Hackers demonstrated first ransomware for IoT thermostats at DEF CON

Ransomware-infected smart thermostats, it's no longer hypothetical. An attacker could crank up the heat and lock the IoT device until sweltering occupants paid a ransom to unlock it.

IoT thermostat ransomware
Credit: Ken Munro

Oh goody, a hacker could crank up the temperature of a smart thermostat to a sweltering 99 degrees and leave the IoT device like that until its owner pays a ransom to regain control.

This is no longer a hypothetical attack; two hackers showed off the first proof-of-concept ransomware for smart thermostats; an attacker could set any temperature to try to melt or freeze the occupants until the ransom is paid. This first ransomware locked the temperate at 99 degrees until the owner paid a ransom to obtain a PIN which would unlock it.

First ransomware for IoT thermostats Ken Munro

Andrew Tierney and Ken Munro of PenTest Partners demonstrated the smart thermostat ransomware at DEF CON. It only took them a few days to hack the thermostat, and this was right before the security conference, so they would not reveal the manufacturer until they could report the vulnerability to the company. This particular IoT thermostat runs a modified version of Linux, has a large LCD screen – the better to show the ransom demand – and has an SD card.

As for what the ransomware does, Tierney told Infosecurity Magazine, “It heats to 99 degrees, and asks for a PIN to unlock which changes every 30 seconds. We put an IRC botnet on it, and the executable dials into the channel and uses the MAC address as the identifier, and you need to pay one Bitcoin to unlock.”

In another attack scenario, an attacker might blast the heat and AC at the same time, wanting the owner to practically bleed money for the utility bill until the ransom is paid. Everything in the thermostat runs with root privileges. “We got command injection by the SD card, so it was a local attack,” Tierney explained. “With root, you can set off alarm (and set the frequency very high) and can heat and cool at the same time.”

While this was a local attack, it also isn’t impossible to pull this off without gaining physical access to the device. The thermostat owner can use the SD card to load custom settings or wallpaper. Motherboard reported:

The researchers found that the thermostat didn’t really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware into an application or what looks like a picture and trick users to transfer it on the thermostat, making it run automatically.

The researchers are by no means saying this particular ransomware would be an easy attack to pull off. Yet, it's not unrealistic to believe people would download a malware-tainted app. A month ago, Proofpoint warned that people were downloading a malicious version of Pokemon Go; it included a backdoor.

As Tierney pointed out, if people were so inclined, they could purchase previously owned IoT thermostats. “You can buy one of these on eBay and there is no way of checking it. It is not difficult [to hack] and I did it in two evenings.”

He added, “You’re not just buying [Internet of Things] gear, you’re inviting people on your network and you have no idea what these things do.”

Munro promised to blog about the ransomware proof-of-concept and reveal more details.

The march toward exascale computers
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies