Your 'Smart' Thermostat Is Now Vulnerable To Ransomware

from the the-Jetsons-this-ain't dept

We've noted time and time again how the much ballyhooed "internet of things" is a privacy and security dumpster fire, and the check is about to come due. Countless companies and "IoT" evangelists jumped head first into the profit party, few bothering to cast even a worried look over at the reality that basic security and privacy standards hadn't come along for the ride. The result has been an endless parade of not-so-smart devices and appliances that are busy either leaking your personal details or potentially putting your life at risk.

Of course, the Internet of Things hype machine began with smart thermostats and the sexy, Apple-esque advertising of Nest. The fun and games didn't last however, especially after several botched firmware updates resulted in people being unable to heat or cool their homes (relatively essential for a thermostat).
Not quite the future that was advertised. And things are about to get notably more interesting with the news that hackers have figured out a way to load smart thermostats with ransomware. Security researchers Andrew Tierney and Ken Munro demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, using the opportunity to highlight how many of these devices aren't transparent and fail utterly at giving users any real control of what's happening on their home network:
"We don’t have any control over our devices, and don’t really know what they’re doing and how they’re doing it,” Tierney told Motherboard. “And if they start doing something you don’t understand, you don’t really have a way of dealing with it."
And again, as we've seen with everything from smart refrigerators to Wi-Fi embedded tea kettles, companies get so excited about the IoT marketing and revenue possibilities, they fail to embed even basic security in supposedly intelligent devices:
"The thermostat in question has a large LCD display, runs the operating system Linux, and has an SD card that allows users to load custom settings or wallpapers. The researchers found that the thermostat didn’t really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware into an application or what looks like a picture and trick users to transfer it on the thermostat, making it run automatically."
So yeah, imagine waking up one morning to this:
Yes, this is just one thermostat and a proof-of-concept, but worries about the IoT industry's total failure to include security on "smart" devices should not be confused with scaremongering or hyperbole. As Bruce Schneier recently warned, the IoT explosion has resulted in the introduction of thousands of new attack vectors in homes, businesses and vehicles across the country, with vendors and Luddite consumers often ill-prepared to quickly update these products when vulnerabilities are exposed. If smart technology doesn't get smarter soon, the future of smart technology...is going to be dumb technology.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: iot, ransomware, security, smart thermostat, thermostat


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Vidiot (profile), 9 Aug 2016 @ 5:26am

    Unlike other device ransomware, though, this one has a workaround:

    1) Remove device from wall
    2) Too hot? Twist red and green wires together
    3) Cooled down nicely? Untwist wires
    4) Rinse and repeat

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 9 Aug 2016 @ 6:29am

    Re:

    5) Send POS back demanding a refund

    link to this | view in thread ]

  3. icon
    Ninja (profile), 9 Aug 2016 @ 6:55am

    Re:

    I have a bulletproof solution: use dumb thermostats. Impervious to remote hacking. And you get the bonus of not having to deal with wires whenever you want to change the temp.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 9 Aug 2016 @ 7:01am

    Doesn't seem quite the same....

    It might take some help from the company, but wiping one of those out/restoring the base software shouldn't be too big of a problem and there's no worry about data loss like a regular PC.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 9 Aug 2016 @ 7:03am

    Re: Doesn't seem quite the same....

    Nice try Nest spokesperson.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 9 Aug 2016 @ 7:06am

    Your very personal thermostat can also be hacked...

    but I'm not sure that "You Suck!" is entirely appropriate...

    "the makers of the We collect exactly when the device is used, which of the ten vibration modes they are using, and even ***the temperature of the device.*** All this data is stored on corporate servers and in the terms and conditions of the device the manufacturer reserves the right to pass it on to the authorities."

    http://www.theregister.co.uk/2016/08/07/your_sec_toy_is_spying_on_you_hackers_crack_our _plastic_pals/

    link to this | view in thread ]

  7. icon
    Capt ICE Enforcer (profile), 9 Aug 2016 @ 7:10am

    Thought of the day.

    Capt ICE Enforcer thought of the day.

