Hackers Make the First-Ever Ransomware For Smart Thermostats

Lorenzo Franceschi-Bicchierai, writing for Motherboard: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars. This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a "smart" device, in this case, a thermostat. Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger. "We don't have any control over our devices, and don't really know what they're doing and how they're doing it," Tierney told Motherboard. "And if they start doing something you don't understand, you don't really have a way of dealing with it." Tierney and Munro, who both work UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in security world.

Yes, because it would be

[The Cisco Kid]

COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

Re:Yes, because it would be

[Anonymous Coward]

Actually on my furnace you cannot connect a conventional thermostat. The thermostat talks to the furnace over RS-485 with a proprietary protocol. Now lucky for me it's not a 'smart' internet connected device. But depending on the installation the option of putting in a dumb thermostat may not exist.

Re:Yes, because it would be

[Anonymous Coward]

Why the fuck did you buy that?

Re:

[cfalcon]

I mean, look at how many compromises we make with our computers and computer programs. And many of us are computer professionals. Even if you do go through hoops to have your computer be pretty much perfect, that's because of a passion about that. I don't think anyone has everything set up perfectly, and the mere existence of these things in the market place means that many people are going to end up with them, unless they are passionate haters.

For my part, I actually got a new furnace and AC recently, a

Re:

[DRJlaw]

For my part, I actually got a new furnace and AC recently, and I brought up that I didn't want any networking technology, and that an analog ("mechanical") thermostat would be ideal. He was easily able to accommodate the first, but the "mechanical" thermostats were a pain- they were rare and way more expensive because there's not much market for them. What will that conversation sound like in twenty years?

The first requirement is understandable. The second, I just don't get. I installed a bog-standard Hon

Re:

[tlhIngan]

For my part, I actually got a new furnace and AC recently, and I brought up that I didn't want any networking technology, and that an analog ("mechanical") thermostat would be ideal. He was easily able to accommodate the first, but the "mechanical" thermostats were a pain- they were rare and way more expensive because there's not much market for them. What will that conversation sound like in twenty years?

That's because "dumb" programmable thermostats have basically become the norm - the old analog ones wor

Re:

[Megane]

He's not talking about "exacting specifications", he's talking about the standard fucking 4- or 5-wire connection that most normal thermostats have been using for decades. (The one that somehow operates relays off of 24VAC.) It's a weird spec, but it's a well known one. Even then, there are still home HVAC manufacturers out there that insist on their own special snowflake wiring.

Re:

[Anonymous Coward]

Yes, i'm sure the smart thermostat vendor has a line dedicated for hacked thermostats. And if they don't, I'm sure their technical support folks will have no problem getting past the "is your thermostat connected? No? Then you must connect it for us to help you" part of their script.

3 days later, you might get to someone in engineering who will say, yup, we raised this at our management meeting. Them marketing folks didnt care. Can't help you.https://it.slashdot.org/story/16/08/08/1449221/hackers-make-t

Re:

[swb]

Harder to do when you're in Florida and its -20F at home.

Pay the ransom or run the risk of burst pipes and destroyed interiors from water damage.

During the mortgage meltdown, there were at least a couple of "frozen waterfall" houses that turned up in the news when the heating failed. Basements flooded, ceilings collapsed and pretty ice sculptures where you'd normally expect drywall.

Re:

[Opportunist]

If you're renting, it could well be.

Re:

[pla]

If you're renting, it could well be.

If I'm renting, I don't care about the cost of getting someone out on a Sunday morning in a blizzard to fix it, because appliances like a furnace count as 100% the problem of the landlord.

That said, if the landlord drags his feet - A screwdriver still works just fine. Let him try to take me to court for a problem directly resulting from his own negligence.

Re:

[c]

Most of these "smart" thermometers have some sort of presence sensing. If you target devices where someone hasn't been home for 2-3 days (say, Monday-Wednesday) you might catch people on vacation. In colder climates, killing the furnace during a cold snap while the owners are away for a couple weeks might be an effective threat.

Re:

[Gravis Zero]

which part of "theoretical dangers" do you not understand? the fact that you can take control of it remotely and have it do your bidding is the point being made.

Re:

[geekmux]

COMPLETELY impossible to unscrew the smart thermostat from the wall, unwire it, and (temporarily) install a traditional non-networked thermostat so you could operate your heat (or AC) while you contact the vendor or manufacturer of the smart thermostat for help.

