Smart Thermostats Can Now be Injected with Ransomware

Thermostat Ransomware
Credit: The Hacker News

Imagine waking up in the morning to find the house extremely hot. You go to check your thermostat, and it’s locked at 99°. To unlock it, you need to pay in bitcoins. If you know what ransomware is, you probably know how dangerous it can be. Ransomware is a type of malware that takes over a device, locks up all your files and demands a payment, usually in bitcoins.

Ken Munro and Andrew Tierney have actually demonstrated this at the DefCon security conference in Las Vegas.

So ransomware can affect computers, smartphones, smart TVs, and even smart thermostats? Yes, and you’re probably wondering how this works. The hackers chose a smart thermostat with a large LCD display, running a modified version of Linux. However, the hackers say that the SD card slot is what makes these smart thermostats so easy to get into.

The “smart” thermostat wouldn’t even check the files running on it, which made it easy to load malware on the device and resulted in that locked screen with the ransom message.

The two hackers would load a 7 Mb JavaScript file, but it is not plain JavaScript: you can query the SQL database to make it execute Linux commands.

“The thermostat heats up to 99°, then asks for a PIN to unlock it, which changes every 30 seconds. We put an IRC botnet on it, then the executable dials the channel and uses the MAC address as the identifier, and you must pay in bitcoins to unlock it,” say the hackers.

There is one small problem, though: in order to hack into the smart thermostats, you need physical access, or you need to convince the person being attacked to download the file and load it on their own.

They took advantage of a vulnerability in the thermostat’s system; however, they refuse to disclose it, as they have not had a chance to file a bug report with the manufacturer, which they will do on Monday. They claimed that it should be easy for the manufacturer to fix.