We already know that the Internet of Things is hackable and that it gives cyber criminals yet another way to exploit us and our devices. Where the vulnerability of IoT is headed can also be seen in the first two episodes of Mr. Robot’s second season, in the hack fsociety carried out on the smart home of E Corp’s General Counsel (it, too, involved a thermostat going crazy). Even though the attack seems slightly over the top, it definitely opens the door to a range of possibilities.
That being said, I wasn’t too surprised to read that two security researchers have successfully hacked an IoT thermostat and infected it with ransomware. Ransomware has already hit smart TVs, so why not other IoT devices? Researchers have now proved it possible, albeit harder than expected.
How Did the Thermostat Hack Happen?
During DEF CON 24, two security researchers, Ken Munro and Andrew Tierney of Pen Test Partners, demonstrated how an IoT device can be hacked. Not only can it be hacked, it can also be infected with ransomware! For that purpose, the infosec pair took an IoT thermostat with a large screen (where the ransom note was displayed) and modified its code. The device was running a modified version of Linux.
Pen Test Partners opted for a US thermostat with a digital screen. Tierney said the device had a custom board and was ARM-based with a JTAG port, which he said “makes it so easy to hack”.
Why were the researchers able to hack the IoT device? It let them connect an SD card, which gave them a way onto the device. Furthermore, the thermostat software ran with root privileges, which means that no privilege escalation flaw was needed to take the device over.
The attack, in a nutshell? Tierney’s explanation:
Further along in the attack, the thermostat heated to 99 degrees and asked for a PIN to unlock, which is set to change every 30 seconds. The researchers put an IRC botnet client on it, “and the executable dials into the channel and uses the MAC address as the identifier, and you need to pay one Bitcoin to unlock.”
Was the Thermostat Ransomware Hack Attack Easy to Perform?
Not really. Munro and Tierney say that it was quite challenging: it took them two evenings to accomplish. The hack hasn’t been reported to the vendor yet, as the researchers didn’t have time to send out a bug report; it was put together right before DEF CON. However, a report will follow in just a few days.
Because an official report hasn’t been filed yet, the researchers haven’t revealed the make and model of the vulnerable thermostat. What the vendor has to do, however, is stop code from running as root and move processes to less-privileged user accounts.
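The root-privilege finding above is easy to check for on any embedded Linux device you own or ship. The following is an added example of mine, not code from the article or from Pen Test Partners: it parses the output of `ps -eo pid,user,comm` (the sample process table below is constructed, as are the process names such as `thermostat_ui`) and reports every userland service still running as root, skipping kernel threads and a small, assumed allow-list of processes that genuinely need uid 0.

```python
"""Audit an embedded Linux process table for services running as root.

Added example, not from the article or the researchers. The input format is
assumed to be `ps -eo pid,user,comm` output; the sample table is constructed.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Constructed sample, modelled on a small thermostat-style Linux image.
SAMPLE_PS_OUTPUT = """\
  PID USER     COMMAND
    1 root     init
    2 root     [kthreadd]
   42 root     dropbear
  118 root     thermostat_ui
  120 root     wifi_mgr
  133 nobody   dnsmasq
  140 thermo   sensor_poll
"""

# Processes that legitimately need uid 0 on this assumed image.
# Everything else running as root is a candidate to move to its own user.
ALLOWED_ROOT = {"init", "dropbear"}


@dataclass(frozen=True)
class Proc:
    pid: int
    user: str
    comm: str


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps -eo pid,user,comm` output, skipping the header line."""
    procs: list[Proc] = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # tolerate blank or truncated lines
        pid, user, comm = parts
        procs.append(Proc(int(pid), user, comm))
    return procs


def is_kernel_thread(p: Proc) -> bool:
    """ps prints kernel threads in brackets; they have no userland code to demote."""
    return p.comm.startswith("[") and p.comm.endswith("]")


def root_services(procs: list[Proc]) -> list[Proc]:
    """Userland processes running as root that are not on the allow-list."""
    return [
        p for p in procs
        if p.user == "root" and not is_kernel_thread(p) and p.comm not in ALLOWED_ROOT
    ]


def audit(ps_text: str) -> list[str]:
    """Return the command names that should be moved off root, in pid order."""
    return [p.comm for p in root_services(parse_ps(ps_text))]


if __name__ == "__main__":
    # Run against the live system when invoked directly; fall back to the sample.
    try:
        live = subprocess.run(["ps", "-eo", "pid,user,comm"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_PS_OUTPUT
    for name in audit(live):
        print(f"runs as root: {name}")
```

On the constructed table the audit flags `thermostat_ui` and `wifi_mgr`; `init` and `dropbear` are allow-listed and `kthreadd` is skipped as a kernel thread. Tune `ALLOWED_ROOT` per image rather than growing it until the report is empty.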
In addition, the researchers point out that if the firmware had been made unreadable through obfuscation or encryption, it would have been much harder to modify.
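A vendor (or an auditor) can check whether a firmware image actually ships encrypted rather than as readable plaintext. Here is an added example of my own, not code from the article or from Pen Test Partners: it computes Shannon entropy over fixed-size blocks of an image and classifies it as plaintext, encrypted-or-compressed, or mixed (a readable bootloader header followed by an encrypted payload, for instance). The two images it runs on are constructed, and the 7.8 bits-per-byte threshold is an assumed cut-off, not a value from the page.

```python
"""Classify a firmware image as plaintext or encrypted by block entropy.

Added example, not from the article. Readable ARM firmware (code, strings,
padding) sits well below 8 bits/byte; encrypted or well-compressed data sits
close to 8. The sample images are constructed and the threshold is assumed.
"""
from __future__ import annotations

import math
import random
from collections import Counter

BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.8  # assumed cut-off in bits per byte

# Constructed "plaintext" image: zero padding, a status string, a sparse table.
_UNIT = (b"\x00" * 64
         + b"thermostat_ui v1.2: enter PIN to unlock\n"
         + bytes(range(0, 256, 4)))
PLAINTEXT_IMAGE = (_UNIT * (16384 // len(_UNIT) + 1))[:16384]

# Constructed stand-in for an encrypted payload: seeded pseudo-random bytes.
ENCRYPTED_IMAGE = random.Random(0xC0FFEE).randbytes(16384)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(image: bytes, block_size: int = BLOCK_SIZE) -> list[float]:
    """Entropy of each consecutive block; the last block may be shorter."""
    return [shannon_entropy(image[i:i + block_size])
            for i in range(0, len(image), block_size)]


def classify(image: bytes, threshold: float = HIGH_ENTROPY) -> str:
    """'plaintext', 'encrypted-or-compressed', or 'mixed' by block entropy."""
    ents = block_entropies(image)
    high = [e >= threshold for e in ents]
    if all(high):
        return "encrypted-or-compressed"
    if not any(high):
        return "plaintext"
    return "mixed"


def report(image: bytes) -> str:
    """One-line summary a build pipeline could print before signing a release."""
    ents = block_entropies(image)
    return (f"{classify(image)}: {len(ents)} blocks, "
            f"min {min(ents):.2f} / max {max(ents):.2f} bits per byte")


if __name__ == "__main__":
    for name, img in (("plaintext", PLAINTEXT_IMAGE),
                      ("encrypted", ENCRYPTED_IMAGE),
                      ("header+payload", PLAINTEXT_IMAGE[:BLOCK_SIZE] + ENCRYPTED_IMAGE)):
        print(f"{name:15s} {report(img)}")
```

A plaintext result on a release image means anyone with JTAG or SD-card access can read and patch the code directly, which is exactly the situation the researchers describe. Compression also produces high entropy, so treat the "encrypted-or-compressed" verdict as a prompt to confirm which one it is, not as proof of encryption.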