Quite often there is an inverse correlation between the "smart" device and the owner, and you ARE talking about a human that needs an app to operate their thermostat so, good luck with that theory.

Re:

[barc0001]

/.ers tend to forget that they are generally far more comfortable doing things like that than the average person. Would your grandmother, or sister be comfortable doing that? Or your wants-nothing-to-do-with-wiring-stuff son?

But that sidesteps the bigger point in that this shouldn't even be a concern. It's a thermostat, this feature creep crap is getting out of hand and we'll be lucky to live through it.

Re:

[Bob the Super Hamste]

Do not underestimate grandmothers, granted some of the younger ones now days maybe, but those who grew up in the depression actually have skills. My grandmother plays the sweet old grandma who is into sewing, knitting, house plants, and cooking most of the time but over the years you find out that she can handle herself just fine around tools, machines, firearms, and wild animals as well.

Re:

[Megane]

It is also completely impossible to make a smart thermostat that doesn't expose itself to inbound connections from everywhere. I have one that connects out to the cloud service every 3-5 minutes. (It also doesn't have a fancy color display for those l33t pwnz0r screens.) So when you make a change from their web page it may take a few minutes before it happens, but it it's not being a port slut to every kiddie scan out there.

Re:Yes, because it would be

[tripleevenfall]

Probably capable of calling a person to install a $25 thermostat and paying them one hour of labor to do so.

Emergency service call costs

[Overzeetop]

Do you have any idea what a licensed installer charges for an emergency visit on a Sunday morning? That $25 thermostat is $50 because you don't get to buy the one that's on sale at Home Depot, and the cost to knock on your door is going to be close to $150, and then the rate ticks forward at $100/hr. And at the end of your $300 emergency service call, you'll be left with a dumb thermostat and a $200 paperweight.

Re:Emergency service call costs

[Waffle Iron]

In the worst case, they could just unscrew the wires from the thermostat and clip the bare ends together with a clothespin to turn on the furnace. That would at least keep the pipes from freezing and cost $0.

Re:

[Frosty Piss]

In the worst case, they could just unscrew the wires from the thermostat and clip the bare ends together with a clothespin to turn on the furnace. That would at least keep the pipes from freezing and cost $0.

"Smart" thermostats ofter communicate with the furnace / cooling via a cat-6 or some other type of communications cable, they are rarly just a switch. On the other hand, you can often buy them at Home Depot / Lowes, and just install a new one yourself and then maybe reset the old one to factory.

Re:

[Anonymous Coward]

>"Smart" thermostats ofter communicate with the furnace / cooling via a cat-6 or some other type of communications cable

No, these smart thermostats are simple replacements, not something requiring a computerized furnace.

Communication protocol

[sjbe]

"Smart" thermostats ofter communicate with the furnace / cooling via a cat-6 or some other type of communications cable, they are rarly just a switch.

No they do not. Retrofitting a cat6 (overkill) cable to run to the HVAC in an existing house would be prohibitively expensive and/or time consuming. They communicate with the HVAC via the same set of wires a "dumb" thermostat would use and gets power over the same cables. They generally communicate with the network via wifi. Nest even kindly color codes everything so that someone who isn't a a licensed technician can do the job.

Re:

[stabiesoft]

The carrier infinity line uses a derivative of RS-485 to allow two wire communications. How do I know? Because I have a carrier unit right now that communicates with the outside condenser unit over the original dumb pair of unshielded standard thermostat wires. The outdoor unit is a 2 speed unit, and reports such things as coil temperature and fault codes to the thermostat. A somewhat negative side effect of this is the outdoor unit now needs a power supply which runs all the time to power the interface. If

Re:

[guruevi]

Never seen one like that and I own and have researched many 'smart' thermostats. Mine and most IoT devices also doesn't just sit exposed to the Internet, not sure why anyone would spend a public IP (because those things sure as hell don't do IPv6) on a thermostat.

Re:

[Frosty Piss]

Consumer HVAC systems are not intelligent.

Modern as in :new" ones certainly are, and the communications between the "switch" is today more often than not just a little tiny bit more than On/Off ...

Re:

[Lord Apathy]

I doubt that most people could do that. To a lot of people something as simple as thermostat might as well be magic to them.

