Smart Thermostat Ransomware


(Nate) #1

Thought this was an interesting read. Security is always a concern, but this makes it more real.


(Marc) #2

Interesting and thanks for the share. As a cyber security professional myself, this is especially of interest to me. I wonder how much liability the manufacturers would take in these scenarios? Since these thermostats are mostly cloud based, there is a smaller risk of data loss and a replacement device fixes your issue. Would Nest replace a bricked software device? My guess is they will fall on the warranty if it’s still covered and you’re out of luck if it’s not.


( I hate Mondays) #3

Honeywell? The tweet suggests Nest?


(Jody) #4

The arbitrary code execution involves getting someone to load the malware via the SD Card

The thermostat in question has a large LCD display, runs the operating system Linux, and has an SD card that allows users to load custom settings or wallpapers. The researchers found that the thermostat didn’t really check what kind of files it was running and executing


(Bobby) #5

I don’t see how it makes it real. It’s like you open the door to a stranger, let him take away your stuff and then you call the police and say you’ve been robbed. Someone has to manually insert the SD card into your thermostat to load the virus.

At least the article says:

“this is not an easy attack to pull off, as it requires people to actively download and transfer malware on their thermostats.”


( I hate Mondays) #6

Yeah, but it could be in the disguise of a wallpaper, so the victim would unknowingly help the attacker. Which is a plausible way in. Hard to pull off, but plausible.


#7

because your thermostat needs a SD card slot right? :stuck_out_tongue:


(Bobby) #8

Well, then my example with the big bad burglar, just turned into a Victoria Secret model, but you still need to open the door and welcome her in your house to take your stuff…


(Fast, Good, Cheap...pick two.) #9

Sounds strangely like a few of my relationships


(Bobby) #10

Well, that would teach you to marry them. You should have just given them an SD card instead …


(Realy Living Dream) #11

There’s a sucker born every minute. Seems almost daily there is another news report that some (idiot) got a phone call from [insert government agency here] and had to pay them $5000, $10000, whatever in iTunes gift cards or they would be arrested. So they ran out, emptied their bank account and over to Best Buy, Staples, etc. bought the gift cards and gave the caller the redemption code.

So there are plenty of people that would get an email "from Honeywell" with a firmware update, download it and install it in their thermostat.


(Dan P Parker) #12

I’m doomed. :disappointed:


(Christopher Masiello) #13

Ransom for thousands of dollars? For control of a $250 gadget? Couldn’t you just pull it off the wall and replace it for $250?
Your furnace and AC have OFF buttons on them.


(Ben W) #14

Because it’s a #complaintsfromthefuture

It would get almost zero attention if the headline was

“Honeywell Smart thermostat vulnerable if attacker has access to SD slot on the thermostat”


( I hate Mondays) #15

Just like in that Looney Tunes (?) cartoon where Elmer (?) gets out of his jail cell, slipping between the bars, only to go pick up the cell door key and return back in and try to open the cell door? That kind of a hack? :smiley:


(Geko) #16

Tierney and Munro admit that in practice this is not an easy attack to pull off, as it requires people to actively download and transfer malware on their thermostats.

Total bull. Why would anyone want to hack a $200 gadget and ask for a ransom far exceeding its value? Makes no sense. Typical scaremongering and self-promotion for the so-called “researchers”.


(Andrew Tierney) #17

I’m Andrew Tierney, one of the people who did work on this.

Firstly, this is not a Honeywell product.

Secondly, although the attack requires an SD card being placed into the thermostat, that doesn’t mean that an attacker needs access to your property.

The attack requires that the user loads a wallpaper onto the device with a certain filename:
https://www.pentestpartners.com/blog/thermostat-ransomware-a-lesson-in-iot-security/

Some plausible attack vectors:

  1. You upload a malicious copy of the genuine software used to create SD cards to filehosting sites. It gets indexed and downloaded, and used. The SD cards are used as normal, and infect the device.
  2. The app is over 120MB in size. Offer a 500k app that does the same job, but infects the cards.
  3. Hidden functionality can be enabled using crafted settings. Offer an app to do this via enthusiast forums, and again, it infects the cards.
  4. These thermostats are used commercially and in public spaces. In under a minute, someone can get root control of the device and leave no evidence.
  5. Use a phishing email to offer a firmware update, as mentioned above.

A proportion of people would fall for these.

Thirdly, it’s really not scaremongering when you call it a proof-of-concept and explicitly say it is unlikely to happen. The ransomware was used because it is easy for many to relate to, and to spur discussion.

Fourthly, it should not be possible to get root on a thermostat in under a minute without opening the case and without leaving external trace. Imagine if your phone or PC could be attacked this quickly and easily. Would you be happy?

Use your imagination a bit. Most of the home automation kit out there is horrifically vulnerable to attack, and users have no real control over what their devices are doing and how they do it. I have actively used a vulnerable DVR during a pen test to get onto a shop’s local network, and from there access to all of their internal machines including payment systems.
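The weakness discussed in this thread is a device that loads whatever file carries the expected wallpaper name without checking what it actually is. As an added example (not code from the thread, the device vendor or Pen Test Partners), here is the kind of allow-list check a wallpaper loader should apply to anything read from removable media; the size limit, extension list and in-memory sample card are constructed for illustration.

```python
import os
from typing import Dict, List, Tuple

# Added example, not the thread's or Pen Test Partners' code. The device in the
# discussion trusted any file carrying the expected wallpaper name; this loader
# accepts a file only if its bytes are a recognised image, and never executes it.
MAX_WALLPAPER_BYTES = 2 * 1024 * 1024  # assumed limit for this example
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".bmp"}
# Content is identified by magic bytes; the filename alone proves nothing.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"BM": "bmp",
}
# Headers that mark code rather than pixels (ELF, script, PE); always refused.
CODE_MAGIC = (b"\x7fELF", b"#!", b"MZ")

def classify_wallpaper(data: bytes, filename: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Each check is an allow-list, not a deny-list."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: %r" % ext
    if not data or len(data) > MAX_WALLPAPER_BYTES:
        return False, "size out of bounds"
    if data.startswith(CODE_MAGIC):
        return False, "code header, not an image"
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return True, kind
    return False, "unrecognised content"

def load_wallpapers(card: Dict[str, bytes]) -> Tuple[List[str], List[str]]:
    """Split an in-memory 'SD card' (name -> bytes) into accepted and rejected."""
    accepted, rejected = [], []
    for name, data in sorted(card.items()):
        ok, reason = classify_wallpaper(data, name)
        if ok:
            accepted.append(name)
        else:
            rejected.append("%s: %s" % (name, reason))
    return accepted, rejected

# Constructed sample card: one genuine-looking PNG header plus two files whose
# image extensions hide ELF and shell-script contents.
SAMPLE_CARD = {
    "wallpaper.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "wallpaper.jpg": b"\x7fELF\x02\x01\x01" + b"\x00" * 32,
    "theme.bmp": b"#!/bin/sh\n",
}
```

The accepted bytes should then go straight to an image decoder; nothing on the card is ever copied to an executable location or run, which is the property the thermostat in the thread lacked.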


(Brian) #18

So let me get this straight: I buy one of these for $250 and I get a Victoria’s Secret model and an SD card?

Take my money!


(Realy Living Dream) #19

I think if you put the right hack onto an SD card and insert it into the thermostat, it turns into a holograph projector and a VS model appears every time you walk by the unit. Just make sure the thermostat recognizes it is you and not the wife walking by.