Slashdot Mirror


Hackers Make the First-Ever Ransomware For Smart Thermostats (vice.com)

Lorenzo Franceschi-Bicchierai, writing for Motherboard: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars. This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a "smart" device, in this case, a thermostat. Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger. "We don't have any control over our devices, and don't really know what they're doing and how they're doing it," Tierney told Motherboard. "And if they start doing something you don't understand, you don't really have a way of dealing with it." Tierney and Munro, who both work at UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in the security world.

29 of 213 comments

  1. Yes, because it would be by The Cisco Kid · · Score: 5, Insightful

    COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

    1. Re:Yes, because it would be by Anonymous Coward · · Score: 5, Informative

      Actually on my furnace you cannot connect a conventional thermostat. The thermostat talks to the furnace over RS-485 with a proprietary protocol. Now lucky for me it's not a 'smart' internet connected device. But depending on the installation the option of putting in a dumb thermostat may not exist.

    2. Re:Yes, because it would be by Anonymous Coward · · Score: 2, Insightful

      Yes, I'm sure the smart thermostat vendor has a line dedicated for hacked thermostats. And if they don't, I'm sure their technical support folks will have no problem getting past the "is your thermostat connected? No? Then you must connect it for us to help you" part of their script.

      3 days later, you might get to someone in engineering who will say, yup, we raised this at our management meeting. Them marketing folks didn't care. Can't help you.

    3. Re:Yes, because it would be by Anonymous Coward · · Score: 4, Insightful

      Why the fuck did you buy that?

    4. Re:Yes, because it would be by tripleevenfall · · Score: 3, Insightful

      Probably capable of calling a person to install a $25 thermostat and paying them one hour of labor to do so.

    5. Re:Yes, because it would be by cfalcon · · Score: 2

      > calling a person to install a $25 thermostat

      Because HVAC guys are able to gear up to handle a newly enabled assault on the infrastructure they provide ("Thanks, Computer Science! For bringing all your problems everywhere, from hearth to hospital!"), show up, and have a whole ton of old school thermostats just laying around in case.

      Way worse if the attack is distributed top down.

      And remember: this specific attack is just about a thermostat. Other "smart" things (read: "will remotely obey your enemies in time of need") will or do include the refrigerator with grandma's insulin, the lock on the front door, and opened or closed status of the garage door, and in some cases, pieces of the plumbing. I can't wait for some smart toilet to yield some kind of resonant attack on the pipes by clever timing of valves.

      All this tech, brought to you by a few semi-professionals buying the cheapest commodity chips from gods-know-where. I'm sure they will succeed where security professionals routinely fail.

    6. Re:Yes, because it would be by cfalcon · · Score: 2

      I mean, look at how many compromises we make with our computers and computer programs. And many of us are computer professionals. Even if you do go through hoops to have your computer be pretty much perfect, that's because of a passion about that. I don't think anyone has everything set up perfectly, and the mere existence of these things in the market place means that many people are going to end up with them, unless they are passionate haters.

      For my part, I actually got a new furnace and AC recently, and I brought up that I didn't want any networking technology, and that an analog ("mechanical") thermostat would be ideal. He was easily able to accommodate the first, but the "mechanical" thermostats were a pain- they were rare and way more expensive because there's not much market for them. What will that conversation sound like in twenty years?

      And of course- I was able to accomplish this because I was having just the HVAC work done anyway, and all had to be replaced regardless.

    7. Re:Yes, because it would be by geekmux · · Score: 2

      > COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

      Quite often there is an inverse correlation between the "smart" device and the owner, and you ARE talking about a human that needs an app to operate their thermostat so, good luck with that theory.

  2. Who the f*** would pay this? by BronsCon · · Score: 5, Insightful

    Hmm... Pay you hundreds of dollars, or replace the damn thing with a $20 model you can't hack remotely. Seems an easy choice for me.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    1. Re:Who the f*** would pay this? by pla · · Score: 5, Insightful

      Not sure how an oven - Or a refrigerator - Or anything else, for that matter, involves a substantially different solution:

      The IoT is a bad idea, period. I don't need any appliance in my house to have internet access, and will actively go out of my way to make damned sure they don't.

      And before someone says "eventually you won't have any choice" - Of course we will. We might pay a bit extra for the "marine" or "remote cabin" version, but as long as someone has a use case requiring offline use, that will remain an option.

  3. From consumers to products by wcrowe · · Score: 4, Insightful

    This is why I don't understand the rush to have all these IOT devices in the house. I have a couple, but they are isolated, and if they were hacked I could still function without them. There seems to be a rush to have everything, from the washing machine, to the microwave, to the toaster hooked to the internet, and there seems to be even a push to build these devices so that they do not function without an internet connection. I used to be baffled as to why consumers would even want such things. But, of course, it is not the consumers who want all this IOT, but the vendors who sell the devices and the services, trying to turn us into the product.

    --
    Proverbs 21:19
    1. Re:From consumers to products by Anonymous Coward · · Score: 4, Interesting

      A lot of people are glossing over that the newer models with IoT thermostats have much more complicated control systems because the compressor and fan have different power settings. Thus, the signal-to-activation connection is no longer a binary controller that can be hot wired.

      We live near but not in Washington D.C. When we installed new HVAC units we had the option of taking a wireless or regular thermostat, to which I elected "very strongly" to have the regular one or else I would cut the antennas out. The HVAC guy looked up with any amount of shock and said that the last two installs he did the people said the same thing. One was at the CIA and the other at the FBI (according to the HVAC guy. I'm in the DoD).