Re: Emergency service call costs

[WarJolt]

Somehow I feel like in order to graduate from high school one requirement should be to realize thermostats aren't magic. Too bad we can't revoke HS diplomas. Many Americans don't know cell phones work using radios. It's a bit troubling that a 30 minute electricity experiment performed at an elementary school level can provide the necessary insight into the operations of a thermostat and yet most Americans can't figure this shit out.

Re:

[UnknownSoldier]

Part of problem is that people have more money then time.

They would rather remain ignorant and pay someone else to solve the problem.

Re:

[AthanasiusKircher]

Somehow I feel like in order to graduate from high school one requirement should be to realize thermostats aren't magic. Too bad we can't revoke HS diplomas.

I still remember the reactions I got when I told people I replaced the basic thermostat model I had in a house when I moved in with a basic programmable model that I could setback during the day or at night for energy savings, etc.

Many people I know -- a lot of them with graduate degrees -- looked at me like I had told them I just built my own car after smelting and processing the metal from raw ore I had dug out of a mine myself. I'm frankly astounded at how few people have ANY knowledge of basic electr

Re:

[cfalcon]

> calling a person to install a $25 thermostat

Because HVAC guys are able to gear up to handle a newly enabled assault on the infrastructure they provide ("Thanks, Computer Science! For bringing all your problems everywhere, from hearth to hospital!"), show up, and have a whole ton of old school thermostats just laying around in case.

Way worse if the attack is distributed top down.

And remember: this specific attack is just about a thermostat. Other "smart" things (read: "will remotely obey your enemies

Re:

[Archangel Michael]

I am beginning to believe that "smart" devices = "dumb" humans.

Re:

[Archangel Michael]

Smart Thermostats only learn if you're predictable, you still have to figure out how to override them when they don't figure you out correctly, which can be quite annoying. "Hey, I'm not home you stupid thermostat, don't turn on the air/heat automatically" to "Hey, I stayed home today, I still have to turn the air/heat one manually" ...J

Just now, I can do it remotely, just like the hackers!

Re:

[JackieBrown]

Do you really assume every person who owns one is capable of that?

I am sure everyone is able to switch off the power breaker to their AC/Heater unit.

Re:

[kheldan]

You, I, and any number of other Slashdot readers could handle installing a thermostat for their HVAC system, even if they've never done it before; not so much for the average person, who needs to whip out a calculator for basic math, needs a YouTube video to help them change a lightbulb, and (back in the day, at least) always had "12:00" flashing on their VCR. You know, the same ones who never thought twice that their computer, one day, suddenly had Windows 10 on it? That's who these assholes will be target

Re:

[Bob the Super Hamste]

needs a YouTube video to help them change a lightbulb

Hey I've done that, granted it was for a light on the interior of my car and I didn't want to destroy anything as the little friction clips used provided a lot more friction than I thought they would have. So given that I wanted to see if there was some dumb little thing I was missing, like slip a slotted screw drive in to press a tab in or something, so that I would only be putting in a $2 bulb instead of putting a whole new light enclosure that would cost $150.

Who the f*** would pay this?

[BronsCon]

Hmm... Pay you hundreds of dollars, or replace the damn thing with a $20 model you can't hack remotely. Seems an easy choice for me.

Re:

[NotInHere]

A thermostat is probably a bad example, but take e.g. an oven that may be able to cause a fire or a car that may kill you on the road. Also, larger deployments will be more inclined to pay, e.g. for a company a $5000 ransom may be cheaper than having to replace all 200 thermostats in its various rooms.

Re:

[Overzeetop]

How much would you pay to get back into your house at 11:30pm on a Saturday night when it's 20 below zero outside and your smart locks have all been hacked? No need for a $5k ransom - it needs only be a couple hundred dollars, repeated many times, to be profitable.

Or in the case of a thermostat, a remote override that switches a heater on full blast on a hot summer day or - better yet - begins switching between heating and cooling on a heat pump, which will burn out the compressor in under an hour and cost

Re:

[Bob the Super Hamste]

Looks like no more than about $70 [homedepot.com] because other wise I will just pound a slotted screw drive into the lock and attach a pair of vice grips to the screw drive and shear the pins in the tumbler. Then again I wouldn't buy a smart lock either.

Re:

[naughtynaughty]

I would pay the $75 it costs to get a locksmith to come over and spend 5 minutes opening my lock. Plus the cost of the locksmith removing the smart locks and putting some locks that aren't going to cost me future calls to the locksmith.

