Hackers Make the First-Ever Ransomware For Smart Thermostats

Lorenzo Franceschi-Bicchierai, writing for Motherboard: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars. This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a "smart" device, in this case, a thermostat. Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger. "We don't have any control over our devices, and don't really know what they're doing and how they're doing it," Tierney told Motherboard. "And if they start doing something you don't understand, you don't really have a way of dealing with it." Tierney and Munro, who both work UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in security world.

Yes, because it would be

[The+Cisco+Kid]

COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

Re:Yes, because it would be

Actually on my furnace you cannot connect a conventional thermostat. The thermostat talks to the furnace over RS-485 with a proprietary protocol. Now lucky for me it's not a 'smart' internet connected device. But depending on the installation the option of putting in a dumb thermostat may not exist.

Who the f*** would pay this?

[BronsCon]

Hmm... Pay you hundreds of dollars, or replace the damn thing with a $20 model you can't hack remotely. Seems an easy choice for me.

Re:Who the f*** would pay this?

[pla]

Not sure how an oven - Or a refrigerator - Or anything else, for that matter, involves a substantially different solution:

The IoT is a bad idea, period. I don't need any appliance in my house to have internet access, and will actively go out of my way to make damned sure they don't.

And before someone says "eventually you won't have any choice" - Of course we will. We might pay a bit a bit extra for the "marine" or "remote cabin" version, but as long as someone has a use case requiring offline use, that will remain an option.

Re: Emergency service call costs

[WarJolt]

Somehow I feel like in order to graduate from high school one requirement should be to realize thermostats aren't magic. Too bad we can't revoke HS diplomas. Many Americans don't know cell phones work using radios. It's a bit troubling that a 30 minute electricity experiment performed at an elementary school level can provide the necessary insight into the operations of a thermostat and yet most Americans can't figure this shit out.