Your 'Smart' Thermostat Is Now Vulnerable To Ransomware
from the the-Jetsons-this-ain't dept
We've noted time and time again how the much ballyhooed "internet of things" is a privacy and security dumpster fire, and the check is about to come due. Countless companies and "IoT" evangelists jumped head first into the profit party, few bothering to cast even a worried look over at the reality that basic security and privacy standards hadn't come along for the ride. The result has been an endless parade of not-so-smart devices and appliances that are busy either leaking your personal details or potentially putting your life at risk.
Of course, the Internet of Things hype machine began with smart thermostats and the sexy, Apple-esque advertising of Nest. The fun and games didn't last, however, especially after several botched firmware updates resulted in people being unable to heat or cool their homes (relatively essential for a thermostat).
@nest @nestsupport It would be nice if your app would let users know when a device is offline due to server issues.
— Chris Berry (@Chris_Berry) July 26, 2016
"We don’t have any control over our devices, and don’t really know what they’re doing and how they’re doing it,” Tierney told Motherboard. “And if they start doing something you don’t understand, you don’t really have a way of dealing with it."
And again, as we've seen with everything from smart refrigerators to Wi-Fi embedded tea kettles, companies get so excited about the IoT marketing and revenue possibilities, they fail to embed even basic security in supposedly intelligent devices:
"The thermostat in question has a large LCD display, runs the operating system Linux, and has an SD card that allows users to load custom settings or wallpapers. The researchers found that the thermostat didn’t really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware into an application or what looks like a picture and trick users to transfer it on the thermostat, making it run automatically."
So yeah, imagine waking up one morning to this:
Yes, this is just one thermostat and a proof-of-concept, but worries about the IoT industry's total failure to include security on "smart" devices should not be confused with scaremongering or hyperbole. As Bruce Schneier recently warned, the IoT explosion has resulted in the introduction of thousands of new attack vectors in homes, businesses and vehicles across the country, with vendors and Luddite consumers often ill-prepared to quickly update these products when vulnerabilities are exposed. If smart technology doesn't get smarter soon, the future of smart technology...is going to be dumb technology.
Filed Under: iot, ransomware, security, smart thermostat, thermostat
Reader Comments
1) Remove device from wall
2) Too hot? Twist red and green wires together
3) Cooled down nicely? Untwist wires
4) Rinse and repeat
is about as eco-friendly as it gets. Discarding and recycling that thermostat returns the mercury to the environment. Even if it's "safely stored" or re-used in some way, some fraction of that mercury will inevitably escape. "Smart" thermostats should all have at least one mercury switch inside so that no external failure causes a complete loss of control. That's the eco-responsible thing to do. If "smart" IOT companies did that, failures would frequently pass with no-one noticing and virtually no energy wasted.
Re: Re:
But this story is not even about remote hacking.
Re:
That's just not acceptable.
Re:
Way cool, bro.
Functionality = null;
Your very personal thermostat can also be hacked...
"the makers of the We collect exactly when the device is used, which of the ten vibration modes they are using, and even ***the temperature of the device.*** All this data is stored on corporate servers and in the terms and conditions of the device the manufacturer reserves the right to pass it on to the authorities."
http://www.theregister.co.uk/2016/08/07/your_sec_toy_is_spying_on_you_hackers_crack_our_plastic_pals/
Thought of the day.
Sometimes the dumbest option is the smartest option to go.
Click Bait
1. Physical access to the thermostat is required as the software must be installed with an SD card. Is this even a security hole. Some could argue it is a (dubious) feature. And if an attacker has physical access to your thermostat they could just steal and ransom the actual device. Or something more valuable.
2. Hacking of things on the "internet of things" is often not as serious of an issue because the many of the "things" are relatively inexpensive and contain no data of value. For example, a *thermostat*. Even if someone *remotely* hacked the thermostat they couldn't ask for much of a ransom because the victim could just go buy a new (hopefully more secure) thermostat. It takes 10 minutes to install a new one.
Re: Click Bait
Quite frankly, the secret to saving energy costs for heating and cooling. Set the heat temp down some more and the Cool up some more. Then wear less or wear more. You don't need to cool your house down to 72 or 68, 78 is low enough. Don't need to heat your house to 72 or so either, keep it down to 66. Dress warmer. Do you need a HUGE HOUSE for the 2 of you? Or 4 of you? Bigger the house, the more energy needed. I don't think a Smart thermostat is going to save you much unless you don't do the most basic things. A dumb, cheap Digital programmable thermostat is good enough.
Re: Click Bait
I could "hack" your conventional thermostat with a hammer if I had physical access. So this isn't even an IoT story.
OTOH, I'm not on board with point 2. Lots of private data about my presence and patterns can be gleaned from my thermostat. It's not about the risk of the $200 thermostat. There is much more at stake.
Re: Re: Click Bait
I could "hack" your conventional thermostat with a hammer if I had physical access. So this isn't even an IoT story.
I agree with you on this point. A maxim of computer security is that you don't have security if you don't have physical security.
Re: Re: Click Bait
Knowing this vector, someone nefarious just needs to give the users a reason to download something from the internet and plug it into the thermostat... like a corrupted thermostat upgrade package... or some background 'jpegs'. Since there is no security or code signing, the thermostat will merrily run this code and voila, hacked, and on the internet ready for exploitation.
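The check the article (files from the SD card run unverified) and this comment (no code signing) both say is missing, as an added example that is not code from the page, the researchers or the thermostat vendor: a loader that accepts a file from removable media only if it is a signed package whose Ed25519 signature verifies under a vendor public key baked into the firmware. The package layout, the "THRM" magic string and the function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed package layout (not the vendor's real format):
//   "THRM" | uint32 big-endian payload length | payload | 64-byte Ed25519 signature
// The signature covers magic, length and payload together, so a script renamed
// to look like a wallpaper cannot pass: it is not a package at all.
const magic = "THRM"

var (
	ErrFormat    = errors.New("not a signed package")
	ErrSignature = errors.New("signature does not verify under the vendor key")
)

// VerifyPackage returns the payload only when the file is well formed and its
// signature validates under vendorPub (the key baked into the firmware image).
func VerifyPackage(file []byte, vendorPub ed25519.PublicKey) ([]byte, error) {
	if len(file) < 8+ed25519.SignatureSize || string(file[:4]) != magic {
		return nil, ErrFormat
	}
	body := 8 + int(binary.BigEndian.Uint32(file[4:8]))
	if body+ed25519.SignatureSize != len(file) {
		return nil, ErrFormat
	}
	if !ed25519.Verify(vendorPub, file[:body], file[body:]) {
		return nil, ErrSignature
	}
	return file[8:body], nil
}

// SignPackage builds a package the way the vendor's release tooling would;
// the private key stays with the vendor, only the public half is on the device.
func SignPackage(payload []byte, vendorPriv ed25519.PrivateKey) []byte {
	buf := bytes.NewBufferString(magic)
	_ = binary.Write(buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	return append(buf.Bytes(), ed25519.Sign(vendorPriv, buf.Bytes())...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)          // stands in for the vendor key pair
	signed := SignPackage([]byte("wallpaper.png bytes"), priv)  // constructed sample payload
	_, err := VerifyPackage(signed, pub)
	fmt.Println("signed package:", err)                         // <nil>
	_, err = VerifyPackage([]byte("\xff\xd8\xff\xe0 #!/bin/sh ..."), pub) // constructed bare file
	fmt.Println("bare file from SD card:", err)                 // not a signed package
}
```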
Proud Luddite
I am a proud Luddite where these things are concerned. I won't upgrade to an IoT thermostat, refrigerator, etc. There's too little utility to such a device to justify either the price or the compromise in security, or even the new vulnerabilities.
I don't think most people understand just how vulnerable you are to a misconfigured IoT thermostat, for example. That hacker who took control of your thermostat could actually destroy the AC unit by turning it on and off without letting the compressor cool down sufficiently, for example, and that would cost you much more than 1 bitcoin to replace. There's a reason there are cycle limits built into thermostats.
Re: Proud Luddite
Waste tons of money - depending on how they are heating/cooling, you can run up their bills quite quickly
Heat/fire hazard - continuously on heaters in a closed house given enough time... and do you have any children, pets, old people that could succumb to heat stroke before someone realizes and pulls the plug on the thermostat
Freezing temps - If they can tell that the outside temp is below freezing (I'm betting most of these systems have an outside temp gauge), turning on the AC to the max combined with the outside temp can lead to a frozen house with frozen pipes
But most of these things are just nuisance. The big security issue would be with having an inside man that could tell you what people's routines are and when nobody is home so you could rob the place.
"Consumer, who replaced a perfectly working thermostat for the sake of an app, now wonders why this new thermostat can't heat or cool their own home. Turns out, it's been hacked."
Translation: consumer lacks common sense, and expects us to feel sympathy for their plight.
Tell me a story about how a 7 year old girl was killed because some asshole was trying to catch cartoon animals while driving their 2000 pound automobile, then I'll show compassion.
Common sense is disappearing from this country at an alarming rate.
Yes, I do blame technology. It's literally keeping people from thinking on their own.
Re:
It's not. It's a feature that has varying degrees of value to different people. To those with a second home, or those away from home for extended periods, it's very sensible.
Re: Opinion
It just says that she likes learning, and reading English articles like this in her spare time.
Not On Board 100%
"companies get so excited about the IoT marketing and revenue possibilities, they fail to embed even basic security in supposedly intelligent devices:"
That may be true of some, or even most IoT. But it does not justify painting the entire category as stupid.
Just about every innovative technology starts with security as an afterthought. It's not "right". But it is standard practice. Why would the first innovators worry about security when they have hundreds of other issues to work through, AND when 'obscurity' is pretty good security given the devices are a new category. As I said, it's not right, but it's normal.
Orville and Wilbur Wright did not worry about hijacking defenses. Should they have?
Carmakers computerized the CANBUS network and the OBDII in cars long ago. Should they have made it hack-proof?
The first smartphones (PalmOS, Windows Mobile) had few deliberate defenses against virus and attacks. But almost no attacks occurred.
Once again, I agree with you that this is not the best. It's better if security is built in from the start. But it almost never is. So why all the specific hate for IoT?
Re: Re: Not On Board 100%
FYI, though it's not fully true. I use a number of IoT devices which are not cloud services, but rather things that I manage and access myself. It's technically much harder to do, so not mass market, but it's also available.
And of course, it's still vulnerable, as any connected device is.
Re: Re: Re: Not On Board 100%
As do I, but almost none of the commercially available devices are like this. The "IoT" == "cloud" (or at least phone-home) equivalency holds very well in the commercial space.
"They're doing it too" is not an acceptable defense
...
Once again, I agree with you that this is not the best. It's better if security is built in from the start. But it almost never is. So why all the specific hate for IoT?
Just because it may be 'standard practice' or 'normal' doesn't mean it should be given a pass. If you're going to be making a product and selling it to the public and you don't put at least some effort into making sure that the product is safe and secure then you absolutely deserve to get called out on your lousy practices.
It doesn't matter in the slightest that others may have shoddy practices too, all that means is that they deserve their share of blame for their actions(or more often inaction) as well.
Re: "They're doing it too" is not an acceptable defense
But what I'm calling out is the inordinate, out of proportion distaste Karl has for IoT. Has he been similarly sour about every other innovation that had security as an afterthought? Because most of them did.
MOST startups here in Silicon Valley struggle to build an MVP (a Minimum Viable Product), and then to shove that product out to market as fast as possible. There are massive pressures from first-to-market, to cash flow, to investor pressure. Most of these startups tend to look at security as a distraction from their race to grab market share fast. They figure they'll worry about security when security becomes a problem. If anyone here would like to debate this assertion, I'd be interested. But I think most would agree.
I have absolutely never asserted that this is right. Simply that this is true.
So to act like IoT is unique is misleading.
To act like IoT is a stupid idea because lots of it is insecure is short-sighted and untrue.
Re: Not On Board 100%
IoT isn't all that innovative and to compare it to the invention of the airplane is ridiculous. IoT is basically taking a few well established technologies and throwing them together to make a fast buck with little to no regard to the consequences for the buying public.
Orville and Wilbur Wright did not worry about hijacking defenses. Should they have?
Orville and Wilbur did not invent passenger airliners. And even when airliners were first developed hijacking was not a known threat. The types of security vulnerabilities present in IoT devices are generally of types well known on the day the devices are introduced but ignored by the manufacturers for cost savings reasons. I don't see much excuse for that.
Re: Re: Not On Board 100%
Once again. Not the right decision, but very common, and not limited to IoT.
Once security is a problem with IoT (around the current time frame), then security will be the problem that people work to solve. Then it will be adequately addressed (because security cannot be fully solved).
While they're at it, how about a reset switch? Press it and all user settings and files are wiped while the firmware is restored to the factory default from a copy stored in ROM.