    Sometimes the dumbest option is the smartest option to go.

    link to this | view in thread ]

  8. icon
    Capt ICE Enforcer (profile), 9 Aug 2016 @ 7:13am

    Business option for ransomware

    Hello internet ransomware companies. Might I recommend that you change your business model. Instead of a one time fee to unlock the device. You should change your EULA to an annual license which charges every year to keep it unlocked. That ways you get more profit.

    link to this | view in thread ]

  9. identicon
    GiGNiC, 9 Aug 2016 @ 7:17am

    Re:

    While your house would be cool, you would no longer be cool.
    That's just not acceptable.

    link to this | view in thread ]

  10. identicon
    Jason Kraftcheck, 9 Aug 2016 @ 7:22am

    Click Bait

    The original article was nothing but click bait.

    1. Physical access to the thermostat is required as the software must be installed with an SD card. Is this even a security hole. Some could argue it is a (dubious) feature. And if an attacker has physical access to your thermostat they could just steal and ransom the actual device. Or something more valuable.

    2. Hacking of things on the "internet of things" is often not as serious of an issue because the many of the "things" are relatively inexpensive and contain no data of value. For example, a *thermostat*. Even if someone *remotely* hacked the thermostat they couldn't ask for much of a ransom because the victim could just go buy a new (hopefully more secure) thermostat. It takes 10 minutes to install a new one.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 9 Aug 2016 @ 7:28am

    Re:

    Hey, friends, look at this cool app that I have... It says that it'll control my thermostat but it actually just lets me press these buttons to make what looks like a setting on my thermostat go up and down.

    Way cool, bro.

    Functionality = null;

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 9 Aug 2016 @ 7:31am

    Re: Doesn't seem quite the same....

    Sounds like that "time saving" device just brought a bunch of effort to the party. Oh, and in the wings, you have a husband/wife/significant other/children/pets that are hassling you as to when the temperature will be comfortable again.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 9 Aug 2016 @ 7:31am

    My Bluetooth belt has been hacked --

    I have to pay Bitcoin before I can take my pants off.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 9 Aug 2016 @ 7:32am

    Basically the definition of IoT: "So smart, it can - and WILL - get hacked."

    link to this | view in thread ]

  15. icon
    JBDragon (profile), 9 Aug 2016 @ 7:37am

    Re: Click Bait

    Except when it comes to things like Baby Monitor's that have piss poor to no security and others can easily gain access and watch your kid(s) or whatever. IoT really has weak security if used. it was never designed for all the crap it's being used for. I hear they're working on a better version of it. The only thing is it's not compatible with what you may currently have. So just replace everything!!!

    Quite frankly, the secret to saving energy costs for heating and cooling. Set the heat temp down some more and the Cool up some more. Then wear less or wear more. You don't need to cool your house down to 72 or 68, 78 is low enough. Don't need to heat your house to 72 or so either, keep it down to 66. Dress warmer. Do you need a HUGE HOUSE for the 2 of you? Or 4 of you? Bigger the house, the more energy needed. I don't think a Smart thermostat is going to safe you much unless you don't do the most basic things. A dumb, cheap Digital programmable thermostat is good enough.

    link to this | view in thread ]

  16. icon
    nerd bert (profile), 9 Aug 2016 @ 7:39am

    Proud Luddite

    ... with vendors and Luddite consumers often ill-prepared to quickly update these products when vulnerabilities are exposed.

    I am a proud Luddite where these things are concerned. I won't upgrade to an IoT thermostat, refrigerator, etc. There's too little utility to such a device to justify either the price or the compromise in security, or even the new vulnerabilities.

    I don't think most people understand just how vulnerable you are to a misconfigured IoT thermostat, for example. That hacker who took control of your thermostat could actually destroy the AC unit by turning it on an off without letting the compressor cool down sufficiently, for example, and that would cost you much more the 1 bitcoin to replace. There's a reason there are cycle limits built into thermostats.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 9 Aug 2016 @ 8:05am

    Re: Click Bait

    The thermostat might be quite cheap, but all the burst pipes and radiators that came from the resulting freeze up can be quite expensive.

    link to this | view in thread ]

  18. icon
    NeghVar (profile), 9 Aug 2016 @ 8:31am

    Re: Re:

    But those dumb thermostats use mercury. It is sooooo eco-unfriendly and must be banned

    link to this | view in thread ]

  19. identicon
    Michael, 9 Aug 2016 @ 8:32am

    Re: Business option for ransomware

    The actual thermostat companies already have a patent on that business model.

    link to this | view in thread ]

  20. identicon
    Dennis Gartman, 9 Aug 2016 @ 9:04am

    Re: Re: Click Bait

    How very dare you inject common sense into this article! Really though, good & practical advice. :)

    link to this | view in thread ]

  21. icon
    Violynne (profile), 9 Aug 2016 @ 9:05am

    Let's re-write this article a bit differently, to show why it's funny:

    "Consumer, who replaced a perfectly working thermostat for the sake of an app, now wonders why this new thermostat can't heat or cool their own home. Turns out, it's been hacked."

