Your 'Smart' Thermostat Is Now Vulnerable To Ransomware
from the the-Jetsons-this-ain't dept
We’ve noted time and time again how the much ballyhooed “internet of things” is a privacy and security dumpster fire, and the check is about to come due. Countless companies and “IoT” evangelists jumped head first into the profit party, few bothering to cast even a worried look over at the reality that basic security and privacy standards hadn’t come along for the ride. The result has been an endless parade of not-so-smart devices and appliances that are busy either leaking your personal details or potentially putting your life at risk.
Of course, the Internet of Things hype machine began with smart thermostats and the sexy, Apple-esque advertising of Nest. The fun and games didn’t last however, especially after several botched firmware updates resulted in people being unable to heat or cool their homes (relatively essential for a thermostat).
@nest @nestsupport It would be nice if your app would let users know when a device is offline due to server issues.
— Chris Berry (@Chris_Berry) July 26, 2016
Not quite the future that was advertised. And things are about to get notably more interesting with the news that hackers have figured out a way to load smart thermostats with ransomware. Security researchers Andrew Tierney and Ken Munro demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, using the opportunity to highlight how many of these devices aren’t transparent and fail utterly at giving users any real control of what’s happening on their home network:
“We don’t have any control over our devices, and don’t really know what they’re doing and how they’re doing it,” Tierney told Motherboard. “And if they start doing something you don’t understand, you don’t really have a way of dealing with it.”
And again, as we’ve seen with everything from smart refrigerators to Wi-Fi embedded tea kettles, companies get so excited about the IoT marketing and revenue possibilities, they fail to embed even basic security in supposedly intelligent devices:
“The thermostat in question has a large LCD display, runs the operating system Linux, and has an SD card that allows users to load custom settings or wallpapers. The researchers found that the thermostat didn’t really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware into an application or what looks like a picture and trick users to transfer it on the thermostat, making it run automatically.”
So yeah, imagine waking up one morning to this:
Yes, this is just one thermostat and a proof-of-concept, but worries about the IoT industry’s total failure to include security on “smart” devices should not be confused with scaremongering or hyperbole. As Bruce Schneier recently warned, the IoT explosion has resulted in the introduction of thousands of new attack vectors in homes, businesses and vehicles across the country, with vendors and Luddite consumers often ill-prepared to quickly update these products when vulnerabilities are exposed. If smart technology doesn’t get smarter soon, the future of smart technology…is going to be dumb technology.
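The flaw described in the Motherboard quote above is that the thermostat runs whatever lands on the SD card without checking what it is. The check it was missing is shown below as an added example; this is not code from the article, the researchers or any thermostat vendor, and the package layout (a fixed magic header, then an Ed25519 signature over the payload, then the payload) is an assumption made for the example. The device holds only the vendor's public key; anything that is not a correctly signed package, whether a "wallpaper" or a tampered update, is rejected before it is ever executed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed on-card layout for this example (not the real device's format):
//   magic (4 bytes) | Ed25519 signature (64 bytes) | payload
var magic = []byte("THS1")

const sigLen = ed25519.SignatureSize

var (
	ErrBadMagic = errors.New("not a thermostat package")
	ErrTooShort = errors.New("package too short to carry a signature")
	ErrBadSig   = errors.New("signature does not verify")
)

// VerifyPackage is the device-side check: it returns the payload only if
// the file carries the expected header and its signature verifies against
// the vendor public key burned into the device at manufacture.
func VerifyPackage(pub ed25519.PublicKey, file []byte) ([]byte, error) {
	// Header first, so a picture or a bare script fails here regardless of size.
	if len(file) < len(magic) || !bytes.Equal(file[:len(magic)], magic) {
		return nil, ErrBadMagic
	}
	if len(file) < len(magic)+sigLen {
		return nil, ErrTooShort
	}
	sig := file[len(magic) : len(magic)+sigLen]
	payload := file[len(magic)+sigLen:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, ErrBadSig
	}
	return payload, nil
}

// SignPackage is the vendor side: wrap a payload in the header and sign it
// with the private key, which stays on the vendor's build system.
func SignPackage(priv ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(priv, payload)
	out := make([]byte, 0, len(magic)+sigLen+len(payload))
	out = append(out, magic...)
	out = append(out, sig...)
	return append(out, payload...)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample: a legitimate settings package from the vendor.
	good := SignPackage(priv, []byte("settings: setpoint=21"))
	_, err = VerifyPackage(pub, good)
	fmt.Println("vendor package:", err)

	// Constructed sample: a file that starts like a JPEG but is not a package.
	disguised := []byte("\xff\xd8\xff\xe0 bytes pretending to be a wallpaper")
	_, err = VerifyPackage(pub, disguised)
	fmt.Println("disguised file:", err)

	// Constructed sample: a vendor package with one payload byte altered.
	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = VerifyPackage(pub, tampered)
	fmt.Println("tampered package:", err)
}
```

Run as-is, the program prints `<nil>` for the vendor package and the two rejection errors for the other inputs. The ordering of the checks matters for the user-facing story: a disguised picture is refused on the header check, a modified update on the signature check, and the payload is only ever handed to the rest of the system once both have passed.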
Filed Under: iot, ransomware, security, smart thermostat, thermostat
Comments on “Your 'Smart' Thermostat Is Now Vulnerable To Ransomware”
Unlike other device ransomware, though, this one has a workaround:
1) Remove device from wall
2) Too hot? Twist red and green wires together
3) Cooled down nicely? Untwist wires
4) Rinse and repeat
Re: Re:
5) Send POS back demanding a refund
Re: Re:
I have a bulletproof solution: use dumb thermostats. Impervious to remote hacking. And you get the bonus of not having to deal with wires whenever you want to change the temp.
Re: Re: Re:
But those dumb thermostats use mercury. It is sooooo eco-unfriendly and must be banned
Re: Re: Re: Re:
All of them?
Re: Re: Re:2 Re:
No, not all of them. The use of mercury switches has been in the process of being phased out for a while now. There are lots of mercury-free dumb thermostats available.
Re: Re: Re:
Keeping that mercury under glass and doing something useful is about as eco-friendly as it gets. Discarding and recycling that thermostat returns the mercury to the environment. Even if it’s “safely stored” or re-used in some way, some fraction of that mercury will inevitably escape.
“Smart” thermostats should all have at least one mercury switch inside so that no external failure causes a complete loss of control. That’s the eco-responsible thing to do. If “smart” IOT companies did that, failures would frequently pass with no-one noticing and virtually no energy wasted.
Re: Re: Re:
“Impervious to remote hacking.”
But this story is not even about remote hacking.
Re: Re:
While your house would be cool, you would no longer be cool.
That’s just not acceptable.
Re: Re:
Hey, friends, look at this cool app that I have… It says that it’ll control my thermostat but it actually just lets me press these buttons to make what looks like a setting on my thermostat go up and down.
Way cool, bro.
Functionality = null;
Doesn't seem quite the same....
It might take some help from the company, but wiping one of those out/restoring the base software shouldn’t be too big of a problem and there’s no worry about data loss like a regular PC.
Re: Doesn't seem quite the same....
Nice try Nest spokesperson.
Re: Doesn't seem quite the same....
Sounds like that “time saving” device just brought a bunch of effort to the party. Oh, and in the wings, you have a husband/wife/significant other/children/pets that are hassling you as to when the temperature will be comfortable again.
Re: Re: Doesn't seem quite the same....
I mean it obviously sucks, but it’s not the same level of hassle as “your data is all gone unless you pay up.” That can’t be fixed with a software reinstall/rollback.
Your very personal thermostat can also be hacked...
but I’m not sure that “You Suck!” is entirely appropriate…
“the makers of the We collect exactly when the device is used, which of the ten vibration modes they are using, and even ***the temperature of the device.*** All this data is stored on corporate servers and in the terms and conditions of the device the manufacturer reserves the right to pass it on to the authorities.”
http://www.theregister.co.uk/2016/08/07/your_sec_toy_is_spying_on_you_hackers_crack_our_plastic_pals/
Thought of the day.
Capt ICE Enforcer thought of the day.
Sometimes the dumbest option is the smartest option to go.
Business option for ransomware
Hello internet ransomware companies. Might I recommend that you change your business model. Instead of a one-time fee to unlock the device, you should change your EULA to an annual license which charges every year to keep it unlocked. That way you get more profit.
Re: Business option for ransomware
The actual thermostat companies already have a patent on that business model.
Click Bait
The original article was nothing but click bait.
1. Physical access to the thermostat is required as the software must be installed with an SD card. Is this even a security hole? Some could argue it is a (dubious) feature. And if an attacker has physical access to your thermostat they could just steal and ransom the actual device. Or something more valuable.
2. Hacking of things on the “internet of things” is often not as serious of an issue because many of the “things” are relatively inexpensive and contain no data of value. For example, a *thermostat*. Even if someone *remotely* hacked the thermostat they couldn’t ask for much of a ransom because the victim could just go buy a new (hopefully more secure) thermostat. It takes 10 minutes to install a new one.
Re: Click Bait
Except when it comes to things like baby monitors that have piss poor to no security and others can easily gain access and watch your kid(s) or whatever. IoT really has weak security if used. It was never designed for all the crap it’s being used for. I hear they’re working on a better version of it. The only thing is it’s not compatible with what you may currently have. So just replace everything!!!
Quite frankly, the secret to saving energy costs for heating and cooling: set the heat temp down some more and the cool up some more. Then wear less or wear more. You don’t need to cool your house down to 72 or 68, 78 is low enough. Don’t need to heat your house to 72 or so either, keep it down to 66. Dress warmer. Do you need a HUGE HOUSE for the 2 of you? Or 4 of you? Bigger the house, the more energy needed. I don’t think a smart thermostat is going to save you much unless you don’t do the most basic things. A dumb, cheap digital programmable thermostat is good enough.
Re: Re: Click Bait
How very dare you inject common sense into this article! Really though, good & practical advice. 🙂
Re: Click Bait
The thermostat might be quite cheap, but all the burst pipes and radiators that came from the resulting freeze up can be quite expensive.
Re: Click Bait
Nice try apologist from Nest
Re: Click Bait
Jason’s first point is right. Is IoT even relevant if physical access is required?
I could “hack” your conventional thermostat with a hammer if I had physical access. So this isn’t even an IoT story.
OTOH, I’m not on board with point 2. Lots of private data about my presence and patterns can be gleaned from my thermostat. It’s not about the risk of the $200 thermostat. There is much more at stake.
Re: Re: Click Bait
Jason’s first point is right. Is IoT even relevant if physical access is required?
I could “hack” your conventional thermostat with a hammer if I had physical access. So this isn’t even an IoT story.
I agree with you on this point. A maxim of computer security is that you don’t have security if you don’t have physical security.
Re: Re: Click Bait
But what is physical access in this case? They were saying there is a security vector involving getting the user to download something onto a drive and then plug it into the thermostat and then run the file. No one is stupid enough to randomly download shit off the internet and run it on an unsecured machine… right? Wait, isn’t that how a ton of malware is done on regular computers all the time?
Knowing this vector, someone nefarious just needs to give the users a reason to download something from the internet and plug it into the thermostat… like a corrupted thermostat upgrade package… or some background ‘jpegs’. Since there is no security or code signing, the thermostat will merrily run this code and voila, hacked, and on the internet ready for exploitation.
My Bluetooth belt has been hacked --
I have to pay Bitcoin before I can take my pants off.
Basically the definition of IoT: “So smart, it can – and WILL – get hacked.”
Proud Luddite
… with vendors and Luddite consumers often ill-prepared to quickly update these products when vulnerabilities are exposed.
I am a proud Luddite where these things are concerned. I won’t upgrade to an IoT thermostat, refrigerator, etc. There’s too little utility to such a device to justify either the price or the compromise in security, or even the new vulnerabilities.
I don’t think most people understand just how vulnerable you are to a misconfigured IoT thermostat, for example. That hacker who took control of your thermostat could actually destroy the AC unit by turning it on and off without letting the compressor cool down sufficiently, for example, and that would cost you much more than 1 bitcoin to replace. There’s a reason there are cycle limits built into thermostats.
Re: Proud Luddite
Refusing to use silly “new” products because they are stupid does not mean you are a luddite.
Re: Proud Luddite
There are a lot of problems you can cause if you get control of a thermostat beyond locking the users out and/or destroying their A/C unit.
Waste tons of money – depending on how they are heating/cooling, you can run up their bills quite quickly
Heat/fire hazard – continuously on heaters in a closed house given enough time… and do you have any children, pets, old people that could succumb to heat stroke before someone realizes and pulls the plug on the thermostat
Freezing temps – If they can tell that the outside temp is below freezing (I’m betting most of these systems have an outside temp gauge), turning on the AC to the max combined with the outside temp can lead to a frozen house with frozen pipes
But most of these things are just nuisance. The big security issue would be with having an inside man that could tell you what people’s routines are and when nobody is home so you could rob the place.
Let’s re-write this article a bit differently, to show why it’s funny:
“Consumer, who replaced a perfectly working thermostat for the sake of an app, now wonders why this new thermostat can’t heat or cool their own home. Turns out, it’s been hacked.”
Translation: consumer lacks common sense, and expects us to feel sympathy for their plight.
Tell me a story about how a 7 year old girl was killed because some asshole was trying to catch cartoon animals while driving their 2000 pound automobile, then I’ll show compassion.
Common sense is disappearing from this country at an alarming rate.
Yes, I do blame technology. It’s literally keeping people from thinking on their own.
Re: Re:
Blame the idiot get rich quick schemers, not the tools they use.
Re: Re:
So, the ability to save money and pollution by gaining remote access to your thermostat is a lack of common sense?
It’s not. It’s a feature that has varying degrees of value to different people. To those with a second home, or those away from home for extended periods, it’s very sensible.
Opinion
I love learning new things, and I also love English, which is why I read these articles in my free time. Thank you.
Re: Opinion
Why was the comment in Spanish flagged as abuse?
It just say that she likes learning, and reading English articles like this in her spare time.
Re: Re: Opinion
It was spam for a car sales site.
Mercury?
Thermostats haven’t used mercury in decades. The inexpensive ones are bi-metal springs, the more expensive ones use thermistors or other semiconductor devices.
Not On Board 100%
I agree that security is not being implemented enough in IOT, but Karl, you seem to have a chip on your shoulder against IoT for some other reason, and are using the security weakness as a hammer.
“companies get so excited about the IoT marketing and revenue possibilities, they fail to embed even basic security in supposedly intelligent devices:”
That may be true of some, or even most IoT. But it does not justify painting the entire category as stupid.
Just about every innovative technology starts with security as an afterthought. It’s not “right”. But it is standard practice. Why would the first innovators worry about security when they have hundreds of other issues to work through, AND when ‘obscurity’ is pretty good security given the devices are a new category. As I said, it’s not right, but it’s normal.
Orville and Wilbur Wright did not worry about hijacking defenses. Should they have?
Carmakers computerized the CANBUS network and the OBDII in cars long ago. Should they have made it hack-proof?
The first smartphones (PalmOS, Windows Mobile) had few deliberate defenses against virus and attacks. But almost no attacks occurred.
Once again, I agree with you that this is not the best. It’s better if security is built in from the start. But it almost never is. So why all the specific hate for IoT?
Re: Not On Board 100%
I’m not Karl, but my opposition to IoT is pretty straightforward: the way everyone is developing them requires that they interact with a third party server. This is unacceptable data leakage to entities that make it clear they will be selling or otherwise monetizing it.
Re: Re: Not On Board 100%
Fair enough, John. Your argument is cautious and sensible.
FYI, though it’s not fully true. I use a number of IoT devices which are not cloud services, but rather things that I manage and access myself. It’s technically much harder to do, so not mass market, but it’s also available.
And of course, it’s still vulnerable, as any connected device is.
Re: Re: Re: Not On Board 100%
“I use a number of IoT devices which are not cloud services, but rather things that I manage and access myself.”
As do I, but almost none of the commercially available devices are like this. The “IoT” == “cloud” (or at least phone-home) equivalency holds very well in the commercial space.
Re: "They're doing it too" is not an acceptable defense
Just about every innovative technology starts with security as an afterthought. It’s not “right”. But it is standard practice.
…
Once again, I agree with you that this is not the best. It’s better if security is built in from the start. But it almost never is. So why all the specific hate for IoT?
Just because it may be ‘standard practice’ or ‘normal’ doesn’t mean it should be given a pass. If you’re going to be making a product and selling it to the public and you don’t put at least some effort into making sure that the product is safe and secure then you absolutely deserve to get called out on your lousy practices.
It doesn’t matter in the slightest that others may have shoddy practices too, all that means is that they deserve their share of blame for their actions(or more often inaction) as well.
Re: Re: "They're doing it too" is not an acceptable defense
Well, that’s exactly what I meant when I said “It’s not right.”
But what I’m calling out is the inordinate, out of proportion distaste Karl has for IoT. Has he been similarly sour about every other innovation that had security as an afterthought? Because most of them did.
MOST startups here in Silicon Valley struggle to build an MVP (a Minimum Viable Product), and then to shove that product out to market as fast as possible. There are massive pressures from first-to-market, to cash flow, to investor pressure. Most of these startups tend to look at security as a distraction from their race to grab market share fast. They figure they’ll worry about security when security becomes a problem. If anyone here would like to debate this assertion, I’d be interested. But I think most would agree.
I have absolutely never asserted that this is right. Simply that this is true.
So to act like IoT is unique is misleading.
To act like IoT is a stupid idea because lots of it is insecure is short-sighted and untrue.
Re: Not On Board 100%
Just about every innovative technology starts with security as an afterthought.
IoT isn’t all that innovative and to compare it to the invention of the airplane is ridiculous. IoT is basically taking a few well established technologies and throwing them together to make a fast buck with little to no regard to the consequences for the buying public.
Orville and Wilbur Wright did not worry about hijacking defenses. Should they have?
Orville and Wilbur did not invent passenger airliners. And even when airliners were first developed hijacking was not a known threat. The types of security vulnerabilities present in IoT devices are generally of types well known on the day the devices are introduced but ignored by the manufacturers for cost savings reasons. I don’t see much excuse for that.
Re: Re: Not On Board 100%
The point is that startups and inventors start with a vision, and then work through each problem and barrier as it presents itself. They have dozens of such problems, thus are rather focused on what is stopping them from the goal. They are not focused on the problems that WILL present themselves AFTER they reach the goal of building the working invention.
Once again. Not the right decision, but very common, and not limited to IoT.
Once security is a problem with IoT (around the current time frame), then security will be the problem that people work to solve. Then it will be adequately addressed (because security cannot be fully solved).
You can't spell IDIOT...
without IOT.
But:
IoT sounded interesting when it first came out, use an app to turn on whatever, but then they added stuff to the devices. Sensors for sound levels, brightness of the light, location monitoring, impedance sensors, burglar aids, everything to sense if you are here or there. Why? It would not save energy, being on 24/7. And the way our power grid is on the verge of brownouts, good luck.
I have to wonder how “smart” these devices are when the designers of them are so stupid. If the device absolutely has to have updateable firmware (what am I saying, the whole world would grind to a halt if electronic devices couldn’t be updated!!!) just install a button that the user has to hold down to physically enable write access. No button, the firmware can’t be changed.
While they’re at it, how about a reset switch? Press it and all user settings and files are wiped while the firmware is restored to the factory default from a copy stored in ROM.