September 12, 2016

Will Your Thermostat Be The Next Device Held For Ransom?


An interesting and disturbing new form of ransomware was on display at this year’s Def Con convention in Las Vegas. So far as anyone knows, this is the first proof-of-concept ransomware that targets smart thermostats. Yes, you read that correctly. The new ransomware is specifically designed to target smart thermostats.

Various security experts have been warning for years that not nearly enough attention was being paid to security where the Internet of Things is concerned, and this latest demonstration puts the exclamation point at the end of that sentence. The hackers were amazed at how easy it was to set up and execute the hack, comparing it to breaking into a Linux box from the 1990s riddled with security holes.

This demonstration was performed as a local hack, meaning the hackers had to have physical access to the thermostat in question. Once performed, it gave them root-level control over the device, allowing them to run both the heat and the AC simultaneously, turn the heat up to 99 degrees and leave it running constantly, while displaying a message that the unit had been compromised and instructing the owner to pay one Bitcoin to regain control of their system.

In order to prevent the user from regaining control via some other means, the software was designed to generate a PIN that changed every thirty seconds.

Given that this is a local attack, it’s somewhat more difficult to pull off than a remote attack would be, but bear in mind that this is merely the first generation of the software. You can bet that work has already begun on a variant that will allow the attack to be conducted remotely, and given the proliferation of internet-enabled devices, this type of attack is certain to spread. Internet of Things devices are notoriously lacking in the security features that come standard on all PCs and smartphones, making them easy targets for any would-be hacker.

If you’re concerned about the state of your company’s digital security, contact us today, and we’ll have one of our knowledgeable staff members contact you to see how we can help.