The two took advantage of a bug in a particular thermostat, but declined to reveal which one since they haven’t had a chance to contact the company and get it fixed yet. The two said they found the vulnerability just a few days before Def Con, adding that they plan to contact the company to get it fixed on Monday. They also said the fix should be easy to deploy.
The thermostat in question has a large LCD display, runs Linux, and has an SD card slot that lets users load custom settings or wallpapers. The researchers found that the thermostat didn’t really check what kind of files it was loading and executing. In theory, this would allow a malicious hacker to hide malware in an application or in what looks like a picture, trick users into copying it onto the thermostat, and have it run automatically.
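The weakness described above is a loader that trusts whatever it finds on removable media. The following is an added illustration, not code from the thermostat or from Pen Test Partners: a hypothetical wallpaper loader in the unchecked form beside a hardened form that validates the file's actual content by its signature bytes, enforces a size limit, and never hands media content to the operating system for execution. The SD-card contents, format allow-list and size limit are all constructed for the example.

```python
"""Constructed model of an SD-card wallpaper loader (not real firmware).

`unsafe_load` reproduces the pattern the article describes: the device acts on
whatever the card calls a wallpaper, and executable content gets run.
`safe_load` is the hardened form: extension allow-list, size cap, and a check
that the bytes really are an image before the file goes anywhere near a decoder.
"""
from typing import Dict, Optional

# Allow-list of image formats keyed by their leading signature bytes.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "bmp": b"BM",
}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".bmp"}
ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"
MAX_WALLPAPER_BYTES = 4 * 1024 * 1024  # constructed limit for the example


def sniff_format(data: bytes) -> Optional[str]:
    """Return the image format whose signature the data starts with, else None."""
    for name, magic in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def unsafe_load(name: str, data: bytes) -> str:
    """Trusts the file as presented; executable content is 'run'.

    Execution is simulated by returning a marker; nothing is actually executed.
    """
    if data.startswith(ELF_MAGIC) or data.startswith(SHEBANG):
        return "EXECUTED"  # stand-in for handing the file to the OS
    return "DISPLAYED"


def safe_load(name: str, data: bytes) -> str:
    """Validates content before use and never executes anything from the card."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return "REJECTED: extension not allowed"
    if len(data) > MAX_WALLPAPER_BYTES:
        return "REJECTED: too large"
    fmt = sniff_format(data[:16])
    if fmt is None:
        # Covers an ELF binary or script renamed to .png: name says image, bytes do not.
        return "REJECTED: content is not a recognised image"
    # Only a validated image ever reaches the image decoder.
    return f"DISPLAYED ({fmt})"


# Constructed SD-card contents: one genuine wallpaper, one binary disguised
# as a wallpaper, one shell script, and one oversized image.
SD_CARD: Dict[str, bytes] = {
    "sunset.png": IMAGE_SIGNATURES["png"] + b"\x00" * 64,
    "wallpaper.png": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64,
    "update.sh": SHEBANG + b"/bin/sh\necho constructed\n",
    "huge.jpg": IMAGE_SIGNATURES["jpeg"] + b"\x00" * (MAX_WALLPAPER_BYTES + 1),
}


def scan_card(loader, card: Dict[str, bytes]) -> Dict[str, str]:
    """Apply a loader to every file on the card and report the outcome per file."""
    return {name: loader(name, data) for name, data in card.items()}


if __name__ == "__main__":
    for label, loader in (("unsafe", unsafe_load), ("safe", safe_load)):
        print(f"--- {label} loader ---")
        for name, outcome in scan_card(loader, SD_CARD).items():
            print(f"{name:16s} {outcome}")
```

Running the block shows the disguised binary reported as executed by the unchecked loader and rejected by the hardened one; the genuine wallpaper is displayed by both. The point is that the decision is made on the bytes, not the filename, and that no code path exists from removable media to execution.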
At that point, an evil hacker would have full control of the thermostat, the researchers said.
“It actually works, it locks the thermostat,” said Munro, who last year found that a Samsung smart fridge leaked Gmail passwords, sitting next to three thermostats that were displaying the famous quote from the movie Hackers: “Hack The Planet.”
Tierney and Munro admit that in practice this is not an easy attack to pull off, as it requires people to actively download malware and copy it onto their thermostats. But, for example, plenty of Android users in the past have been hacked by willingly installing malicious apps on their phones, as many did recently with a fake Pokemon Go app. So it’s not totally far-fetched.
In any case, while this particular ransomware is unlikely ever to hit people, it shows that, as many expected, it’s possible to create ransomware for smart devices such as fridges or thermostats. Moreover, these devices put at risk not just themselves but every other device on your WiFi network, because a compromised smart device is an entry point into that network.
“You’re not just buying [Internet of Things] gear,” Tierney warned, “you’re inviting people on your network and you have no idea what these things do.”