I could remotely tell it when I leave work, and it will know exactly when to turn on for my maximum comfort?

      That said, until someone can convince me otherwise, I consider the risks as massively outweighing any potential benefits.

    12. Re:Who the f*** would pay this? by pla · · Score: 1

      Eventually, the power company will want the right to turn your appliances on and off remotely to handle demand whether you like it or not, and there might well be legislation to make it illegal to hook equipment without remote control up to the grid.

      Oddly, I agree with you to the extent that I see exactly that as a much more unavoidable risk than random hackers.

      Fortunately, the utility companies have less than 20 years left before solar (or more accurately, storage, since PV itself has already gotten "good enough") makes them about as relevant as buggy whips.

      Sure, I'd rather have a grid tie to fall back on - But the day they start telling me how I can use the power I pay for, I won't hesitate to cut that last cord.

    13. Re:Who the f*** would pay this? by Bob+the+Super+Hamste · · Score: 1

      Looks like no more than about $70 because otherwise I will just pound a slotted screwdriver into the lock and attach a pair of vice grips to the screwdriver and shear the pins in the tumbler. Then again I wouldn't buy a smart lock either.

      --
      Time to offend someone
    14. Re:Who the f*** would pay this? by naughtynaughty · · Score: 1

      Paying a ransom without fixing the vulnerability is not going to be cheaper.

      So you pay to fix the problem and ignore the hacker's demands.

    15. Re:Who the f*** would pay this? by BronsCon · · Score: 1

      This article *should* make you ask the question- do you want to inject more problem-vectors into everyone's life?

      Okay, so we're in agreement and you just don't see it.

      The whole premise of my comment was to replace the hacked item with one which could not be hacked (e.g. a "dumb" model). Or, more to the point, don't install the hackable "smart" version in the first place.

      Do you see it now?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    16. Re:Who the f*** would pay this? by naughtynaughty · · Score: 1

      I would pay the $75 it costs to get a locksmith to come over and spend 5 minutes opening my lock. Plus the cost of the locksmith removing the smart locks and putting some locks that aren't going to cost me future calls to the locksmith.

      After all, I'm going to have to have the locks replaced anyway so no sense paying a ransom AND paying a locksmith vs just paying the locksmith.

      I can sit in my car with the heater running while I'm waiting in the cold weather for the locksmith to show up.

      Or worst case, I'll bust a $100 pane of glass to get it and pay for a locksmith and the cost of repairing the window.

      Pay me a ransom because you'll die if you don't get in your house and I'll just keep bleeding you for more payments until you either freeze to death or you run out of money or run out of stupid.

    17. Re:Who the f*** would pay this? by sjames · · Score: 1

      It's the dead of winter at home, but you are vacationing on the sunny beach of some island nation somewhere for the next 2 weeks. You get the ransom notice, do you cancel the vacation and eat all the pre-paid costs as well as pay for the expensive I-need-to-fly-NOW flight home to install that $20 thermostat from Home Depot, or do you pay the ransom?

    18. Re:Who the f*** would pay this? by BronsCon · · Score: 1

      I suppose I'd ask my trusted friend, who has a key to my home and has agreed to keep an eye on things for me while I'm gone, pop in and replace the thermostat for me. Don't you have friends?

      Of course, that assumes they'd have my email address and not just display the ransom notice on the thermostat itself. Know what's funny about your hypothetical situation? They display the ransom notice on the device itself. I guess I'd just come home to find... well, I live in California, so I'd find that everything was fine, no burst pipes or such, and I need to replace my thermostat. Someone living elsewhere might find that they have a bit more damage done to their home, but it's not like they could have done anything about it in the first place, the ransom notice was displayed on their thermostat, not sent to their email, so they didn't see it until they got back.

      Sometimes it's worthwhile to actually read the article before posting.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    19. Re:Who the f*** would pay this? by HiThere · · Score: 1

      It *could* be done in a reasonably safe manner. It just isn't being done that way. Ideally the devices would only communicate over 192.0.0.n, and any communication relaying would be done over your computer...and if you turned off your computer, it would only be local. And any messages going out should be encrypted, as should the responses, with a key that is shared between your device (by serial number) and the company that it needs to communicate with (which adds another chunk of numbers). You don't need strong security, just one that is unique to each device, and only allows two failed attempts before it starts requiring increased delays between logon attempts.

      All that is purely standard security. That it isn't being done should make the manufacturers liable for negligence. And, unfortunately, it should make anyone knowledgeable refuse to use them. Of course, they don't reveal the information before you buy the device, and probably not afterwards, either. Certainly I haven't gotten any warnings about my monitor (which might not be IoT) or my printer (which, unfortunately, is...I didn't find out until after I'd purchased it that it required access to more than my local net).

      If anyone has recommendations for multi-function networkable printers that work with Linux and don't require access to anything beyond 198.0.0.n I'd like to hear them.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
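The design HiThere sketches in the comment above (LAN-only control, a secret unique to each device identified by serial number, and two free failures before the device starts imposing growing delays) is concrete enough to write down. The following is an added example, not code from the thread, from Pen Test Partners or from any thermostat vendor. It assumes the local range is the private 192.168.0.0/16 network, that the per-device key is a 256-bit HMAC secret shared only with the vendor's service, and that the delay doubles with each failure past the second and is capped at an hour; the names `DeviceAuth`, `provision`, `tag` and `verify` are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

# Assumptions (not from the thread): the device only honours commands from
# this LAN range, two failed attempts are free, and each further failure
# doubles the wait before the device will look at another attempt.
LAN = ipaddress.ip_network("192.168.0.0/16")
FREE_FAILURES = 2
BASE_DELAY_S = 1.0
MAX_DELAY_S = 3600.0


class DeviceAuth:
    """Authenticates control commands for devices identified by serial number."""

    def __init__(self, clock=time.monotonic):
        self._keys = {}     # serial -> per-device secret, shared only with the vendor service
        self._fail = {}     # serial -> (consecutive failures, earliest time of next attempt)
        self._seen = set()  # (serial, nonce) pairs already accepted, to refuse replays
        self._clock = clock

    def provision(self, serial):
        """Generate a unique 256-bit key for one device at manufacture time."""
        key = secrets.token_bytes(32)
        self._keys[serial] = key
        return key

    @staticmethod
    def tag(key, serial, nonce, command):
        """HMAC-SHA256 over serial, nonce and command; the sender attaches this to the command."""
        msg = b"|".join([serial.encode(), nonce, command.encode()])
        return hmac.new(key, msg, hashlib.sha256).digest()

    def verify(self, peer_ip, serial, nonce, command, tag):
        """Return "ok" if the command may be executed, otherwise a short reason."""
        if ipaddress.ip_address(peer_ip) not in LAN:
            return "refused: not a local peer"

        now = self._clock()
        count, not_before = self._fail.get(serial, (0, 0.0))
        if now < not_before:
            # Throttled: the credentials are not even checked, so the wait cannot be skipped
            return f"locked: retry in {not_before - now:.0f}s"

        key = self._keys.get(serial)
        genuine = key is not None and hmac.compare_digest(
            self.tag(key, serial, nonce, command), tag)

        if genuine:
            if (serial, nonce) in self._seen:
                return "refused: replayed nonce"
            self._seen.add((serial, nonce))
            self._fail.pop(serial, None)  # success resets the failure counter
            return "ok"

        count += 1
        if count <= FREE_FAILURES:
            delay = 0.0
        else:
            delay = min(BASE_DELAY_S * 2 ** (count - FREE_FAILURES - 1), MAX_DELAY_S)
        self._fail[serial] = (count, now + delay)
        return "bad credentials"
```

Two details matter in practice: the throttle check runs before the credential check, so a guesser cannot shorten the wait by sending more traffic, and a correct credential inside the lockout window is still refused rather than quietly accepted. Because each device has its own key, a secret pulled out of one thermostat does not let an attacker talk to any other.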
    20. Re:Who the f*** would pay this? by BronsCon · · Score: 1

      No, utility companies give some significant discounts for you to install heat/AC cutoff devices they control, completely separate from your thermostat. If you consider a one-time payment of $50 to be significant. Yes, it's an easy choice.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    21. Re:Who the f*** would pay this? by Ungrounded+Lightning · · Score: 1

      And before someone says "eventually you won't have any choice" - Of course we will. We might pay a bit extra for the "marine" or "remote cabin" version, ...

      In some parts of California you no longer have a choice to not have a computer in your water heater, and will have to put in a computerized one when your current one fails. (Probably within a decade if you don't replace the sacrificial anode(s) every six years or less.)
        - You can only put in an extremely energy-efficient model.
        - These models achieve energy efficiency by using a spark igniter rather than a pilot light, and by closing an exhaust vent valve to block convection when the burner is off. They also have sensors to prevent ignition in the presence of flammable fumes (so you don't blow up your garage if you have gasoline fumes or a gas leak).
        - Controlling and interlocking these features is complex enough, and automation chips are cheap enough, that it's cheaper to use a computer than special-purpose logic. So ALL the available ultra-efficiency models have computers.
        - (Fortunately, as of this spring, the radio network interface on the brand I wanted (Rheem) was still an extra-cost optional board, rather than being built into the system-on-a-chip.)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    22. Re:Who the f*** would pay this? by bluegutang · · Score: 1

      Even if you can't buy the offline version at Best Buy, it will be on Amazon and AliExpress.

  3. Governments will love this by operagost · · Score: 1

    They'll be the first in line to use this kind of software-- forget the scammers. I can definitely picture places like Venezuela claiming they need to control your HVAC for the common good, when the problem is that there is an artificial scarcity due to their own incompetence. The Western Europeans will be next, and the USA not far behind.

    I was going to say HK would be the first, but I honestly don't know if they have the technical knowledge to do this, and their people all live in government-owned housing already anyway.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
    1. Re:Governments will love this by tripleevenfall · · Score: 3, Interesting

      It's not difficult to imagine California deciding they need the ability to throttle your AC to combat brownouts/global warming/whatever

    2. Re:Governments will love this by pr0fessor · · Score: 2

      It's opt-in and it's supposed to help costs and availability during peak hours... They even have those programs in the Midwest.

    3. Re:Governments will love this by Opportunist · · Score: 2

      Governments will love this for a completely different reason. When "hackers" start to bother normal people, normal people will ask for laws that stop this. And they'll get the laws. Not that they stop anything, but you know how it is, once a law is passed, it stays.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Governments will love this by Cro+Magnon · · Score: 1

      Yup! I live in the Midwest. On one of the blazing hot days we had, I had to take off early to deal with something, and came home to a hot house and a thermostat blinking "Saving".

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    5. Re:Governments will love this by pr0fessor · · Score: 1

      My retired neighbor opted in and opted out as soon as he realized it was supposed to save by turning it off when they thought most people would be at work.

  4. IoT strikes again by smooth+wombat · · Score: 1

    The more IoT crap gets thrown out there the more we'll hear about this nonsense. In our mad rush to digitize everything, to make it "convenient", to show how 1337 we can be we've forgotten the virtue of simplicity.

    You know why light switches are still analog? Because they work. Every time. No having to look at an app and muck about, no trying to get a signal, no being dependent upon someone else to provide connectivity. Finger. Switch. It's that simple.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re: IoT strikes again by fyngyrz · · Score: 1

      Most light switches are digital. On or off. The correct term is "mechanical."

      --
      I've fallen off your lawn, and I can't get up.
    2. Re: IoT strikes again by drinkypoo · · Score: 1

      Something is mechanical if it uses potential and kinetic energy of the mechanical system.

      It's not electrical, because electricity doesn't power the switch. You do. Hence, it's mechanical. It's not electromechanical, because that's the opposite; a switch is a mechanical device which controls electricity, whereas electromechanical means using electricity to control mechanics.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re: IoT strikes again by Bob+the+Super+Hamste · · Score: 1
      --
      Time to offend someone
    4. Re: IoT strikes again by fyngyrz · · Score: 1

      ...I didn't say they were. :)

      --
      I've fallen off your lawn, and I can't get up.
  5. From consumers to products by wcrowe · · Score: 4, Insightful

    This is why I don't understand the rush to have all these IOT devices in the house. I have a couple, but they are isolated, and if they were hacked I could still function without them. There seems to be a rush to have everything, from the washing machine, to the microwave, to the toaster hooked to the internet, and there seems to be even a push to build these devices so that they do not function without an internet connection. I used to be baffled as to why consumers would even want such things. But, of course, it is not the consumers who want all this IOT, but the vendors who sell the devices and the services, trying to turn us into the product.

    --
    Proverbs 21:19
    1. Re:From consumers to products by Anonymous Coward · · Score: 1

      It is also marketing, marketing, marketing. People see a commercial about how convenient it would be to activate XYZ remotely and then they buy it, just like every other unnecessary kitchen gadget that replaces a knife and cutting board. It's only $20 more with IOT features, she says, let's buy the "best". Little does the customer know it's a cheaper $20 toaster with WiFi being sold for $60, next to the actual $40 toaster. IOT is a way to sell inferior products for massively more money than they are worth because the IOT feature is being bought and not the core function. It is ingenious marketing and has little to do with data harvesting (for now). It is a symptom of people with "too much money" (or people not saving money as they should) and that do too little research.

      AFTER the purchase they realize that between setting up the device, troubleshooting, and using it one time, that it is actually not any easier to use your smart phone to turn on your toaster. And that amazing use-case they showed on TV only occurs once every six months and then you forget about it because you use it so infrequently. Then the app stops working 2 years later and the adapter/hub/etc. is no longer supported and it is worthless for IOT features unless you want to run a second/third set of IOT hubs and devices.

    2. Re:From consumers to products by Opportunist · · Score: 1

      Because there's not really any other selling angle to household appliances. Those damn things last way too long. It's not like with your TV where you want to get a new one every other year so you can see the wrinkles in your favorite porn star's face or ass in higher resolution or the constant format change in content carrying media that keeps you buying a new player. A fridge pretty much lasts, well, nearly forever. And you don't replace it until it is simply and plainly broken.

      We need something to make you want the new gadget! And that's why you need the IoT. Ok, you don't. The vendor does. But you're supposed to buy it!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:From consumers to products by Anonymous Coward · · Score: 4, Interesting

      A lot of people are glossing over that the newer models with IoT thermostats have much more complicated control systems because the compressor and fan have different power settings. Thus, the signal-to-activation connection is no longer a binary controller that can be hot wired.

      We live near but not in Washington D.C. When we installed new HVAC units we had the option of taking a wireless or regular thermostat, to which I elected "very strongly" to have the regular one or else I would cut the antennas out. The HVAC guy looked up with any amount of shock and said that the last two installs he did the people said the same thing. One was at the CIA and the other at the FBI (according to the HVAC guy. I'm in the DoD).

      Most people just see the functionality, not the risk. No one understands the risk until it becomes a reality. I have tried multiple times to get people to understand this and they refuse. Setting up a computer is no different for the layman---they fiddle with it until it works and stop as soon as it does. Doesn't matter that the firewall is fully open now and sharing is on. It works, and that's all that counts. I'd wager the same goes with IoT. It's about what can be done, not what might happen that you didn't expect.

    4. Re:From consumers to products by AthanasiusKircher · · Score: 1

      I used to be baffled as to why consumers would even want such things. But, of course, it is not the consumers who want all this IOT, but the vendors who sell the devices and the services, trying to turn us into the product.

      I agree that I can't understand the desire for many IoT devices, but internet control for a thermostat does make a certain amount of sense, particularly for those who are frequently out of town or take long vacations. In those cases, getting an alert that your thermostat is no longer responding correctly could make the difference between realizing your heat or A/C is busted immediately vs. dealing with potentially tens of thousands of dollars in water damage (from frozen pipes in winter), mold damage, or whatever when you get home a week or more later. And there are lots of less dire situations where someone who takes frequent trips might benefit from being able to make adjustments remotely. (And even if you don't travel, if you set back your thermostat during the day, this could be a convenient feature to have if you plan to come home a little earlier than expected and want your house warmer or cooler when you get there, etc.)

      Anyhow, obviously such things need adequate security, and they should never REQUIRE an internet connection to function correctly. But at least in the case of thermostats, I can imagine quite a few cases where consumers might actually like the connectivity as an option.

    5. Re:From consumers to products by sjames · · Score: 1

      It is all marketing crap. I can't think of a reason I want any of my appliances talking to anything outside of my LAN, ever.

      In the unlikely event I might want to talk to my appliances when I'm not right there, I would rather talk to a well updated server over the net and let it talk to the appliances. Sadly, that is what they make impossible by insisting on proprietary protocols and certs signed by them. So, that leaves the default of no networked anything.

      At least I won't get hacked by the Cylons :-)

    6. Re:From consumers to products by skam240 · · Score: 1

      Who watches porn on their TV nowadays? What is this, the 80's?

      --
      I ignore Anonymous Coward posts. If you want to discuss something, that's awesome. Log in.
  6. I actually prefer it hackable by omnichad · · Score: 3, Interesting

    Sure, there are malicious cases for this. But most IoT devices like smart thermostats are a bit too dumbed down and don't even operate correctly without an external Internet connection. Their broken security is about the only way to get a proper level of functionality.

    1. Re:I actually prefer it hackable by samwichse · · Score: 1

      Nest will work just fine with no internet connection.

    2. Re:I actually prefer it hackable by Megane · · Score: 1

      I've got two in different houses. I'm moving out of one of those houses, and the thermostat will come with me, even if I don't have a place for it right away. They also support a JSON local control protocol, so they won't be bricks if/when the cloud service dies.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  7. Re:Bitcoin by sirber · · Score: 4, Funny

    You can send me 1 bitcoin to get a +1 score

    --
    Be or ben't
  8. Re: Bitcoin by fyngyrz · · Score: 2

    You forgot "cloud."

    --
    I've fallen off your lawn, and I can't get up.
  9. Emergency service call costs by Overzeetop · · Score: 3, Insightful

    Do you have any idea what a licensed installer charges for an emergency visit on a Sunday morning? That $25 thermostat is $50 because you don't get to buy the one that's on sale at Home Depot, and the cost to knock on your door is going to be close to $150, and then the rate ticks forward at $100/hr. And at the end of your $300 emergency service call, you'll be left with a dumb thermostat and a $200 paperweight.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Emergency service call costs by Waffle+Iron · · Score: 3, Insightful

      In the worst case, they could just unscrew the wires from the thermostat and clip the bare ends together with a clothespin to turn on the furnace. That would at least keep the pipes from freezing and cost $0.

    2. Re:Emergency service call costs by Frosty+Piss · · Score: 1

      In the worst case, they could just unscrew the wires from the thermostat and clip the bare ends together with a clothespin to turn on the furnace. That would at least keep the pipes from freezing and cost $0.

      "Smart" thermostats often communicate with the furnace / cooling via a cat-6 or some other type of communications cable, they are rarely just a switch. On the other hand, you can often buy them at Home Depot / Lowes, and just install a new one yourself and then maybe reset the old one to factory.

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:Emergency service call costs by Lord+Apathy · · Score: 1

      I doubt that most people could do that. To a lot of people something as simple as a thermostat might as well be magic.

      --

      Supporting World Peace Through Nuclear Pacification

    4. Re:Emergency service call costs by Anonymous Coward · · Score: 3, Insightful

      >"Smart" thermostats often communicate with the furnace / cooling via a cat-6 or some other type of communications cable

      No, these smart thermostats are simple replacements, not something requiring a computerized furnace.

    5. Re:Emergency service call costs by Frosty+Piss · · Score: 1

      Consumer HVAC systems are not intelligent.

      Modern, as in "new", ones certainly are, and the communication with the "switch" is today more often than not just a little tiny bit more than On/Off ...

      --
      If you want news from today, you have to come back tomorrow.
    6. Re: Emergency service call costs by WarJolt · · Score: 5, Insightful

      Somehow I feel like in order to graduate from high school one requirement should be to realize thermostats aren't magic. Too bad we can't revoke HS diplomas. Many Americans don't know cell phones work using radios. It's a bit troubling that a 30 minute electricity experiment performed at an elementary school level can provide the necessary insight into the operations of a thermostat and yet most Americans can't figure this shit out.

    7. Re:Emergency service call costs by Anonymous Coward · · Score: 1

      "Smart" thermostats often communicate with the furnace / cooling via a cat-6 or some other type of communications cable, they are rarely just a switch.

      They are almost always just a switch.

      Actually a bunch of switches. For example, in my house, I have one for turning on the furnace blower, one for turning on the AC, and one for turning on the heat. There's a 24V common (or multiple 24V lines), which comes in, and is routed to the blower, AC or heat to turn them on.

      Practically, it's either blower + heat or blower + AC for most things, depending on if I'm heating or cooling.

      The only reason why CAT5 is used is because it's cheap and it gives multiple wires to play with. Practically, most systems are probably using only 4 or 5 of the wires. Telephone wiring (2 pairs) is also used in older systems.

      Your smart thermostat does not know what the HVAC system is doing. It can only tell a system to turn on or off, and monitor its environment.

    8. Re: Emergency service call costs by UnknownSoldier · · Score: 2

      Part of the problem is that people have more money than time.

      They would rather remain ignorant and pay someone else to solve the problem.

    9. Re:Emergency service call costs by guruevi · · Score: 1

      Never seen one like that and I own and have researched many 'smart' thermostats. Mine and most IoT devices also don't just sit exposed to the Internet, not sure why anyone would spend a public IP (because those things sure as hell don't do IPv6) on a thermostat.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    10. Re: Emergency service call costs by AthanasiusKircher · · Score: 1

      Somehow I feel like in order to graduate from high school one requirement should be to realize thermostats aren't magic. Too bad we can't revoke HS diplomas.

      I still remember the reactions I got when I told people I replaced the basic thermostat model I had in a house when I moved in with a basic programmable model that I could setback during the day or at night for energy savings, etc.

      Many people I know -- a lot of them with graduate degrees -- looked at me like I had told them I just built my own car after smelting and processing the metal from raw ore I had dug out of a mine myself. I'm frankly astounded at how few people have ANY knowledge of basic electrical stuff. Swapping out a bad switch or an old ceiling fan or whatever is really basic stuff (as long as you follow truly basic safety measures), but for some reason everyone acts like this is rocket science... or at least way too difficult and dangerous for anyone except a "licensed electrician" to attempt.

      Anyhow, whenever I think of thermostats and the public, I always remember my grandmother, who had grown up in the days before air conditioning was at all widespread. But she had central air installed when she was older and to the day she died, she could not comprehend that turning the dial to a LOWER number meant that the air conditioning effect would increase. She was stuck on this idea that a thermostat was just some sort of arbitrary numbers where higher meant "more" or something. And, frankly, she was a pretty smart person otherwise... she just couldn't get that.

      I don't know what it is about thermostats that people just are incapable of understanding. Most people seem to think that by turning the numbers much higher or lower that the system will "work harder" (even though that's only true in a minority of setups, and only under certain conditions). Even fewer people understand the impact of humidity on comfort perception and realize how to make thermostat adjustments accordingly.

      I agree -- this should be taught in schools.

    11. Re: Emergency service call costs by HiThere · · Score: 1

      Yes, that should be taught in schools.

      Unfortunately, knowing that doesn't really solve the problem. Different control systems take different voltages. (In the discussion above I've seen explicit mention of 9 V and 24 V. Presumably both were DC, but that's not guaranteed.) And different devices have different control signals.

      If your thermostat was retrofitted onto an old system, you've got a simple job. If you're using some system a manufacturer put together to work as a system, he's got a positive incentive to make it unable to take a simple replacement. So expect that it won't. And there's no requirement that he should make the internal communications documentation available to you, so you can't count on being able to hack together a replacement.

      Now if you're knowledgeable, you might be able to figure it out (they aren't really obfuscating things yet), but if you're knowledgeable, why in the world would you buy into such a thing in the first place? Were I doing it (I'm not going to. I see no real benefit in IOT thermostats.) I'd probably use a Raspberry Pi or some such and hack together a system attached to a real computer (i.e., one with a keyboard and monitor) and allow THAT access to the internet over a protocol that I wrote. But I don't like fiddling around with hardware, and I see no real benefit in the IoT devices. I intend to avoid them as long as I can. (But I do already have a printer that I can't block off from internet access without disabling an automatic ink purchase program. I think this was a bad idea, but my wife likes not needing to go out to buy ink.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    12. Re:Emergency service call costs by BronsCon · · Score: 1

      And you're still ahead. A single bitcoin is nearly double that at the moment.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    13. Re: Emergency service call costs by BlytheBowman · · Score: 1

      I would rather have a "dumb" furnace I could connect just about any kind of thermostat to, whether it's a 1950s era entirely mechanical unit, or an 80s/90s era digital thermostat, or even a "smart" thermostat which electrically operates as a regular thermostat and does not use proprietary bullshit to try and lock you in to any one product. If it does get hacked, and is doing something real dangerous, I could break it off the wall if I have to in a pinch, do some minor repair to the drywall, and reinstall the old thermostat.

    14. Re: Emergency service call costs by mcswell · · Score: 1

      We should trade. You can have my old thermostat, and I'll take yours. Except it's too late: I got tired of setting the smart (but not networked) thermostat: every day of the week was at least four (IIRC) separate settings (morning/ evening, summer/ winter), and half the time when I got through all of them, the setting didn't "stick." So I took the smart thermostats (one upstairs, one down) off the wall and replaced them with dumb thermostats from Home Box (name changed to protect the guilty). Two settings each (summer/ winter) and I'm done.

    15. Re:Emergency service call costs by mcswell · · Score: 1

      Three to five amps? For what? This is a relay controller, not a motor starter. Low voltage, and afaik low amperage. I don't think those itty bitty wires that the thermostat is wired to would handle that many watts (24 volts * 3-5 amps).

    16. Re:Emergency service call costs by arglebargle_xiv · · Score: 1

      Actually a bunch of switches. For example, in my house, I have one for turning on the furnace blower, one for turning on the AC, and one for turning on the heat. There's a 24V common (or multiple 24V lines), which comes in, and is routed to the blower, AC or heat to turn them on.

      Sounds horribly complicated. I just have a cord pull to summon the boy to deal with the fire, and another to summon the girl to top up the drinks. They connect to a bell that rings in their quarters or something. Not really sure how it all works, they just come when we need them.

  10. IoT is nothing without user control by HBI · · Score: 1

    I shove anything like this on a DMZ with limited access. If it doesn't work without unfettered access to the Internet, I return it. Then again, I consider all devices untrusted unless I have complete control, including the ability to flash them to an arbitrary firmware.

    The IoT isn't going to make much progress with me.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:IoT is nothing without user control by stabiesoft · · Score: 1

      Except in this case, the hack requires you to insert an SD card into the thermostat. So DMZ or no, you could be hacked. Although given you have a DMZ, I seriously doubt you'd be tricked into sticking some unknown SD card into the unit. Basically the article is hype. It is not an exploit if I have to load something into my thermostat. Who would even bother? A phone sure, but a thermostat????

    2. Re:IoT is nothing without user control by naughtynaughty · · Score: 1

      I don't think DMZ means what you think it means.

      You want it behind a firewall that tightly controls what can talk to it and what can talk to it.

    3. Re:IoT is nothing without user control by HBI · · Score: 1

      I think you made a "who" a "what". And I understand entirely what a DMZ is. It's exactly where a device like this belongs, with carefully defined ability to communicate with particular hosts - and assuredly with no inbound access to the internal network. If you can't clearly define what communications it needs, it's getting removed from the network.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  11. Re:Yes, you can unscrew, but ... by Anonymous Coward · · Score: 1

    or wait for the thermostat to be in holiday mode and then go rob the place.

  12. Hackers chatge Alphaben I.O.T. = FUcking Nightmare by burni2 · · Score: 1

    I F
    O U
    T N

  13. Re: Bitcoin by slashrio · · Score: 2

    No he didn't. Bitcoin and tor work against vested interests and therefore 'need' to be outlawed. The Cloud doesn't.

    --
    "Trump!!", the new Godwin.
  14. Bullshit, never going to happen by kheldan · · Score: 3, Insightful

    One day, your thermostat will get hacked by some cybercriminal

    No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:Bullshit, never going to happen by geekmux · · Score: 1

      One day, your thermostat will get hacked by some cybercriminal

      No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.

      Vendor Marketeers: "There's not a single good reason our products should be offline!"

      Good luck fighting it.

    2. Re:Bullshit, never going to happen by kheldan · · Score: 1

      There will ALWAYS be a market for simple, functional, inexpensive products. If not, I'll fucking build it myself. A thermostat is not complicated. Now quit with the retarded trolling.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    3. Re:Bullshit, never going to happen by b0bby · · Score: 1

      there's not a single damned good reason why these NEED to be connected to the Internet.

      Need is a stretch, but there are some compelling uses for an internet connected thermostat. I'm thinking second home, where you want to be able to adjust the thermostat remotely, after your short term renters leave. Sure, it's not imperative, but the positives outweigh the (so far) theoretical negatives. I have an ecobee, and being able to set it to vacation when I'm already an hour away is pretty nice. If it gets hacked, I'll unplug it. Meantime, it has a remote temp sensor so my upstairs temperature is much better than my old thermostat, which was the real reason I got it.

    4. Re:Bullshit, never going to happen by naughtynaughty · · Score: 1

      One day, your thermostat will get hacked by some cybercriminal

      No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.

      Unless the only things you have hooked to your TV are an antenna and a DVD player the chances are it already is connected to the Internet or whatever you are using to view videos is connected. There are great reasons to connect a TV to the internet, watching all the content you can get from the internet.

      A smart dishwasher might be sending sensor information to the manufacturer where early signs of failure can be identified and you alerted prior to the dishwasher failing.

      A microwave oven might have a voice interactive control system and the voice recognition is done in the cloud.

      Your dryer might communicate with the power company who gives you a discounted rate if they are allowed to shut it off for short intervals to minimize peak power draw.

      Your washing machine might get updated with new, better washing algorithms or send information about how well wash cycles are working back to the manufacturer so they can get your clothes cleaner or as clean in less time.

      I suppose there isn't a single damn reason why you need to connect to Slashdot and leave comments. But you enjoy it so have at it. Other people might enjoy talking to their microwave while you want to turn a dial and press start. Different strokes for different folks.

    5. Re:Bullshit, never going to happen by Megane · · Score: 1

      It can also let you know when a house in another city is having HVAC trouble. But there's still no need for it to be exposed to the live internet, when it can simply poll a cloud service every few minutes for updates.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    6. Re:Bullshit, never going to happen by naughtynaughty · · Score: 1

      A simple thermostat certainly isn't complicated. But it is very expensive to have a simple thermostat in many areas of the country.

      Add a tiny bit of smarts like changing the setpoints based on the time of day and day of the week and you can save thousands of dollars a year in areas of the country where time of day electric rates make off peak electricity 1/4th the cost of on peak electricity.

      Even smarter thermostats let me tell my thermostat remotely at a vacation home that I'm coming for the weekend and to please switch from away mode to present mode.

      Much smarter thermostats let utilities even out peak demand by keeping everyone's AC from running at the same time.

      But you are always free to buy the $10 model at Home Depot if it meets your needs or build your own.

    7. Re:Bullshit, never going to happen by knorthern+knight · · Score: 1

      > Add a tiny bit of smarts like changing the setpoints based on the time of day and day of
      > the week and you can save thousands of dollars a year in areas of the country where
      > time of day electric rates make off peak electricity 1/4th the cost of on peak electricity.

      *A PROGRAMMABLE DIGITAL THERMOSTAT DOES NOT NEED TO BE INTERNET CONNECTED*

      > Even smarter thermostats let me tell my thermostat remotely at a vacation home that
      > I'm coming for the weekend and to please switch from away mode to present mode.

      If you can connect over the internet, so can the bad guys. If you want to risk a major security breach at your place for the convenience of not having to wait 2 hours for the temperature to get comfortable, your priorities are ass backwards.

      --
      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    8. Re:Bullshit, never going to happen by knorthern+knight · · Score: 1

      > Unless the only things you have hooked to your TV are an antenna and a
      > DVD player the chances are it already is connected to the Internet or
      > whatever you are using to view videos is connected. There are great reasons to
      > connect a TV to the internet, watching all the content you can get from the internet.

      I prefer to connect an HDMI cable from my computer, which I know is updated/firewalled properly. BTW, a 30-foot HDMI cable is only 30 dollars Canadian at Home Depot http://www.primecables.com/p-3...

      > A smart dishwasher might be sending sensor information to the manufacturer where
      > early signs of failure can be identified and you alerted prior to the dishwasher failing.

      Beyond stupid. Howsabout a "trouble light" like in your car? Again, it's absolutely unnecessary for packets to traverse the internet for that to happen.

      > A microwave oven might have a voice interactive control
      > system and the voice recognition is done in the cloud.

      Beyond beyond stupid.

      > Your dryer might communicate with the power company who gives you a discounted
      > rate if they are allowed to shut it off for short intervals to minimize peak power draw.

      Or like, you know, do your laundry, etc, on weekends or after 7:00 PM weekdays to take advantage of "Time-of-Use Pricing" http://www.ontario-hydro.com/c...

      --
      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    9. Re:Bullshit, never going to happen by wyHunter · · Score: 1

      Indeed, it means you have to buy the highest quality, most reliable things you can find NOW and plan never to replace them if you possibly can. It isn't easy. But I'm with you.

    10. Re:Bullshit, never going to happen by wyHunter · · Score: 1

      I hear what you are saying but... 1. I don't have a television. 2. I'd rather have my dishwasher output a code to its panel. 3. I can't imagine not just hitting '1 minute' or 'dinner plate' button on my microwave BUT I can see a use for this if the individual is handicapped. 4. The dryer has a point but on the other hand, I'd just as soon not dry clothes during peak times, leaving them to dry at night or something. This is truly my preference, but I live quite a nice life WITHOUT IoT stuff and, frankly, can't imagine ever wanting IoT things.

  15. Lol, oh my by JustAnotherOldGuy · · Score: 1

    Oh, Internet-of-Endlessly-Exploitable-Things, ah love yew! (heart emoji x 1000)

    Every day a new exploit, it's like an all-you-can-eat buffet of terrible shit, served fresh and piping hot.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  16. embedded need to have os updates that are on their own by Joe_Dragon · · Score: 2

    Embedded stuff needs to have OS updates that are on their own and come out faster than the app update.

    At least some embedded stuff is ARM with cut-down Linux-based OSes. But others are full PCs running a big Linux install or even Windows with a custom app on top of it. And with them, a lot of the time you need to wait for the app part to be updated before the underlying OS gets fixed, even for just OS security fixes, as the updates just come as full install images.

    Some embedded systems have SD cards that can have their OS hacked, and the hack can stay on the system even after power off. Unlike others where it's flashed with a small NVRAM area that just holds settings / logs.

  17. Re:Add a switch.. by JustAnotherOldGuy · · Score: 1

    Why can't these vendors add a $1 switch

    Because it would cost a dollar, a whole fucking dollar, that's why.

    (Actually a switch to enable/disable firmware updates would only cost a few cents, but even that's too much to spend on security.)

    --
    Just cruising through this digital world at 33 1/3 rpm...
  18. Come on America. Think Lawyers ! by Anonymous Coward · · Score: 1

    Well if your home is put at risk or damaged due to poor security on a "Smart" thermostat, surely the first thing a real American will do is call a lawyer. And sue the thermostat company for marketing defective goods!

    All this talk of fixing it yourself is wholly un-American.

    Sue the bastards. That will get them to take security seriously.

    1. Re:Come on America. Think Lawyers ! by Megane · · Score: 1

      It's the "smart" TVs that worry me more. There are a lot more of those out there.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  19. Communication protocol by sjbe · · Score: 4, Informative

    "Smart" thermostats often communicate with the furnace / cooling via a cat-6 or some other type of communications cable, they are rarely just a switch.

    No they do not. Retrofitting a cat6 (overkill) cable to run to the HVAC in an existing house would be prohibitively expensive and/or time consuming. They communicate with the HVAC via the same set of wires a "dumb" thermostat would use and get power over the same cables. They generally communicate with the network via wifi. Nest even kindly color codes everything so that someone who isn't a licensed technician can do the job.

    1. Re:Communication protocol by stabiesoft · · Score: 1

      The Carrier Infinity line uses a derivative of RS-485 to allow two wire communications. How do I know? Because I have a Carrier unit right now that communicates with the outside condenser unit over the original dumb pair of unshielded standard thermostat wires. The outdoor unit is a 2 speed unit, and reports such things as coil temperature and fault codes to the thermostat. A somewhat negative side effect of this is the outdoor unit now needs a power supply which runs all the time to power the interface. If I had 4 wires to the outdoor unit, 2 would have been used for power/gnd and the outdoor unit would not have the separate power supply. The thermostat does not need wifi for operations. If I want it to talk to my phone, I would need to enable the wifi, but I don't have a need for that so I did not enable it.

  20. Consequences by DidgetMaster · · Score: 1

    Until we start treating hackers who maliciously destroy people's lives like we do kidnappers or people who throw rocks through your window, this kind of thing is going to keep getting worse. People treat hacking like a hobby where you can cause thousands or millions of dollars in damage with almost no chance of getting caught and with lackluster penalties if you do.

    1. Re:Consequences by HiThere · · Score: 1

      I hope the outrage makes you feel better, because it serves no other purpose. People tend to discount future rewards and threats. What would make people less likely to do this is more the certainty of getting caught than a severe punishment.

      So how are you willing to improve their "certainty of getting caught"? Are you willing to make all internet communication traceable? Even that wouldn't work, as those who do this will often be in other countries. So even just making all methods of payment traceable wouldn't suffice, but you'll notice that these people usually want to be paid in bitcoins. So if you eliminated untraceable currency, you'd reduce it a lot. Is the game worth the candle to you?

      In London one of the favorite places for pickpockets to work used to be the place where they hanged people for, among other things, being a pickpocket. Threat of punishment doesn't deter people well unless there's a high likelihood of being caught. And if there's a high likelihood you don't need severe punishment. Restitution + damages + a small fine should suffice. Restitution and damages should be generously calculated to benefit the person injured. Fines should be moderate, say twice the court cost + the bill for police services needed. And the perpetrator (i.e., the person/persons found guilty of committing the act) should have the right to challenge the bill for any of the costs involved, though then they would need to pay for the independent auditor unless the bill was found to be in error.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
  21. Online everything? by Lumby · · Score: 1

    Doubt I'd ever connect my thermostat to the internet anyways. If it's really smart it won't need the internet to help it =P Nor will it need my input.

  22. Little benefit to IoT by Shadow+IT+Ninja · · Score: 1

    I've said this before but it needs to be said again. The benefits of a thermostat being an Internet of Things device as opposed to a LAN-only device are minimal. The main benefit to these smarter thermostats is just that you can configure them from a web page. This is easier than the older ones with a tiny LCD screen and a small number of buttons. The thing is that many devices such as printers and broadband routers have embedded web pages that demonstrate how you can handle configuration web pages internally. There is no need to connect outside your LAN for this. Really, the only thing that an IoT design allows on top of this is the ability to change settings from anywhere without having to set up a method to get into your local network such as a VPN server (many broadband routers today include one), a service like GoToMyPC or SSH tunneling. I really doubt that this ability to change thermostat settings from anywhere in the world is that useful to most people. You lose security and privacy. The real point of the IoT design is to allow the external site to collect data about you. They can probably infer when you are home or away and when you are awake or asleep from the thermostat data. Are those costs really worth the benefits?

  23. Just because we can, doesn't mean we should by whitroth · · Score: 1

    My power company called, last year, to offer me one. I told them not under any circumstances.

    mark, who remembers when the 'Net was civilized

  24. honeywell? by mangamaster03 · · Score: 1

    Rabble rabble rabble... Honeywell round thermostat. Twenty bucks, no internet connection, and simple enough even my grandparents can operate it.

  25. Sounds short-sighted to me by damn_registrars · · Score: 1

    If they hold your thermostat ransom for $300, why not just use the $300 to buy a new thermostat and tell the hackers to get lost? I can pick up the Nest Thermostat at my local big box home improvement store today for $249.99; why would I pay more to the hackers?

    Granted, my thermostat cost a lot less than that - and doesn't have the fancy features of the nest - but if I was someone inclined to purchase a thermostat for $300 I don't see why I would pay the same amount to get it back from hackers if I could replace it instead and tell them to take a hike.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Sounds short-sighted to me by DidgetMaster · · Score: 1

      Not only that, when you pay ransom you have no guarantee at all that they will fulfill their promises. They might just take your money and leave you hanging with a dead thermostat. Since they are already the scum of the Earth, why think they would ever give you control back?

    2. Re:Sounds short-sighted to me by samwichse · · Score: 1

      What makes more sense is:

      1) Write an automated hack for some company's thermostats (I'm sure most of these companies have some report home feature that means you could get them all in one once you scoop up their list)
      2) Wait till terrible weather time (January in the US)
      3) Pwn all 500k of the units in people's houses
      4) Set the ransom somewhere low like $5-10
      5) Profit

    3. Re:Sounds short-sighted to me by sjames · · Score: 1

      Most will do just that, and the bad guy loses nothing. A few are away and it would cost them considerably more than $300 to get back and replace the thermostat before the pipes freeze. That's where they get the money.

  26. Re: Bitcoin by gtall · · Score: 2

    Errr....Tor was (and still is) supported by the U.S. Naval Research Laboratory which, last we checked, was under the Office of Naval Research of the U.S. Navy. So Tor is being developed to work against which vested interest exactly? Maybe if you took a fixed point in the right space, you'd get the answer you want to believe, but I doubt it.

  27. IOT *only* makes some sense.... by mark-t · · Score: 1

    ... when you are in control of the device's internet connectivity, and can put it behind a firewall and a private-only IP that will permit outgoing access only, similar to a NAT. If that causes the device to behave badly, then the device is already broken and useless. If you want to control the device from outside of your firewall, you can still do so via a secured system that is behind the firewall that *can* accept incoming connections, where any incoming connection to the other system can go through authorization procedures that are otherwise necessary to remotely connect to that system (such as what you might use for ssh, etc).
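    As an added illustration (not from either poster) of the arrangement HBI and mark-t describe: an nftables ruleset that gives the thermostat segment outbound access to one defined vendor host only, no path into the trusted LAN, and routes remote access through an SSH host on the LAN rather than the device itself. The interface names, subnets, the vendor address 203.0.113.10 and the bastion 192.168.1.10 are hypothetical placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed (hypothetical) layout:
#   iot0  = 192.168.50.0/24  thermostat and other IoT devices
#   lan0  = 192.168.1.0/24   trusted LAN, bastion at 192.168.1.10
#   wan0  = uplink; the router itself serves DNS/DHCP to the IoT segment
flush ruleset

table inet iot_policy {
    set vendor_cloud {
        type ipv4_addr
        # Placeholder; fill from the device's documented endpoints
        elements = { 203.0.113.10 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # IoT -> trusted LAN: never, regardless of port
        iifname "iot0" oifname "lan0" drop

        # IoT -> Internet: only the vendor endpoint over TLS, plus NTP;
        # everything else is logged so unexpected "phone home" traffic shows up
        iifname "iot0" oifname "wan0" ip daddr @vendor_cloud tcp dport 443 accept
        iifname "iot0" oifname "wan0" udp dport 123 accept
        iifname "iot0" oifname "wan0" log prefix "iot-egress-denied: " drop

        # Trusted LAN -> IoT: residents may reach the device's embedded UI
        iifname "lan0" oifname "iot0" accept

        # Trusted LAN -> Internet
        iifname "lan0" oifname "wan0" accept

        # WAN -> bastion only, SSH only (DNAT below); the bastion enforces
        # its own authentication (keys, MFA) before anything reaches the IoT UI
        iifname "wan0" oifname "lan0" ip daddr 192.168.1.10 tcp dport 22 accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Router administration from the trusted LAN only
        iifname "lan0" tcp dport 22 accept

        # Resolver and DHCP for the IoT segment; no other router services exposed to it
        iifname "iot0" udp dport { 53, 67 } accept
    }

    chain prerouting {
        type nat hook prerouting priority -100;
        # Inbound remote access lands on the bastion, never on the thermostat
        iifname "wan0" tcp dport 22 dnat ip to 192.168.1.10
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Load with `nft -f` and watch the `iot-egress-denied:` log entries for a few days; any destination the device legitimately needs will show up there and can be added to the set deliberately.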

  28. Kids today... by Anonymous Coward · · Score: 1

    You call yourself Frosty Piss, and you can't send binary down the line using a 9V battery, some paper clips, and a resistor (to get it down to 5V)? Whatever happened to Slashdot?!

  29. A few hundred dollars? by naughtynaughty · · Score: 1

    Anyone who responds would go on a hacker sucker list.

    What's next, someone is going to hack a lightbulb and demand $100 or threaten to leave it on 24/7?

  30. A few hundred dollars? by EmagGeek · · Score: 1

    A decent new programmable thermostat is $40 at Home Depot. If I had a so-called "smart" thermostat and it got hacked, you can bet I'm neither going to pay the ransom nor replace it with another so-called "smart" thermostat.

  31. Re:Add a switch.. by naughtynaughty · · Score: 1

    8 smoke alarms, 1 smart thermostat, 4 smart locks, 48 smart lightbulbs and someone needs to go flip a switch on each of them every time a firmware update is needed? No thanks.

  32. IoS by GrumpyNope · · Score: 1

    Internet of Shit

  33. All your base by npslider · · Score: 1

    All your baseboard are belong to us!

  34. Re:Add a switch.. by JustAnotherOldGuy · · Score: 1

    8 smoke alarms, 1 smart thermostat, 4 smart locks, 48 smart lightbulbs and someone needs to go flip a switch on each of them every time a firmware update is needed? No thanks.

    I would be glad to flip a switch on each of them every time a firmware update is needed if it kept them from being hacked.

    What's more important, a few minutes of your time once in a while or some fairly bulletproof security?

    --
    Just cruising through this digital world at 33 1/3 rpm...
  35. Re:Yes, you can unscrew, but ... by BronsCon · · Score: 1

    Send the ransom note... where? RTFA, they display the ransom note on the thermostat itself because, well, they don't have your email address.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  36. Re:Bitcoin by fluffernutter · · Score: 1

    And if I give you a +1 score? Oh shoot I've commented now, never mind.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  37. Re: Bitcoin by fyngyrz · · Score: 2

    Yeah, he did. The cloud is the perfect petri dish for fraud, and that's exactly how it's used most of the time, to suck money and/or information out of bewildered users.

    "We'll just keep "your" music and "your" video in the cloud for you"

    uh-huh...

    --
    I've fallen off your lawn, and I can't get up.
  38. Ran into something similar with water heaters. by Ungrounded+Lightning · · Score: 1

    Actually on my furnace you cannot connect a conventional thermostat. The thermostat talks to the furnace over RS-485 with a proprietary protocol. Now lucky for me it's not a 'smart' internet connected device. But depending on the installation the option of putting in a dumb thermostat may not exist.

    I ran into something like that when I had to replace a water heater - in Silicon Valley.

    In some areas of California, environmental regulations require you to install an extremely energy-efficient water heater. Part of the way this efficiency is obtained, with gas water heaters, is by not using a pilot light, which burns substantial gas all the time. (The pilot-light in my Nevada place's water heater puts out enough heat that, even with the heater set to "vacation" in the dead of winter, the tank's water is only about 10 degrees F below the normal setpoint when I arrive after weeks away.)

    Instead, they have a furnace-style spark igniter - and a computerized thermostat to control it.

    One downside is that, in a power failure, the tank won't heat. (After a couple showers I need to start the emergency genny and make sure the water heater is on the backed-up circuit.)

    But another downside is that the heater is able to hook up to your home network via WiFi - for convenient monitoring and remote control.

    (Fortunately, as of this spring, the WiFi hookup is an add-on board, which I presume contains the radio. So I just didn't buy the board. But with radio-capable systems-on-a-chip becoming so cheap, due to the IoT, I expect that the next models will have the radio built-in and always-on. That will let the bad guys track whether, and when, the building is occupied by looking at the water heating load, or just screw around with the settings.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.
  39. It's not a bug. It's a feature. by RogueWarrior65 · · Score: 1

    How else are we going to save the planet unless the government has control over your thermostat?