Ransomware is about to make the leap from computers and smartphones to Internet of Things (IoT) devices. Andrew Tierney and Ken Munro, two UK-based researchers at IT security firm Pen Test Partners, demonstrated the world’s first ransomware for a smart thermostat at the DefCon security conference in Las Vegas.
The thermostat in question has a large LCD display, runs Linux, and has an SD card that lets users load custom settings or wallpapers. The researchers found that the thermostat didn’t validate what kind of files it was loading and executing from the card. In theory, this would allow a malicious hacker to hide malware in an application, or in what looks like a picture, trick users into copying it onto the thermostat, and have it run automatically.
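The weakness described above is a loader that trusts a file's name (or nothing at all) instead of its contents. The example below is added here to illustrate the defensive fix; it is not code from the article or from Pen Test Partners, and the accepted formats, the magic-byte table, the size cap and the sample files are all assumptions constructed for the demonstration. It contrasts a name-only check with a hardened check that requires an allow-listed extension, content whose leading bytes match the declared image type, and a size cap, and it hands accepted data only to an image decoder, never to anything that executes it.

```python
import os

# Leading bytes ("magic") for the image formats a wallpaper loader should accept.
# Assumption for this example: the article does not say which formats the device accepts.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".bmp": (b"BM",),
}
MAX_WALLPAPER_BYTES = 4 * 1024 * 1024  # hypothetical cap; real limit comes from the display


def naive_is_wallpaper(filename: str) -> bool:
    """The weak check: trust the file name alone. Anything renamed to .png passes."""
    return os.path.splitext(filename)[1].lower() in IMAGE_MAGIC


def validate_wallpaper(filename: str, data: bytes) -> tuple:
    """Hardened check: allow-listed extension AND matching content magic AND size cap.

    Returns (accepted, reason). A caller should pass accepted bytes only to an
    image decoder; nothing read from removable media is written to a location
    that the device later executes.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False, "extension %r not in allowlist" % ext
    if len(data) > MAX_WALLPAPER_BYTES:
        return False, "file exceeds wallpaper size cap"
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


# Constructed sample files standing in for the contents of an SD card.
SAMPLES = {
    # constructed: a genuine PNG header followed by filler bytes
    "sunset.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    # constructed: a native executable header carrying an image extension
    "sunset_2.png": b"\x7fELF" + b"\x00" * 64,
    # constructed: a shell script carrying an image extension
    "settings.jpg": b"#!/bin/sh\necho hello\n",
    # constructed: a file type the loader should never touch at all
    "update.bin": b"\x00" * 16,
}


def audit(samples=None):
    """Return {filename: (naive_verdict, hardened_verdict)} for each sample."""
    samples = SAMPLES if samples is None else samples
    return {
        name: (naive_is_wallpaper(name), validate_wallpaper(name, data)[0])
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (weak, strong) in audit().items():
        print("%-14s name-only check: %-5s  content check: %s" % (name, weak, strong))
```

Run as a script it prints one line per sample; the name-only check accepts three of the four files, while the content check accepts only the real image. Checking magic bytes is not a substitute for a signature on firmware or settings bundles, but it is the minimum a loader for user-supplied media should do, and it costs a few lines.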
For a device to be infected, an attacker would need physical access, or the owner would have to be tricked into infecting their own thermostat. The name and manufacturer of the affected device haven’t been publicly announced. That’s because the researchers only identified the vulnerability two days before the conference was scheduled to start, and have not been able to contact the manufacturer to arrange a fix. Tierney and Munro both believe it will be an easy problem to patch, Motherboard reported.
This episode illustrates the troubling fragility of Internet of Things devices. Far too many have shipped with vulnerabilities that leave their users at risk, from Wi-Fi-enabled kettles that leak network passwords to “smart fridges” that broadcast the user’s Gmail credentials in plaintext.
As the number of IoT manufacturers and users proliferates, and as the devices become mainstream household appliances, it seems probable we’ll see even more high-profile security issues. As Tierney pointed out, if people were so inclined, they could purchase previously owned IoT thermostats. “You can buy one of these on eBay and there is no way of checking it. It is not difficult [to hack] and I did it in two evenings.” “You’re not just buying [Internet of Things] gear, you’re inviting people on your network and you have no idea what these things do.”