    Translation: consumer lacks common sense, and expects us to feel sympathy for their plight.

    Tell me a story about how a 7 year old girl was killed because some asshole was trying to catch cartoon animals while driving their 2000 pound automobile, then I'll show compassion.

    Common sense is disappearing from this country at an alarming rate.

    Yes, I do blame technology. It's literally keeping people from thinking on their own.

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 9 Aug 2016 @ 9:07am

    Re: Re: Re:

    All of them?

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 9 Aug 2016 @ 9:10am

    Re: Click Bait

    Nice try apologist from Nest

    link to this | view in thread ]

  24. identicon
    Anonymous Coward, 9 Aug 2016 @ 9:11am

    Re: Proud Luddite

    Refusing to use silly "new" products because they are stupid does not mean you are a luddite.

    link to this | view in thread ]

  25. This comment has been flagged by the community. Click here to show it
    icon
    Eugenia Ramos (profile), 9 Aug 2016 @ 9:12am

    Opinion

    me encanta conocer cosas nuevas, tambien amo el ingles, por eso leo estos articulos durante mi tiempo libre. gracias

    link to this | view in thread ]

  26. icon
    John Fenderson (profile), 9 Aug 2016 @ 9:12am

    Re: Re: Re: Re:

    No, not all of them. The use of mercury switches has been in the process of being phased out for a while now. There are lots of mercury-free dumb thermostats available.

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 9 Aug 2016 @ 9:13am

    Re:

    Blame the idiot get rich quick schemers, not the tools they use.

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 9 Aug 2016 @ 9:29am

    Re: Re: Doesn't seem quite the same....

    I mean it obviously sucks, but it's not the same level of hassle as "your data is all gone unless you pay up." That can't be fixed with a software reinstall/rollback.

    link to this | view in thread ]

  29. icon
    Aaron Walkhouse (profile), 9 Aug 2016 @ 9:36am

    Keeping that mercury under glass and doing something useful
    is about as eco-friendly as it gets. ‌ Discarding and recycling
    that thermostat returns the mercury to the environment.

    Even if it's "safely stored" or re-used in some way,
    some fraction of that mercury will inevitably escape.

    "Smart" thermostats should all have at least one mercury
    switch inside so that no external failure causes a complete
    loss of control. ‌ That's the eco-responsible thing to do.

    If "smart" IOT companies did that, failures would frequently
    pass with no-one noticing and virtually no energy wasted.

    link to this | view in thread ]

  30. identicon
    TripMN, 9 Aug 2016 @ 10:04am

    Re: Proud Luddite

    There are a lot of problems you can cause if you get control of a thermostat beyond locking the users out and/or destroying their A/C unit.

    Waste tons of money - depending on how they are heating/cooling, you can run up their bills quite quickly

    Heat/fire hazard - continuously on heaters in a closed house given enough time... and do you have any children, pets, old people that could succumb to heat stroke before someone realizes and pulls the plug on the thermostat

    Freezing temps - If they can tell that the outside temp is below freezing (I'm betting most of these systems have an outside temp gauge), turning on the AC to the max combined with the outside temp can lead to a frozen house with frozen pipes

    But most of these things are just nuisance. The big security issue would be with having an inside man that could tell you what people's routines are and when nobody is home so you could rob the place.

    link to this | view in thread ]

  31. identicon
    Oh That Brian!, 9 Aug 2016 @ 10:04am

    Mercury?

    Thermostats haven't used mercury in decades. The inexpensive ones are bi-metal springs, the more expensive ones use thermistors or other semiconductor devices.

    link to this | view in thread ]

  32. icon
    Derek Kerton (profile), 9 Aug 2016 @ 10:10am

    Not On Board 100%

    I agree that security is not being implemented enough in IOT, but Karl, you seem to have a chip on your shoulder against IoT for some other reason, and are using the security weakness as a hammer.

    "companies get so excited about the IoT marketing and revenue possibilities, they fail to embed even basic security in supposedly intelligent devices:"

    That may be true of some, or even most IoT. But it does not justify painting the entire category as stupid.

