Security

Hackers Make the First-Ever Ransomware For Smart Thermostats (vice.com)

Lorenzo Franceschi-Bicchierai, writing for Motherboard: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars. This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a "smart" device, in this case, a thermostat. Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger. "We don't have any control over our devices, and don't really know what they're doing and how they're doing it," Tierney told Motherboard. "And if they start doing something you don't understand, you don't really have a way of dealing with it." Tierney and Munro, who both work for the UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in the security world.
  • by The Cisco Kid ( 31490 ) on Monday August 08, 2016 @10:58AM (#52664735)

    COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

    • by Anonymous Coward on Monday August 08, 2016 @11:03AM (#52664767)

      Actually on my furnace you cannot connect a conventional thermostat. The thermostat talks to the furnace over RS-485 with a proprietary protocol. Now lucky for me it's not a 'smart' internet connected device. But depending on the installation the option of putting in a dumb thermostat may not exist.

      • by Anonymous Coward on Monday August 08, 2016 @11:06AM (#52664789)

        Why the fuck did you buy that?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Yes, i'm sure the smart thermostat vendor has a line dedicated for hacked thermostats. And if they don't, I'm sure their technical support folks will have no problem getting past the "is your thermostat connected? No? Then you must connect it for us to help you" part of their script.

      3 days later, you might get to someone in engineering who will say, yup, we raised this at our management meeting. Them marketing folks didn't care. Can't help you.

    • by swb ( 14022 )

      Harder to do when you're in Florida and it's -20F at home.

      Pay the ransom or run the risk of burst pipes and destroyed interiors from water damage.

      During the mortgage meltdown, there were at least a couple of "frozen waterfall" houses that turned up in the news when the heating failed. Basements flooded, ceilings collapsed and pretty ice sculptures where you'd normally expect drywall.

    • If you're renting, it could well be.

      • by pla ( 258480 )
        If you're renting, it could well be.

        If I'm renting, I don't care about the cost of getting someone out on a Sunday morning in a blizzard to fix it, because appliances like a furnace count as 100% the problem of the landlord.

        That said, if the landlord drags his feet - A screwdriver still works just fine. Let him try to take me to court for a problem directly resulting from his own negligence.
    • by c ( 8461 )

      Most of these "smart" thermometers have some sort of presence sensing. If you target devices where someone hasn't been home for 2-3 days (say, Monday-Wednesday) you might catch people on vacation. In colder climates, killing the furnace during a cold snap while the owners are away for a couple weeks might be an effective threat.

    • which part of "theoretical dangers" do you not understand? the fact that you can take control of it remotely and have it do your bidding is the point being made.

    • COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

      Quite often there is an inverse correlation between the "smart" device and the owner, and you ARE talking about a human that needs an app to operate their thermostat so, good luck with that theory.

    • /.ers tend to forget that they are generally far more comfortable doing things like that than the average person. Would your grandmother, or sister be comfortable doing that? Or your wants-nothing-to-do-with-wiring-stuff son?

      But that sidesteps the bigger point in that this shouldn't even be a concern. It's a thermostat, this feature creep crap is getting out of hand and we'll be lucky to live through it.

      • Do not underestimate grandmothers; granted, some of the younger ones nowadays maybe, but those who grew up in the Depression actually have skills. My grandmother plays the sweet old grandma who is into sewing, knitting, house plants, and cooking most of the time, but over the years you find out that she can handle herself just fine around tools, machines, firearms, and wild animals as well.
    • by Megane ( 129182 )
      It is also completely impossible to make a smart thermostat that doesn't expose itself to inbound connections from everywhere. I have one that connects out to the cloud service every 3-5 minutes. (It also doesn't have a fancy color display for those l33t pwnz0r screens.) So when you make a change from their web page it may take a few minutes before it happens, but it's not being a port slut to every kiddie scan out there.
  • by BronsCon ( 927697 ) <social@bronstrup.com> on Monday August 08, 2016 @11:01AM (#52664755) Journal
    Hmm... Pay you hundreds of dollars, or replace the damn thing with a $20 model you can't hack remotely. Seems an easy choice for me.
    • A thermostat is probably a bad example, but take e.g. an oven that may be able to cause a fire or a car that may kill you on the road. Also, larger deployments will be more inclined to pay, e.g. for a company a $5000 ransom may be cheaper than having to replace all 200 thermostats in its various rooms.

      • How much would you pay to get back into your house at 11:30pm on a Saturday night when it's 20 below zero outside and your smart locks have all been hacked? No need for a $5k ransom - it needs only be a couple hundred dollars, repeated many times, to be profitable.

        Or in the case of a thermostat, a remote override that switches a heater on full blast on a hot summer day or - better yet - begins switching between heating and cooling on a heat pump, which will burn out the compressor in under an hour and cost

        • Looks like no more than about $70 [homedepot.com], because otherwise I will just pound a slotted screwdriver into the lock and attach a pair of vice grips to the screwdriver and shear the pins in the tumbler. Then again, I wouldn't buy a smart lock either.
        • I would pay the $75 it costs to get a locksmith to come over and spend 5 minutes opening my lock. Plus the cost of the locksmith removing the smart locks and putting some locks that aren't going to cost me future calls to the locksmith.

          After all, I'm going to have to have the locks replaced anyway so no sense paying a ransom AND paying a locksmith vs just paying the locksmith.

          I can sit in my car with the heater running while I'm waiting in the cold weather for the locksmith to show up.

          Or worst case, I'll b

      • $5000 one time might be cheaper, but you're still vulnerable and it'll happen again next week. $5000 + the cost of replacing thermostats when you learn this fact is still more than the cost of replacing the thermostats in the first place.

        But, you did answer my question. Idiots will pay it.

        It's not like your irreplaceable (because who has proper backups) files on your computer, which is how they're able to demand $5000 to unlock a $600 computer. Your favorite recipes won't be lost when your oven gets hac
      • by pla ( 258480 ) on Monday August 08, 2016 @11:35AM (#52665025) Journal
        Not sure how an oven - Or a refrigerator - Or anything else, for that matter, involves a substantially different solution:

        The IoT is a bad idea, period. I don't need any appliance in my house to have internet access, and will actively go out of my way to make damned sure they don't.

        And before someone says "eventually you won't have any choice" - Of course we will. We might pay a bit extra for the "marine" or "remote cabin" version, but as long as someone has a use case requiring offline use, that will remain an option.
        • And before someone says "eventually you won't have any choice" - Of course we will. We might pay a bit extra for the "marine" or "remote cabin" version, but as long as someone has a use case requiring offline use, that will remain an option.

          Eventually, the power company will want the right to turn your appliances on and off remotely to handle demand whether you like it or not, and there might well be legislation to make it illegal to hook equipment without remote control up to the grid.

          • by pla ( 258480 )
            Eventually, the power company will want the right to turn your appliances on and off remotely to handle demand whether you like it or not, and there might well be legislation to make it illegal to hook equipment without remote control up to the grid.

            Oddly, I agree with you to the extent that I see exactly that as a much more unavoidable risk than random hackers.

            Fortunately, the utility companies have less than 20 years left before solar (or more accurately, storage, since PV itself has already gotten "
      • >Also, larger deployments will be more inclined to pay, e.g. for a company a $5000 ransom may be cheaper than having to replace all 200 thermostats in its various rooms.

        Only if they're short-sighted fools. The insecure devices have to be updated or replaced. Paying the ransom will not secure the thermostats against tomorrow's attack. They need the manufacturer to replace the firmware to fix the lockout and secure against future attacks, or to replace them with a better brand.
      • Paying a ransom without fixing the vulnerability is not going to be cheaper.

        So you pay to fix the problem and ignore the hacker's demands.

    • by cfalcon ( 779563 )

      Ok, but repeat this physical replacement drama for pieces of the stove, the fridge, the internals of the AC once some jackass decides it needs to be firmware updatable from factory, the TV, the front and back doors, the garage door, the stereo, the toilets, and the shower.

      There's always a way to fix a problem. This article *should* make you ask the question- do you want to inject more problem-vectors into everyone's life?

      • This article *should* make you ask the question- do you want to inject more problem-vectors into everyone's life?

        Okay, so we're in agreement and you just don't see it.

        The whole premise of my comment was to replace the hacked item with one which could not be hacked (e.g. a "dumb" model). Or, more to the point, don't install the hackable "smart" version in the first place.

        Do you see it now?

    • by sjames ( 1099 )

      It's the dead of winter at home, but you are vacationing on the sunny beach of some Island nation somewhere for the next 2 weeks. You get the ransom notice, do you cancel the vacation and eat all the pre-paid costs as well as pay for the expensive I need to fly NOW flight home to install that $20 thermostat from Home Depot, or do you pay the ransom?

      • I suppose I'd ask my trusted friend, who has a key to my home and has agreed to keep an eye on things for me while I'm gone, pop in and replace the thermostat for me. Don't you have friends?

        Of course, that assumes they'd have my email address and not just display the ransom notice on the thermostat itself. Know what's funny about your hypothetical situation? They display the ransom notice on the device itself. I guess I'd just come home to find... well, I live in California, so I'd find that everything wa
  • by wcrowe ( 94389 ) on Monday August 08, 2016 @11:06AM (#52664793)

    This is why I don't understand the rush to have all these IOT devices in the house. I have a couple, but they are isolated, and if they were hacked I could still function without them. There seems to be a rush to have everything, from the washing machine, to the microwave, to the toaster hooked to the internet, and there seems to be even a push to build these devices so that they do not function without an internet connection. I used to be baffled as to why consumers would even want such things. But, of course, it is not the consumers who want all this IOT, but the vendors who sell the devices and the services, trying to turn us into the product.

    • I shove anything like this on a DMZ with limited access. If it doesn't work without unfettered access to the Internet, I return it. Then again, I consider all devices untrusted unless I have complete control, including the ability to flash them to an arbitrary firmware.

      The IoT isn't going to make much progress with me.

      • Except in this case, the hack requires you to insert an SD card into the thermostat. So DMZ or no, you could be hacked. Although given you have a DMZ, I seriously doubt you'd be tricked into sticking some unknown SD card into the unit. Basically the article is hype. It is not an exploit if I have to load something into my thermostat. Who would even bother? A phone sure, but a thermostat????

      • I don't think DMZ means what you think it means.

        You want it behind a firewall that tightly controls what can talk to it and what can talk to it.

        • by HBI ( 604924 )

          I think you made a "who" a "what". And I understand entirely what a DMZ is. It's exactly where a device like this belongs, with carefully defined ability to communicate with particular hosts - and assuredly with no inbound access to the internal network. If you can't clearly define what communications it needs, it's getting removed from the network.

    • Because there's not really any other selling angle to household appliances. Those damn things last way too long. It's not like with your TV where you want to get a new one every other year so you can see the wrinkles in your favorite porn star's face or ass in higher resolution or the constant format change in content carrying media that keeps you buying a new player. A fridge pretty much lasts, well, nearly forever. And you don't replace it until it is simply and plainly broken.

      We need something to make yo

    • by Anonymous Coward on Monday August 08, 2016 @12:05PM (#52665257)

      A lot of people are glossing over that the newer models with IoT thermostats have much more complicated control systems because the compressor and fan have different power settings. Thus, the signal-to-activation connection is no longer a binary controller that can be hot wired.

      We live near but not in Washington D.C. When we installed new HVAC units we had the option of taking a wireless or regular thermostat, to which I elected "very strongly" to have the regular one or else I would cut the antennas out. The HVAC guy looked up with any amount of shock and said that the last two installs he did the people said the same thing. One was at the CIA and the other at the FBI (according to the HVAC guy. I'm in the DoD).

      Most people just see the functionality, not the risk. No one understands the risk until it becomes a reality. I have tried multiple times to get people to understand this and they refuse. Setting up a computer is no different for the layman---they fiddle with it until it works and stop as soon as it does. Doesn't matter that the firewall is fully open now and sharing is on. It works, and that's all that counts. I'd wager the same goes with IoT. It's about what can be done, not what might happen that you didn't expect.

    • I used to be baffled as to why consumers would even want such things. But, of course, it is not the consumers who want all this IOT, but the vendors who sell the devices and the services, trying to turn us into the product.

      I agree that I can't understand the desire for many IoT devices, but internet control for a thermostat does make a certain amount of sense, particularly for those who are frequently out of town or take long vacations. In those cases, getting an alert that your thermostat is no longer responding correctly could make the difference between realizing your heat or A/C is busted immediately vs. dealing with potentially tens of thousands of dollars in water damage (from frozen pipes in winter), mold damage, or w

    • by sjames ( 1099 )

      It is all marketing crap. I can't think of a reason I want any of my appliances talking to anything outside of my LAN, ever.

      In the unlikely event I might want to talk to my appliances when I'm not right there, I would rather talk to a well updated server over the net and let it talk to the appliances. Sadly, that is what they make impossible by insisting on proprietary protocols and certs signed by them. So, that leaves the default of no networked anything.

      At least I won't get hacked by the Cylons :-)

  • by omnichad ( 1198475 ) on Monday August 08, 2016 @11:09AM (#52664813) Homepage

    Sure, there are malicious cases for this. But most IoT devices like smart thermostats are a bit too dumbed down and don't even operate correctly without an external Internet connection. Their broken security is about the only way to get a proper level of functionality.

  • by kheldan ( 1460303 ) on Monday August 08, 2016 @11:54AM (#52665183) Journal

    One day, your thermostat will get hacked by some cybercriminal

    No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.

    • One day, your thermostat will get hacked by some cybercriminal

      No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.

      Vendor Marketeers: "There's not a single good reason our products should be offline!"

      Good luck fighting it.

      • There will ALWAYS be a market for simple, functional, inexpensive products. If not, I'll fucking build it myself. A thermostat is not complicated. Now quit with the retarded trolling.
        • A simple thermostat certainly isn't complicated. But it is very expensive to have a simple thermostat in many areas of the country.

          Add a tiny bit of smarts like changing the setpoints based on the time of day and day of the week and you can save thousands of dollars a year in areas of the country where time of day electric rates make off peak electricity 1/4th the cost of on peak electricity.

          Even smarter thermostats let me tell my thermostat remotely at a vacation home that I'm coming for the weekend and

    • by b0bby ( 201198 )

      there's not a single damned good reason why these NEED to be connected to the Internet.

      Need is a stretch, but there are some compelling uses for an internet connected thermostat. I'm thinking second home, where you want to be able to adjust the thermostat remotely, after your short term renters leave. Sure, it's not imperative, but the positives outweigh the (so far) theoretical negatives. I have an ecobee, and being able to set it to vacation when I'm already an hour away is pretty nice. If it gets hacked, I'll unplug it. Meantime, it has a remote temp sensor so my upstairs temperature is mu

      • by Megane ( 129182 )
        It can also let you know when a house in another city is having HVAC trouble. But there's still no need for it to be exposed to the live internet, when it can simply poll a cloud service every few minutes for updates.
    • One day, your thermostat will get hacked by some cybercriminal

      No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.

      Unless the only things you have hooked to your TV are an antenna and a DVD player the chances are it already is connected to the Internet or whatever you are using to view videos is connected. There are great reasons to connect a TV to the internet, watching all the content you can get from the internet.

      A smart dishwasher might be sending sensor information to the manufacturer where early signs of failure can be identified and you alerted prior to the dishwasher failing.

      A microwave oven might have a voice

  • Oh, Internet-of-Endlessly-Exploitable-Things, ah love yew! (heart emoji x 1000)

    Every day a new exploit, it's like an all-you-can-eat buffet of terrible shit, served fresh and piping hot.

  • Embedded stuff needed to have OS updates that are on their own and that come out faster than the app update.

    At least some embedded stuff is ARM with cut-down Linux-based OSes. But others are full PCs running a big Linux install or even Windows with a custom app on top of it. And with a lot of them you need to wait for the app part to be updated before the underlying OS gets fixed, even for just OS security fixes, as the updates just come as full install images.

    Some embedded systems have SD cards that can have their OS hacked, and the hack can stay on the system even after power off, unlike others where it's flashed with a small NVRAM area that just holds settings/logs.

  • Until we start treating hackers who maliciously destroy people's lives like we do kidnappers or people who throw rocks through your window, this kind of thing is going to keep getting worse. People treat hacking like a hobby where you can cause thousands or millions of dollars in damage with almost no chance of getting caught and with lackluster penalties if you do.
  • I've said this before but it needs to be said again. The benefits of a thermostat being an Internet of things device as opposed to a LAN-only device is minimal. The main benefit to these smarter thermostats is just that you can configure them from a web page. This is easier than the older ones with a tiny LCD screen and a small number of buttons. The thing is that many devices such as printers and broadband routers have embedded web pages that demonstrate how you can handle configuration web pages inter
  • My power company called, last year, to offer me one. I told them not under any circumstances.

    mark, who remembers when the 'Net was civilized

  • If they hold your thermostat ransom for $300, why not just use the $300 to buy a new thermostat and tell the hackers to get lost? I can pick up the Nest Thermostat at my local big box home improvement store today for $249.99; why would I pay more to the hackers?

    Granted, my thermostat cost a lot less than that - and doesn't have the fancy features of the nest - but if I was someone inclined to purchase a thermostat for $300 I don't see why I would pay the same amount to get it back from hackers if I cou
    • Not only that, when you pay ransom you have no guarantee at all that they will fulfill their promises. They might just take your money and leave you hanging with a dead thermostat. Since they are already the scum of the Earth, why think they would ever give you control back?
    • What makes more sense is:

      1) Write an automated hack for some company's thermostats (I'm sure most of these companies have some report home feature that means you could get them all in one once you scoop up their list)
      2) Wait till terrible weather time (January in the US)
      3) Pwn all 500k of the units in people's houses
      4) Set the ransom somewhere low like $5-10
      5) Profit

  • ... when you are in control of the device's internet connectivity, and can put it behind a firewall and a private-only IP that will permit outgoing access only, similar to a NAT. If that causes the device to behave badly, then the device is already broken and useless. If you want to control the device from outside of your firewall, you can still do so via a secured system that is behind the firewall that *can* accept incoming connections, where any incoming connection to the other system can go through
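A concrete version of the egress-only setup described in the DMZ sub-thread above (a device "with carefully defined ability to communicate with particular hosts", a thermostat that only polls its cloud service every few minutes) and in the comment just above (private IP, outgoing access only). This is an added example, not from any commenter or from Pen Test Partners: an nftables ruleset for a home router with a separate IoT segment. Interface names, subnets, the thermostat address and the cloud address range are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: egress-only policy for an IoT segment on a Linux router.
# Assumptions (all constructed): IoT devices sit on VLAN interface "iot0"
# (10.10.20.0/24), the trusted LAN is 192.168.1.0/24 on "lan0", the WAN
# uplink is "wan0", and the thermostat's vendor cloud lives in the
# placeholder range 203.0.113.0/24 (replace with the real endpoint).

flush ruleset

define IOT_IF     = "iot0"
define LAN_IF     = "lan0"
define WAN_IF     = "wan0"
define THERMOSTAT = 10.10.20.50
define CLOUD_NET  = 203.0.113.0/24

table inet iot_policy {
    # Vendor endpoints the thermostat is allowed to poll. Keep this list
    # short: every entry is a host that can push a firmware or config change.
    set cloud_allow {
        type ipv4_addr
        flags interval
        elements = { $CLOUD_NET }
    }

    # Traffic to the router itself: the IoT segment only gets DHCP and DNS.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN_IF accept
        iifname $IOT_IF udp dport { 53, 67 } accept
        iifname $IOT_IF tcp dport 53 accept
    }

    # Transit traffic. Default drop means nothing on the Internet can open
    # a connection to the IoT segment: the device must initiate every flow.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to the device's own outbound polls are allowed back in.
        ct state established,related accept

        # IoT -> LAN is never allowed, so a compromised device cannot pivot.
        iifname $IOT_IF oifname $LAN_IF drop

        # IoT -> Internet: only TLS to the allow-listed cloud hosts, plus NTP.
        iifname $IOT_IF oifname $WAN_IF ip saddr $THERMOSTAT \
            ip daddr @cloud_allow tcp dport 443 accept
        iifname $IOT_IF oifname $WAN_IF udp dport 123 accept

        # Anything else the device tries is logged (rate-limited) and dropped.
        # A new destination showing up here is the signal that the device's
        # behaviour changed, which is exactly what you want to notice.
        iifname $IOT_IF limit rate 10/minute log prefix "iot-egress-denied: "
        iifname $IOT_IF drop

        # The trusted LAN reaches the Internet normally. LAN -> IoT is also
        # blocked by the default policy; manage the device through the
        # vendor's own cloud path or a dedicated jump host you add yourself.
        iifname $LAN_IF oifname $WAN_IF accept
    }
}
```

A device that stops working under this policy is, as the comment above puts it, already broken for this purpose; the denied-egress log line tells you which host it insisted on reaching.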
  • Anyone who responds would go on a hacker sucker list.

    What's next, someone is going to hack a lightbulb and demand $100 or threaten to leave it on 24/7?
