Home > Ransomware > IoT Thermostat Hack Ends with Ransomware Infection

IoT Thermostat Hack Ends with Ransomware Infection


We already know that the Internet of things is hackable and that it provides cyber criminals another way to exploit us and our devices. Where the vulnerability of IoT is headed can also be seen in the first two episodes of Mr. Robot’s second season – in the hack fsociety did on the smart home of E Corp’s General Counsel (it, too, involved a thermostat going crazy). Even though the attack seems slightly over the top, it definitely opens the door to a range of possibilities.

Related: ‘Your Windows Licence has Expired’ Ransomware

That being said, I wasn’t too surprised to read that two security researchers have successfully hacked an IoT thermostat and infected it with ransomware. Ransomware has already attacked smart TVs, so why not IoT devices? Researchers proved it possible, too, be it harder than expected.

How Did the Thermostat Hack Happen?

During the DEF CON 24, two security researchers, Ken Munro and Andrew Tierney of Pen Test Partners, demonstrated how an IoT device can be hacked. Not only can it be hacked but it also can be infected with ransomware! For that purpose, the infosec couple took an IoT thermostat with a large screen (where the ransom note was displayed) and hacked its codebase. The latter was running a modified version of Linux.

Pen Test Partners opted for a US thermostat with a digital screen. Tierney said the device had a custom board, was ARM-based with a JTAG port, which he said “makes it so easy to hack”.

Why were the researchers able to hack the IoT device? It permitted them to connect an SD card to it. Furthermore, the thermostat software ran with root privileges. This means that no privilege escalation flaws were needed to hack the device.

The attack, in a nutshell? Tierney’s explanation:

So we put in a huge executable by loading a 7MB Javascript file, but this is not plain Javascript so you can query the SQL database so it can execute Linux commands. We got command injection by the SD card, so it was a local attack. With root, you can set off alarm (and set the frequency very high) and can heat and cool at the same time.

Further down the attack lane, the thermostat heated to 99 degrees, and asked for a PIN to unlock which is set to change every 30 seconds. The researchers put an IRC botnet on it, “and the executable dials into the channel and uses the MAC address as the identifier, and you need to pay one Bitcoin to unlock.”

Related: CCTV IoT Botnet Performing Layer 7 DDoS Attacks

Was the Thermostat Ransomware Hack Attack Easy to Perform?

Not really. Munro and Tierney say that it was quite challenging at the moment. It took them two evenings to accomplish. The hack hasn’t been reported to the vendor yet, as the researchers didn’t have time to send out a bug report. The hack was “built” right before the DEF CON. However, a report will follow in just a few days.

Because an official report hasn’t been filed yet, the researchers haven’t revealed the make and the model of the vulnerable thermostat. What the vendor has to do, however, is stop code from running as root and move processes to less-privileged user accounts.

In addition, the researchers point out that if the firmware was unreadable via obfuscation or encryption, it would have been much harder to modify it.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share