White hat hackers have made the first proof of concept for malware that locks a smart thermostat and demands a ransom.
Image: Lorenzo Franceschi-Bicchierai/Motherboard
One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars.
This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a "smart" device, in this case a thermostat.
Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger.
"We don't have any control over our devices, and don't really know what they're doing and how they're doing it," Tierney told Motherboard. "And if they start doing something you don't understand, you don't really have a way of dealing with it."
Tierney and Munro, who both work UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the IoT Village, part of the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in security world.
The two took advantage of a bug in a particular thermostat, but declined to reveal which one since they haven't had a chance to contact the company and get it fixed yet. The two said they found the vulnerability just a few days before Def Con, adding that they plan to contact the company to get it fixed on Monday. They also said the fix should be easy to deploy.
The thermostat in question has a large LCD display, runs the operating system Linux, and has an SD card that allows users to load custom settings or wallpapers. The researchers found that the thermostat didn't really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware into an application or what looks like a picture and trick users to transfer it on the thermostat, making it run automatically.
An evil hacker would have full control of the thermostat.
At that point, an evil hacker would have full control of the thermostat, the researchers said.
"It actually works, it locks the thermostat," Munro, who last year found that a Samsung smart fridge leaked Gmail passwords, said sitting next to three thermostats that were displaying the famous quote from the movie Hackers: "Hack The Planet."
Tierney and Munro admit that in practice this is not an easy attack to pull off, as it requires people to actively download and transfer malware on their thermostats. But, for example, plenty of Android users in the past have gotten hacked by willingly installing malicious apps on their phones, as many did recently with a fake Pokemon Go app. So it's not totally far-fetched.
In any case, while this particular ransomware is unlikely to ever hit people, it shows that as many expected, it's possible to create ransomware for the smart devices, such as fridges or thermostats, and moreover, these devices are making not just themselves vulnerable to hackers, but all the devices connected to your WiFi and any other devices connected to it as they are an entry point into your network.
"You're not just buying [Internet of Things] gear," Tierney warned, "you're inviting people on your network and you have no idea what these things do."