Friday, August 12, 2016

It's COOL! — The First-Ever Ransomware For Smart Thermostat


Internet of Things (IoT) is the latest buzz in the world of technology, but they are much easier to hack than you think.


Until now we have heard many scary stories of hacking IoT devices, but how realistic is the threat?


Just think of a scenario where you enter in your house, and it's sweltering, but when you head on to check the temperature of your thermostat, you find out that it has been locked to 99 degrees.

And guess what?

Your room thermostat is demanding 1 Bitcoin to regain its control.


Congratulations, Your Thermostat has been Hacked!


This is not just a hypothetical scenario; this is exactly what Ken Munro and Andrew Tierney of UK-based security firm Pen Test Partners have demonstrated at the DEFCON 24 security conference in Las Vegas last Saturday.


Two white hat hackers recently showed off the first proof-of-concept (PoC) ransomware that infects a smart thermostat.


Ransomware is an infamous piece of malware that has been known for locking up computer files and then demanding a ransom, usually in Bitcoins, in order to unlock them.

But, over time the threat has changed its way to the mobile world, infecting smartphones, and even smart TVs.


The hackers chose a US thermostat with a large LCD display that runs a modified version of Linux, and has an SD card slot to allow its users to load custom settings or wallpapers, which they said, "makes it so easy to hack."


The duo found that the thermostat did not really check the files running and executing on it, which allowed them to load malware into the thermostat, locking the screen and showing a classic ransom note.

"So we put in a huge executable by loading a 7MB Javascript file, but this is not plain Javascript so you can query the SQL database so it can execute Linux commands," Tierney told Infosecurity Magazine. 
"It heats to 99 degrees, and asks for a PIN to unlock which changes every 30 seconds. We put an IRC botnet on it, and the executable dials into the channel and uses the MAC address as the identifier, and you need to pay one Bitcoin to unlock."
Since every process inside the thermostat application runs with root privileges, a malicious hacker does not require any special privilege escalation vulnerabilities to compromise the device.


The researchers took advantage of a vulnerability in the particular thermostat's system, but they declined to publicly disclose it, since they have not got a chance to file a bug report with the thermostat manufacturer and get it fixed yet.


However, the two plan to report the bug today, on Monday. They also said the patch should be easy to deploy.


The downside, though, is that installing the ransomware, currently, requires the hackers to either have physical access to the thermostat or trick the victim into loading malicious files on the device on his own.


Since Internet of Things is currently being deployed in a large variety of uses throughout your home, businesses, hospitals, and even entire cities that are called Smart Cities, it gives attackers a large number of entry points to affect you some or the other way.


But, if deployed securely, it could do miracles… even save your life.


Tesla Autopilot Saved a Life


Just take a recent example of Tesla smart car.


Tesla Model X owner, 37-year-old attorney Joshua Neally, claimed the car's Autopilot feature (self-driving mode) got him to the hospital during a medical emergency.


However, the downside of such self-driven technology is that it can be hacked by crooks and we can not ignore them because we have seen a number of smart car hacking incidents in the past.


Previous research demonstrated hackers capabilities to hijack smart cars remotely and control its steering, brakes, and transmission, and even disable car's crucial functions like airbags by exploiting security flaws affecting significant automobiles.


The bottom line:


Being cyber savvy could let you enjoy the new world of connected devices while helping you stay safe online.
Previous Post
Next Post

0 comments: