With Internet connected gadgets becoming more common, it is important to remember that they are still relatively new and thus are not as secure as they should be. Flaws will be discovered and patched many times before you do not need to worry about someone taking advantage of them to harm you in some way.
A fine example of this happened last year, during a DEF CON security conference. Two white hat hackers showed how a smart thermostat could turn into a nightmare. In two days, they managed to infect the device with ransomware. And a ransom needed to be paid in order to restore the device’s functionality. It is not necessarily something you should worry about, but the possibility of someone being able to hijack your Internet-connected device is still rather scary. The two security researchers who hacked the thermostat did not actually want to harm anyone, they just wanted to show how some Internet of Things devices do not have simple security measures implemented.
“Our intention was to draw attention to the poor state of security in many domestic IoT devices. Also to raise awareness in the security research community that it’s not all about software hacking. Hardware hacking is often an easier vector,” the researchers explain in their blog post.
How did it work
The two researchers, Andrew Tierney and Ken Munro, took advantage of a vulnerability in a thermostat and infected it with ransomware. They did not want to reveal which company’s thermostat they managed to hack because at that time, they still had not contacted the company with their findings.
So what the ransomware would do is it would lock out the users so they cannot alter anything, then change the heat to 99 degrees and finally, ask for a PIN. The PIN would change every 30 seconds so that the user would have a difficult time guessing it. That particular ransomware was created to ask for 1 Bitcoin to unlock the device.
“We got command injection by the SD card, so it was a local attack. With root, you can set off alarm (and set the frequency very high) and can heat and cool at the same time,” Tierney explained to Info Security Magazine. That does not mean it is impossible to make it work without physical access to the device. The thermostat that was used was running a version of Linux, had a LCD display, and an SD card. The SD card was there so that the users could create their own heating schedules, upload custom images and screensavers. If the users downloaded a malicious app or a picture onto the SD card, the malware would run on the device.
“The researchers found that the thermostat didn’t really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware into an application or what looks like a picture and trick users to transfer it on the thermostat, making it run automatically”, Motherboard reports.
Not easy to pull of an attack
The researchers do not say that it would be an easy attack to pull off but users downloading something malicious onto their thermostats is not beyond the realms of possibility.
“This exercise was about demonstrating an issue and encouraging the industry to fix it. Will malicious actors do this in future? Perhaps, though we hope that the IoT industry has resolved these issues way before attacks become a reality,” the researchers say.