After all, I'm going to have to have the locks replaced anyway so no sense paying a ransom AND paying a locksmith vs just paying the locksmith.

I can sit in my car with the heater running while I'm waiting in the cold weather for the locksmith to show up.

Or worst case, I'll b

Re:

[BronsCon]

$5000 one time might be cheaper, but you're still vulnerable ant it'll happen again next week. $5000 + the cost of replacing thermostats when you learn this fact is still more than the cost of replacing the thermostats in the first place.

But, you did answer my question. Idiots will pay it.

It's not like your irreplaceable (because who has proper backups) files on your computer, which is how they're able to demand $5000 to unlock a $600 computer. Your favorite recipes won't be lost when your oven gets hac

Re:Who the f*** would pay this?

[pla]

Not sure how an oven - Or a refrigerator - Or anything else, for that matter, involves a substantially different solution:

The IoT is a bad idea, period. I don't need any appliance in my house to have internet access, and will actively go out of my way to make damned sure they don't.

And before someone says "eventually you won't have any choice" - Of course we will. We might pay a bit a bit extra for the "marine" or "remote cabin" version, but as long as someone has a use case requiring offline use, that will remain an option.

Re:

[drinkypoo]

And before someone says "eventually you won't have any choice" - Of course we will. We might pay a bit a bit extra for the "marine" or "remote cabin" version, but as long as someone has a use case requiring offline use, that will remain an option.

Eventually, the power company will want the right to turn your appliances on and off remotely to handle demand whether you like it or not, and there might well be legislation to make it illegal to hook equipment without remote control up to the grid.

Re:

[pla]

Eventually, the power company will want the right to turn your appliances on and off remotely to handle demand whether you like it or not, and there might well be legislation to make it illegal to hook equipment without remote control up to the grid.

Oddly, I agree with you to the extent that I see exactly that as a much more unavoidable risk than random hackers.

Fortunately, the utility companies have less than 20 years left before solar (or more accurately, storage, since PV itself has already gotten "

Re:

[pla]

Oh, make no mistake, I "get" the benefit of having my home HVAC controllable remotely - Why should I need to wait fifteen minutes after getting home for the house to reach a comfortable temperature when I could remotely tell it when I leave work, and it will know exactly when to turn on for my maximum comfort?

That said, until someone can convince me otherwise, I consider the risks as massively outweighing any potential benefits.

Re:

[Jeff Flanagan]

>Also, larger deployments will be more inclined to pay, e.g. for a company a $5000 ransom may be cheaper than having to replace all 200 thermostats in its various rooms.

Only of they're short-sighted fools. The insecure devices have to be updated or replaced. Paying the ransom will not secure the thermostats against tomorrow's attack. They need the manufacturer to replace the firmware to fix the lockout and secure against future attacks, or to replace them with a better brand.

Re:

[naughtynaughty]

Paying a ransom without fixing the vulnerability is not going to be cheaper.

So you pay to fix the problem and ignore the hacker's demands.

Re:

[cfalcon]

Ok, but repeat this physical replacement drama for pieces of the stove, the fridge, the internals of the AC once some jackass decides it needs to be firmware updatable from factory, the TV, the front and back doors, the garage door, the stereo, the toilets, and the shower.

There's always a way to fix a problem. This article *should* make you ask the question- do you want to inject more problem-vectors into everyone's life?

Re:

[BronsCon]

This article *should* make you ask the question- do you want to inject more problem-vectors into everyone's life?

Okay, so we're in agreement and you just don't see it.

The whole premise of my comment was to replace the hacked item with one which could not be hacked (e.g. a "dumb" model). Or, more to the point, don't install the hackable "smart" version in the first place.

Do you see it now?

Re:

[sjames]

It's the dead of winter at home, but you are vacationing on the sunny beach of some Island nation somewhere for the next 2 weeks. You get the ransom notice, do you cancel the vacation and eat all the pre-paid costs as well as pay for the expensive I need to fly NOW flight home to install that $20 thermostat from Home Depot, or do you pay the ransom?

Re:

[BronsCon]

I suppose I'd ask my trusted friend, who has a key to my home and has agreed to keep an eye on things for me while I'm gone, pop in and replace the thermostat for me. Don't you have friends?