    Just about every innovative technology starts with security as an afterthought. It's not "right". But it is standard practice. Why would the first innovators worry about security when they have hundreds of other issues to work through, AND when 'obscurity' is pretty good security given the devices are a new category. As I said, it's not right, but it's normal.

    Orville and Wilbur Wright did not worry about hijacking defenses. Should they have?

    Carmakers computerized the CANBUS network and the OBDII in cars long ago. Should they have made it hack-proof?

    The first smartphones (PalmOS, Windows Mobile) had few deliberate defenses against virus and attacks. But almost no attacks occurred.

    Once again, I agree with you that this is not the best. It's better if security is built in from the start. But it almost never is. So why all the specific hate for IoT?

    link to this | view in thread ]

  33. icon
    Derek Kerton (profile), 9 Aug 2016 @ 10:12am

    Re:

    So, the ability to save money and pollution by gaining remote access to your thermostat is a lack of common sense?

    It's not. It's a feature that has varying degrees of value to different people. To those with a second home, or those away from home for extended periods, it's very sensible.

    link to this | view in thread ]

  34. icon
    Derek Kerton (profile), 9 Aug 2016 @ 10:18am

    Re: Click Bait

    Jason's first point is right. Is IoT even relevant if physical access is required?

    I could "hack" your conventional thermostat with a hammer if I had physical access. So this isn't even an IoT story.


    OTOH, I'm not on board with point 2. Lots of private data about my presence and patterns can be gleaned from my thermostat. It's not about the risk of the $200 thermostat. There is much more at stake.

    link to this | view in thread ]

  35. icon
    Derek Kerton (profile), 9 Aug 2016 @ 10:20am

    Re: Re:

    " Impervious to remote hacking."

    But this story is not even about remote hacking.

    link to this | view in thread ]

  36. icon
    John Fenderson (profile), 9 Aug 2016 @ 11:04am

    Re: Not On Board 100%

    I'm not Karl, but my opposition to IoT is pretty straightforward: the way everyone is developing them requires that they interact with a third party server. This is unacceptable data leakage to entities that make it clear they will be selling or otherwise monetizing it.

    link to this | view in thread ]

  37. identicon
    Enif, 9 Aug 2016 @ 11:16am

    You can't spell IDIOT...

    without IOT.

    link to this | view in thread ]

  38. icon
    That One Guy (profile), 9 Aug 2016 @ 11:19am

    "They're doing it too" is not an acceptable defense

    Just about every innovative technology starts with security as an afterthought. It's not "right". But it is standard practice.

    ...

    Once again, I agree with you that this is not the best. It's better if security is built in from the start. But it almost never is. So why all the specific hate for IoT?


    Just because it may be 'standard practice' or 'normal' doesn't mean it should be given a pass. If you're going to be making a product and selling it to the public and you don't put at least some effort into making sure that the product is safe and secure then you absolutely deserve to get called out on your lousy practices.

    It doesn't matter in the slightest that others may have shoddy practices too, all that means is that they deserve their share of blame for their actions(or more often inaction) as well.

    link to this | view in thread ]

  39. identicon
    Jim, 9 Aug 2016 @ 1:04pm

    But:

    Iot sounded interesting, when it first came out, use an app to turn on whatever, but then, they added stuff to the devices. Sensors for sound levels, brightness of the light, location monitoring, impedance sensors, burgler aids, everything to sense if you are here or there. Why? It would not save energy, being on 24/7. And the way our power grid is on the verge of brownouts, good luck.

    link to this | view in thread ]

  40. identicon
    Saiph, 9 Aug 2016 @ 1:06pm

    Re: Not On Board 100%

    Just about every innovative technology starts with security as an afterthought.

    IoT isn't all that innovative and to compare it to the invention of the airplane is ridiculous. IoT is basically taking a few well established technologies and throwing them together to make a fast buck with little to no regard to the consequences for the buying public.

    Orville and Wilbur Wright did not worry about hijacking defenses. Should they have?

    Orville and Wilbur did not invent passenger airliners. And even when airliners were first developed hijacking was not a known threat. The types of security vulnerabilities present in IoT devices are generally of types well known on the day the devices are introduced but ignored by the manufacturers for cost savings reasons. I don't see much excuse for that.

    link to this | view in thread ]

  41. identicon
    Saiph, 9 Aug 2016 @ 1:09pm

    Re: Re: Click Bait

    Jason's first point is right. Is IoT even relevant if physical access is required?

