#DefCon: Smart Thermostat hacked to host a ransomware

Recently we have heard many scary stories of hacking IoT devices, but how realistic is the threat?


This is not just a hypothetical scenario: at the DEFCON24 security conference in Las Vegas, Ken Munro and Andrew Tierney of PenTestPartners have showed off the first proof-of-concept ransomware that infects a smart thermostat.


The researchers chose a thermostat with a large LCD display that runs a modified version of Linux, and has an SD card slot to allow its users to load custom settings or wallpapers, which they said, “makes it so easy to hack.”:

Our thermostat was ARM and Linux based with plenty of processing power and storage, so looked like there was potential for us to get root. It had a Murata Wi-Fi module and most interestingly an SD card slot. No obvious JTAG port though.


The thermostat has a pin head, an Ash shell and no open ports as it connects to its own cloud service, which could not be tested.

The software is 120MB and there is an Air application so it needs Flash installed, and if you pull firmware out you can see how it operates : there is one big executable that does display the user interface.

“So we put in a huge executable by loading a 7MB Javascript file, but this is not plain Javascript so you can query the SQL database so it can execute Linux commands.”

Read the full technical paper on PenTestPartners site:

https://www.pentestpartners.com/blog/thermostat-ransomware-a-lesson-in-iot-security/

I think it’s important to pay attention to the final considerations:

But it’s only a thermostat, right?

Well, yes and no. It’s a device on your network that could easily create a pivot point and result in a compromise of personal data. Security professionals understand the risks and know how to mitigate them. Joe Public doesn’t.

Also, this is a local attack, not remote code execution. That said, it’s plausible — social engineering, second hand thermostats and compromised supply chains all lend themselves to this.

This exercise was about demonstrating an issue and encouraging the industry to fix it. Will malicious actors do this in future? Perhaps, though we hope that the IoT industry has resolved these issues way before attacks become a reality.

In the unlikely event that you do get held hostage by thermostat ransomware, disconnect the stat and replace it with a non-smart version. Security pros could also potentially reflash the firmware and remove the bug.

Comments