Of course, that assumes they'd have my email address and not just display the ransom notice on the thermostat itself. Know what's funny about your hypothetical situation? They display the ransom notice on the device itself. I guess I'd just come home to find... well, I live in California, so I'd find that everything wa

Re:

[MyLongNickName]

Untrue. A quick search finds I can go lower than $20 for a simple model. This one is $15, and several other models were under $20.

http://www.homedepot.com/p/Lux... [homedepot.com]

Re:

[pr0fessor]

You have never been to homedepot they start around $10 for a non-digital thermostat and go up...

From consumers to products

[wcrowe]

This is why I don't understand the rush to have all these IOT devices in the house. I have a couple, but they are isolated, and if they were hacked I could still function without them. There seems to be a rush to have everything, from the washing machine, to the microwave, to the toaster hooked to the internet, and there seems to be even a push to build these devices so that they do not function without an internet connection. I used to be baffled as to why consumers would even want such things. But, of course, it is not the consumers who want all this IOT, but the vendors who sell the devices and the services, trying to turn us into the product.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[stabiesoft]

Except in this case, the hack requires you to insert an SD card into the thermostat. So DMZ or no, you could be hacked. Although given you have a DMZ, I seriously doubt you'd be tricked into sticking some unknown SD card into the unit. Basically the article is hype. It is not an exploit if I have to load something into my thermostat. Who would even bother? A phone sure, but a thermostat????

Re:

[naughtynaughty]

I don't think DMZ means what you think it means.

You want it behind a firewall that tightly controls what can talk to it and what can talk to it.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

Because there's not really any other selling angle to household appliances. Those damn things last way too long. It's not like with your TV where you want to get a new one every other year so you can see the wrinkles in your favorite porn star's face or ass in higher resolution or the constant format change in content carrying media that keeps you buying a new player. A fridge pretty much lasts, well, nearly forever. And you don't replace it until it is simply and plainly broken.

We need something to make yo

Re:From consumers to products

[Anonymous Coward]

A lot of people are glossing over that the newer models with IoT thermostats have much more complicated control systems because the compressor and fan have different power settings. Thus, the signal-to-activation connection is no longer a binary controller that can be hot wired.

We live near but not in Washington D.C. When we installed new HVAC units we had the option of taking a wireless or regular thermostat, to which I elected "very strongly" to have the regular one or else I would cut the antennas out. The HVAC guy looked up with any amount of shock and said that the last two installs he did the people said the same thing. One was at the CIA and the other at the FBI (according to the HVAC guy. I'm in the DoD).

Most people just see the functionality, not the risk. No one understands the risk until it becomes a reality. I have tried multiple times to get people to understand this and they refuse. Setting up a computer is no different for the layman---they fiddle with it until it works and stop as soon as it does. Doesn't matter that the firewall is fully open now and sharing is on. It works, and that's all that counts. I'd wager the same goes with IoT. It's about what can be done, not what might happen that you didn't expect.

Re:

[AthanasiusKircher]

I used to be baffled as to why consumers would even want such things. But, of course, it is not the consumers who want all this IOT, but the vendors who sell the devices and the services, trying to turn us into the product.

I agree that I can't understand the desire for many IoT devices, but internet control for a thermostat does make a certain amount of sense, particularly for those who are frequently out of town or take long vacations. In those cases, getting an alert that your thermostat is no longer responding correctly could make the difference between realizing your heat or A/C is busted immediately vs. dealing with potentially tens of thousands of dollars in water damage (from frozen pipes in winter), mold damage, or w

Re:

[sjames]

It is all marketing crap. I can't think of a reason I want any of my appliances talkking to anything outside of my LAN, ever.

In the unlikely event I might want to talk to my appliances when I'm not right there, I would rather talk to a well updated server over the net and let it talk to the appliances. Sadly, that is what they make impossible by insisting on proprietary protocols and certs signed by them. So, that leaves the default of no networked anything.

At least I won't get hacked by the Cylons :-)

I actually prefer it hackable

[omnichad]

Sure, there are malicious cases for this. But most IoT devices like smart thermostats are a bit too dumbed down and don't even operate correctly without an external Internet connection. Their broken security is about the only way to get a proper level of functionality.

Re:

[Megane]

I've got two in different houses. I'm moving out of one of those houses, and the thermostat will come with me, even if I don't have a place for it right away. They also support a JSON local control protocol, so they won't be bricks if/when the cloud service dies.

Re:

[samwichse]

Nest will work just fine with no internet connection.