    I could "hack" your conventional thermostat with a hammer if I had physical access. So this isn't even an IoT story.


    I agree with you on this point. A maxim of computer security is that you don't have security if you don't have physical security.

    link to this | view in thread ]

  42. identicon
    TripMN, 9 Aug 2016 @ 1:19pm

    Re: Re: Click Bait

    But what is physical access in this case? They were saying there is a security vector involving getting the user to download something onto a drive and then plug it into the thermostat and then run the file. No one is stupid enough to randomly download shit off the internet and run it on an unsecured machine... right? Wait, isn't that how a ton of malware is done on regular computers all the time?

    Knowing this vector, someone nefarious just needs to give the users a reason to download something from the internet and plug it into the thermostat... like a corrupted thermostat upgrade package... or some background 'jpegs'. Since there is no security or code signing, the thermostat will merrily run this code and voila, hacked, and on the internet ready for exploitation.

    link to this | view in thread ]

  43. identicon
    Rekrul, 9 Aug 2016 @ 5:16pm

    I have to wonder how "smart" these devices are when the designers of them are so stupid. If the device absolutely has to have updateable firmware (what am I saying, the whole world would grind to a halt if electronic devices couldn't be updated!!!) just install a button that the user has to hold down to physically enable write access. No button, the firmware can't be changed.

    While they're at it, how about a reset switch? Press it and all user settings and files are wiped while the firmware is restored to the factory default from a copy stored in ROM.

    link to this | view in thread ]

  44. icon
    Derek Kerton (profile), 10 Aug 2016 @ 11:11am

    Re: Re: Not On Board 100%

    Fair enough, John. Your argument is cautious and sensible.

    FYI, though it's not fully true. I use a number of IoT devices which are not cloud services, but rather things that I manage and access myself. It's technically much harder to do, so not mass market, but it's also available.

    And of course, it's still vulnerable, as any connected device is.

    link to this | view in thread ]

  45. icon
    Derek Kerton (profile), 10 Aug 2016 @ 11:18am

    Re: "They're doing it too" is not an acceptable defense

    Well, that's exactly what I meant when I said "It's not right."

    But what I'm calling out is the inordinate, out of proportion distaste Karl has for IoT. Has he been similarly sour about every other innovation that had security as an afterthought? Because most of them did.

    MOST startups here in Silicon Valley struggle to build an MVP (a Minimum Viable Product), and then to shove that product out to market as fast as possible. There are massive pressures from first-to-market, to cash flow, to investor pressure. Most of these startups tend to look at security as a distraction from their race to grab market share fast. They figure they'll worry about security when security becomes a problem. If anyone here would like to debate this assertion, I'd be interested. But I think most would agree.

    I have absolutely never asserted that this is right. Simply that this is true.

    So to act like IoT is unique is misleading.

    To act like IoT is a stupid idea because lots of it is insecure is short-sighted and untrue.

    link to this | view in thread ]

  46. icon
    Derek Kerton (profile), 10 Aug 2016 @ 11:23am

    Re: Re: Not On Board 100%

    The point is that startups and inventors start with a vision, and then work through each problem and barrier as it presents itself. They have dozens of such problems, thus are rather focused on what is stopping them from the goal. They are not focused on the problems that WILL present themselves AFTER they reach the goal of building the working invention.

    Once again. Not the right decision, but very common, and not limited to IoT.

    Once security is a problem with IoT (around the current time frame), then security will be the problem that people work to solve. Then it will be adequately addressed (because security cannot be fully solved).

    link to this | view in thread ]

  47. icon
    Derek Kerton (profile), 10 Aug 2016 @ 11:25am

    Re: Opinion

    Why was the comment in Spanish flagged as abuse?

    It just say that she likes learning, and reading English articles like this in her spare time.

    link to this | view in thread ]

  48. icon
    John Fenderson (profile), 10 Aug 2016 @ 3:18pm

    Re: Re: Opinion

    It was spam for a car sales site.

    link to this | view in thread ]

  49. icon
    John Fenderson (profile), 10 Aug 2016 @ 3:23pm

    Re: Re: Re: Not On Board 100%

    "I use a number of IoT devices which are not cloud services, but rather things that I manage and access myself."

    As do I, but almost none of the commercially available devices are like this. The "IoT" == "cloud" (or at least phone-home) equivalency holds very well in the commercial space.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.