Security firm Pen Test Partners demonstrated an easy hack of a smart thermostat at Def Con 2016.
IoT security, or the lack thereof, is making headlines again. Security testing firm Pen Test Partners demonstrated a new hack on IoT thermostats at their Aug. 8 Def Con presentation. They were able to hack into one of the devices and take over the firmware, replacing it with an infected version that included ransomware. The hack locked down the device, displaying a message asking the owner for a bitcoin payment in order to get control back.
Pen Test Partners spokesperson Andrew Tierney told Infosecurity Magazine, “It heats to 99 degrees, and asks for a PIN to unlock which changes every 30 seconds. We put an IRC botnet on it, and the executable dials into the channel and uses the MAC address as the identifier, and you need to pay one Bitcoin to unlock.”
Cisco, in its 2016 cybersecurity report, has predicted that organizations are not prepared for more sophisticated forms of ransomware, which has become one of the most profitable hacks in history. “Clubs and organizations, charities and non-governmental organization (NGOs), and electronics businesses have all experienced an increase in attacks in the first half of 2016,” Cisco reports.
In the case of the thermostat hacked by Pen Test Partners, the firmware could be exploited in a number of ways. For instance, it could be programmed to take control of the device’s piezoelectric buzzer and set its frequency to 16-18 kHz. Humans would not hear a thing, but it would wreak havoc on any pets in the house. The hackers could also turn on both heating and cooling at the same time, driving the victim’s energy bills sky high, or worse, turn the heating or cooling system on and off many times per second, which carries a high risk of serious physical damage to the system.
The hack was successful because the device’s firmware was completely unencrypted, unsigned, and set to run everything with root privileges. The company said simple encryption and signing would have gone a long way toward preventing such hacks from being possible, and the removal of debug info and root privileges is also important.
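The signing check described above, as an added Go example that is not code from Pen Test Partners or the thermostat's maker: an update routine that accepts a firmware image only if its Ed25519 signature verifies against a public key stored on the device. The image layout and all names are assumptions of this example, and the version (anti-rollback) check goes beyond what the article mentions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout: "FWIM" | uint32 version | payload | 64-byte signature.
const magic, headerLen = "FWIM", 8

var (
	ErrFormat    = errors.New("malformed or unsigned image")
	ErrSignature = errors.New("signature check failed")
	ErrRollback  = errors.New("version not newer than installed")
)

// NewKeys makes a throwaway pair; only the public half belongs on the device.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// SignImage runs on the vendor's build host, never on the device.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := append(append([]byte(magic), 0, 0, 0, 0), payload...)
	binary.BigEndian.PutUint32(img[4:headerLen], version)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage runs on the device before anything is written to flash.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize || string(img[:4]) != magic {
		return nil, ErrFormat
	}
	split := len(img) - ed25519.SignatureSize
	if !ed25519.Verify(pub, img[:split], img[split:]) {
		return nil, ErrSignature
	}
	if binary.BigEndian.Uint32(img[4:headerLen]) <= installed {
		return nil, ErrRollback
	}
	return img[headerLen:split], nil
}

func main() {
	pub, priv, _ := NewKeys()
	_, err := VerifyImage(pub, 1, SignImage(priv, 2, []byte("constructed payload")))
	fmt.Println("signed image accepted:", err == nil)
}
```

Because the device holds only the public key, reading that key out of flash does not let anyone sign a modified image.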
Pen Test Partners declined to identify the thermostat they used in their demonstration or the company that made it, saying they want to give the company a chance to fix the security flaws first. If you should happen to find your smart thermostat taken over by ransomware, the fix is simple: Remove it and replace it with a non-smart one.