      Most people just see the functionality, not the risk. No one understands the risk until it becomes a reality. I have tried multiple times to get people to understand this and they refuse. Setting up a computer is no different for the layman---they fiddle with it until it works and stop as soon as it does. Doesn't matter that the firewall is fully open now and sharing is on. It works, and that's all that counts. I'd wager the same goes with IoT. It's about what can be done, not what might happen that you didn't expect.

  4. I actually prefer it hackable by omnichad · · Score: 3, Interesting

    Sure, there are malicious cases for this. But most IoT devices like smart thermostats are a bit too dumbed down and don't even operate correctly without an external Internet connection. Their broken security is about the only way to get a proper level of functionality.

  5. Re:Bitcoin by sirber · · Score: 4, Funny

    You can send me 1 bitcoin to get a +1 score

    --
    Be or ben't
  6. Re:Governments will love this by tripleevenfall · · Score: 3, Interesting

    It's not difficult to imagine California deciding they need the ability to throttle your AC to combat brownouts/global warming/whatever

  7. Re: Bitcoin by fyngyrz · · Score: 2

    You forgot "cloud."

    --
    I've fallen off your lawn, and I can't get up.
  8. Emergency service call costs by Overzeetop · · Score: 3, Insightful

    Do you have any idea what a licensed installer charges for an emergency visit on a Sunday morning? That $25 thermostat is $50 because you don't get to buy the one that's on sale at Home Depot, and the cost to knock on your door is going to be close to $150, and then the rate ticks forward at $100/hr. And at the end of your $300 emergency service call, you'll be left with a dumb thermostat and a $200 paperweight.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Emergency service call costs by Waffle Iron · · Score: 3, Insightful

      In the worst case, they could just unscrew the wires from the thermostat and clip the bare ends together with a clothespin to turn on the furnace. That would at least keep the pipes from freezing and cost $0.

    2. Re:Emergency service call costs by Anonymous Coward · · Score: 3, Insightful

      > "Smart" thermostats often communicate with the furnace / cooling via a cat-6 or some other type of communications cable

      No, these smart thermostats are simple replacements, not something requiring a computerized furnace.

    3. Re: Emergency service call costs by WarJolt · · Score: 5, Insightful

      Somehow I feel like in order to graduate from high school one requirement should be to realize thermostats aren't magic. Too bad we can't revoke HS diplomas. Many Americans don't know cell phones work using radios. It's a bit troubling that a 30 minute electricity experiment performed at an elementary school level can provide the necessary insight into the operations of a thermostat and yet most Americans can't figure this shit out.

    4. Re: Emergency service call costs by UnknownSoldier · · Score: 2

      Part of the problem is that people have more money than time.

      They would rather remain ignorant and pay someone else to solve the problem.

  9. Re: Bitcoin by slashrio · · Score: 2

    No he didn't. Bitcoin and tor work against vested interests and therefore 'need' to be outlawed. The Cloud doesn't.

    --
    "Trump!!", the new Godwin.
  10. Re:Governments will love this by pr0fessor · · Score: 2

    It's opt-in and it's supposed to help with costs and availability during peak hours... They even have those programs in the mid-west.

  11. Re:Governments will love this by Opportunist · · Score: 2

    Governments will love this for a completely different reason. When "hackers" start to bother normal people, normal people will ask for laws that stop this. And they'll get the laws. Not that they stop anything, but you know how it is, once a law is passed, it stays.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Bullshit, never going to happen by kheldan · · Score: 3, Insightful

    > One day, your thermostat will get hacked by some cybercriminal

    No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  13. embedded need to have os updates that are on there by Joe_Dragon · · Score: 2

    Embedded stuff needs to have OS updates that are on their own and come out faster than the app update.

    At least some embedded stuff is ARM with cut-down Linux-based OSes. But others are full PCs running a big Linux install or even Windows with a custom app on top of it. And with a lot of them you need to wait for the app part to be updated before the underlying OS gets fixed, even for just OS security fixes, as the updates just come as full install images.

    Some embedded systems have SD cards that can have their OS hacked, and the hack can stay on the system even after power off. Unlike others where it's flashed with a small NVRAM area that just holds settings / logs.

  14. Communication protocol by sjbe · · Score: 4, Informative

    > "Smart" thermostats often communicate with the furnace / cooling via a cat-6 or some other type of communications cable, they are rarely just a switch.

    No they do not. Retrofitting a cat6 (overkill) cable to run to the HVAC in an existing house would be prohibitively expensive and/or time consuming. They communicate with the HVAC via the same set of wires a "dumb" thermostat would use and get power over the same cables. They generally communicate with the network via wifi. Nest even kindly color codes everything so that someone who isn't a licensed technician can do the job.

  15. Re: Bitcoin by gtall · · Score: 2

    Errr....Tor was (and still is) supported by the U.S. Naval Research Laboratory which, last we checked, was under the Office of Naval Research of the U.S. Navy. So Tor is being developed to work against which vested interest exactly? Maybe if you took a fixed point in the right space, you'd get the answer you want to believe, but I doubt it.

  16. Re: Bitcoin by fyngyrz · · Score: 2

    Yeah, he did. The cloud is the perfect petri dish for fraud, and that's exactly how it's used most of the time, to suck money and/or information out of bewildered users.

    "We'll just keep "your" music and "your" video in the cloud for you"

    uh-huh...

    --
    I've fallen off your lawn, and I can't get up.