IoT Thermostat Hack Ends with Ransomware Infection - How to, Technology and PC Security Forum | SensorsTechForum.com

IoT Thermostat Hack Ends with Ransomware Infection


We already know that the Internet of Things is hackable and that it gives cyber criminals another way to exploit us and our devices. Where the vulnerability of IoT is headed can also be seen in the first two episodes of Mr. Robot’s second season – in the hack fsociety carried out on the smart home of E Corp’s General Counsel (it, too, involved a thermostat going crazy). Even though the attack seems slightly over the top, it definitely opens the door to a range of possibilities.


That being said, I wasn’t too surprised to read that two security researchers have successfully hacked an IoT thermostat and infected it with ransomware. Ransomware has already attacked smart TVs, so why not IoT devices? The researchers proved it possible, too, albeit harder than expected.

How Did the Thermostat Hack Happen?

At DEF CON 24, two security researchers, Ken Munro and Andrew Tierney of Pen Test Partners, demonstrated how an IoT device can be hacked. Not only can it be hacked, it can also be infected with ransomware! For that purpose, the pair took an IoT thermostat with a large screen (where the ransom note was displayed) and hacked its codebase. The device was running a modified version of Linux.

Pen Test Partners opted for a US thermostat with a digital screen. Tierney said the device had a custom board, was ARM-based with a JTAG port, which he said “makes it so easy to hack”.

Why were the researchers able to hack the IoT device? It permitted them to connect an SD card to it. Furthermore, the thermostat software ran with root privileges. This means that no privilege escalation flaws were needed to hack the device.

The attack, in a nutshell? Tierney’s explanation:

“So we put in a huge executable by loading a 7MB Javascript file, but this is not plain Javascript so you can query the SQL database so it can execute Linux commands. We got command injection by the SD card, so it was a local attack. With root, you can set off alarm (and set the frequency very high) and can heat and cool at the same time.”

Later in the attack, the thermostat heated to 99 degrees and asked for a PIN to unlock, which is set to change every 30 seconds. The researchers put an IRC botnet on it, “and the executable dials into the channel and uses the MAC address as the identifier, and you need to pay one Bitcoin to unlock.”


Was the Thermostat Ransomware Hack Attack Easy to Perform?

Not really. Munro and Tierney say that, at the moment, it is quite challenging. It took them two evenings to accomplish. The hack hasn’t been reported to the vendor yet, as the researchers didn’t have time to send out a bug report. The hack was “built” right before DEF CON. However, a report will follow in just a few days.

Because an official report hasn’t been filed yet, the researchers haven’t revealed the make and the model of the vulnerable thermostat. What the vendor has to do, however, is stop code from running as root and move processes to less-privileged user accounts.
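One way to check a Linux-based device for the condition described above, as an added example that is not code from the researchers or the vendor: it classifies processes from the text of their `/proc/<pid>/status` files and also catches a half-finished privilege drop, where the effective UID was lowered but the saved UID is still 0. The process names and status contents are constructed sample data; on a real device the same functions would be fed the actual status files.

```python
# Added example: audit which userland processes hold root, per /proc/<pid>/status.
# Process names and status text below are constructed sample data.

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of a /proc/<pid>/status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(text):
    """Return 'kernel', 'privileged', 'regainable' or 'unprivileged'."""
    f = parse_status(text)
    if "VmSize" not in f:          # kernel threads have no user address space
        return "kernel"
    # Uid line order: real, effective, saved-set, filesystem
    ruid, euid, suid, fsuid = (int(x) for x in f["Uid"].split())
    cap_eff = int(f.get("CapEff", "0"), 16)
    if euid == 0 or fsuid == 0 or cap_eff != 0:
        return "privileged"
    if ruid == 0 or suid == 0:     # seteuid(0) would still succeed
        return "regainable"
    return "unprivileged"

def audit(status_by_pid):
    """List (pid, name, verdict) for every process that should be reviewed."""
    findings = []
    for pid, text in sorted(status_by_pid.items()):
        verdict = classify(text)
        if verdict in ("privileged", "regainable"):
            findings.append((pid, parse_status(text)["Name"], verdict))
    return findings

def status(name, uids, cap_eff, vm=True):
    """Build a constructed status file for the sample table."""
    lines = [f"Name:\t{name}", "Uid:\t" + "\t".join(map(str, uids))]
    if vm:
        lines.append("VmSize:\t   18432 kB")
    lines.append(f"CapEff:\t{cap_eff:016x}")
    return "\n".join(lines) + "\n"

SAMPLE = {
    2:   status("kthreadd", (0, 0, 0, 0), 0x3fffffffff, vm=False),
    412: status("thermostat-ui", (0, 0, 0, 0), 0x3fffffffff),
    430: status("netd", (1001, 1001, 0, 1001), 0),
    455: status("sensord", (1002, 1002, 1002, 1002), 0),
}
```

`audit(SAMPLE)` reports the UI process as privileged and the network daemon as able to regain root, while the kernel thread and the fully dropped sensor daemon are left out.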

In addition, the researchers point out that if the firmware had been made unreadable through obfuscation or encryption, it would have been much harder to modify.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