Hackers chatge Alphaben I.O.T. = FUcking Nightmare

[burni2]

I F
O U
T N

Bullshit, never going to happen

[kheldan]

One day, your thermostat will get hacked by some cybercriminal

No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.

Re:

[geekmux]

One day, your thermostat will get hacked by some cybercriminal

No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.

Vendor Marketeers: "There's not a single good reason our products should be offline!"

Good luck fighting it.

Re:

[kheldan]

There will ALWAYS be a market for simple, functional, inexpensive products. If not, I'll fucking build it myself. A thermostat is not complicated. Now quit with the retarded trolling.

Re:

[naughtynaughty]

A simple thermostat certainly isn't complicated. But is it very expensive to have a simple thermostat in many areas of the country.

Add a tiny bit of smarts like changing the setpoints based on the time of day and day of the week and you can save thousands of dollars a year in areas of the country where time of day electric rates make off peak electricity 1/4th the cost of on peak electricity.

Even smarter thermostats let me tells my thermostat remotely at a vacation home that I'm coming for the weekend and

Re:

[b0bby]

there's not a single damned good reason why these NEED to be connected to the Internet.

Need is a stretch, but there are some compelling uses for an internet connected thermostat. I'm thinking second home, where you want to be able to adjust the thermostat remotely, after your short term renters leave. Sure, it's not imperative, but the positives outweigh the (so far) theoretical negatives. I have an ecobee, and being able to set it to vacation when I'm already an hour away is pretty nice. If it gets hacked, I'll unplug it. Meantime, it has a remote temp sensor so my upstairs temperature is mu

Re:

[Megane]

It can also let you know when a house in another city is having HVAC trouble. But there's still no need for it to be exposed to the live internet, when it can simply poll a cloud service every few minutes for updates.

Re:

[naughtynaughty]

One day, your thermostat will get hacked by some cybercriminal

No, it won't: I'm not falling for the 'Internet of Things' troll/meme. You won't be hacking my thermostat, lightbulbs, dishwasher, microwave oven, clothes washer, clothes dryer, television, or any other household appliance because there's not a single damned good reason why these NEED to be connected to the Internet.

Unless the only things you have hooked to your TV are an antenna and a DVD player the chances are it already is connected to the Internet or whatever you are using to view videos is connected. There are great reasons to connect a TV to the internet, watching all the content you can get from the internet.

A smart dishwasher might be sending sensor information to the manufacturer where early signs of failure can be identified and you alerted prior to the dishwasher failing.

A microwave oven might have a voice

Lol, oh my

[JustAnotherOldGuy]

Oh, Internet-of-Endlessly-Exploitable-Things, ah love yew! (heart emoji x 1000)

Every day a new exploit, it's like an all-you-can-eat buffet of terrible shit, served fresh and piping hot.

embedded need to have os updates that are on there

[Joe_Dragon]

embedded stuff needed to have os updates that are on there own that come out faster then the app update.

At least some embedded stuff is ARM with cut down linux based os's. But others are full pc's running a big linux install or even windows with a custom app on top of it. And if them alot for the time you need to wait from the app part to be updated before the under lining os get's fixed even for just os security fixes. As the updates just come as full install images.

Some embedded systems have sd cards that can have there os hacked and the hack can stay on the system even after power off. Unlike others where it's flashed with a small nvram area that just holds settings / logs.

Consequences

[DidgetMaster]

Until we start treating hackers who maliciously destroy people's lives like we do kidnappers or people who throw rocks through your window, this kind of thing is going to keep getting worse. People treat hacking like a hobby where you can cause thousands or millions of dollars in damage with almost no chance of getting caught and with lackluster penalties if you do.

Little benefit to IoT

[Shadow IT Ninja]

I've said this before but it needs to be said again. The benefits of a thermostat being an Internet of things device as opposed to a LAN-only device is minimal. The main benefit to these smarter thermostats is just that you can configure them from a web page. This is easier than the older ones with a tiny LCD screen and a small number of buttons. The thing is that many devices such as printers and broadband routers have embedded web pages that demonstrate how you can handle configuration web pages inter

Just because we can, doesn't mean we should

[whitroth]

My power company called, last year, to offer me one. I told them not under any circumstances.

            mark, who remembers when the 'Net was civilized

Sounds short-sighted to me

[damn_registrars]

If they hold your thermostat ransom for $300, why not just use the $300 to buy a new thermostat and tell the hackers to get lost? I can pick up the Nest Thermostat at my local big box home improvement store today for $249.99; why would I pay more to the hackers?

Granted, my thermostat cost a lot less than that - and doesn't have the fancy features of the nest - but if I was someone inclined to purchase a thermostat for $300 I don't see why I would pay the same amount to get it back from hackers if I cou

Re:

[DidgetMaster]

Not only that, when you pay ransom you have no guarantee at all that they will fulfill their promises. They might just take your money and leave you hanging with a dead thermostat. Since they are already the scum of the Earth, why think they would ever give you control back?

Re:

[samwichse]

What makes more sense is:

1) Write an automated hack for some company's thermostats (I'm sure most of these companies have some report home feature that means you could get them all in one once you scoop up their list)
2) Wait till terrible weather time (January in the US)
3) Pwn all 500k of the units in people's houses
4) Set the ransom somewhere low like $5-10
5) Profit

IOT *only* makes some sense....

[mark-t]

... when you are in control of the device's internet connectivity, and can put it behind a firewall and a private-only IP that will permit outgoing access only, similar to a NAT. If that causes the device to behave badly, then the device is already broken and useless. If you want to control the device from outside of your firewall, you can still do so via a secured system that is behind the firewall that *can* accept incoming connections, where any incoming connection to the other system can go through

A few hundred dollars?

[naughtynaughty]

Anyone who responds would go on a hacker sucker list.

What's next, someone is going to hack a lightbulb and demand $100 or threaten to leave it on 24/7?

Re:Bitcoin

[sirber]

You can send me 1 bitcoin to get a +1 score

Re: Bitcoin

[fyngyrz]

You forgot "cloud."

Re:

[slashrio]

No he didn't. Bitcoin and tor work against vested interests and therefore 'need' to be outlawed. The Cloud doesn't.

Re:

[gtall]

Errr....Tor was (and still is) supported by the U.S. Naval Research Laboratory which, last we checked, was under the Office of Naval Research of the U.S. Navy. So Tor is being developed to work against which vested interest exactly? Maybe if you took a fixed point in the right space, you'd get the answer you want to believe, but I doubt it.

Re:

[fyngyrz]

Yeah, he did. The cloud is the perfect petri dish for fraud, and that's exactly how it's used most of the time, to suck money and/or information out of bewildered users.

"We'll just keep "your" music and "your" video in the cloud for you"

uh-huh...

Re: IoT strikes again

[fyngyrz]

Most light switches are digital. On or off. The correct term is "mechanical."

Re:

[Bob the Super Hamste]

Hey not all light switches are digital [ncsu.edu].

Re:

[drinkypoo]

Something is mechanical if it uses potential and kinetic energy of the mechanical system.

It's not electrical, because electricity doesn't power the switch. You do. Hence, it's mechanical. It's not electromechanical, because that's the opposite; a switch is a mechanical device which controls electricity, whereas electromechanical means using electricity to control mechanics.

Re:Governments will love this

[tripleevenfall]

It's not difficult to imagine California deciding they need the ability to throttle your AC to combat brownouts/global warming/whatever

Re:

[pr0fessor]

It's an opt in and it supposed to help costs and availability during peak hours... They even have those programs in the mid-west.

Re:

[Cro Magnon]

Yup! I live in the Midwest. On one of the blazing hot days we had, I had to take off early to deal with something, and came home to a hot house and a thermostat blinking "Saving".

Re:

[pr0fessor]

My retired neighbor opted in and opted out as soon as he realized it was supposed to save by turning it off when they thought most people would be at work.

Re:

[Opportunist]

Governments will love this for a completely different reason. When "hackers" start to bother normal people, normal people will ask for laws that stop this. And they'll get the laws. Not that they stop anything, but you know how it is, once a law is passed, it stays.

Re:

[JustAnotherOldGuy]

Why can't these vendors and a $1 switch

Because it would cost a dollar, a whole fucking dollar, that's why.

(Actually a switch to enable/disable firmware updates would only cost a few cents, but even that's too much to spend on security.)

Re:

[naughtynaughty]

8 smoke alarms, 1 smart thermostat, 4 smart locks, 48 smart lightbulbs and someone needs to go flip a switch on each of them every time a firmware update is needed? No thanks.

Re:

[Megane]

It's the "smart" TVs that worry me more. There are a lot more of those out there.