
Hackers Make the First-Ever Ransomware for Smart Thermostats - ProZsolt
https://motherboard.vice.com/read/internet-of-things-ransomware-smart-thermostat
======
balabaster
Pfft... disconnect the thermostat and take it back to the store and get a new
one. If their security is so asinine that it can be hacked with ransomware,
they should damn well cover it under warranty. 1 bitcoin indeed. Put your old
mercury switch back in place until you have the time to go and replace it. At
least with your thermostat, you're not losing all your work...

...and it's simple to disconnect and reconnect yourself with 2 or 3 wires. In
fact, I'd wager with a single wire and a little (and I do mean only a little)
know-how and a copy of the factory firmware you can recover it using the exact
same process as you unbrick a router in just a few minutes.

Though, you should probably close the other holes in your network first.
Chances are, if your thermostat has been hacked, they're in your network and
it's only a matter of time before your computers suffer the same treatment.

~~~
nbadg
> ...and it's simple to disconnect and reconnect yourself with 2 or 3 wires.

This "sort of" works for now, depending on where you live, what season,
whether or not you keep junked tech, etc. But it strikes me, not only as
dismissive and condescending, but also particularly short-sighted.

I can imagine, 20 or 30 years ago, someone saying something similar about a
car: "a bug in your ECU is keeping your car from starting? That's your problem
for having bought a car running off of a computer!" Fast-forward to today. It
simply isn't possible to buy a car without an ECU.

The thing is, the changes that brought ECUs to cars are exactly the kinds of
changes that are bringing computers into thermostats. In a surprisingly short
amount of time, we're going to be living in a world where it simply isn't
possible for most people to find a thermostat without a computer.

When people feel their agency and autonomy is being compromised with new
technology, a common sentiment to echo in the tech world is "if you don't like
it, don't use it". But the plain fact of the matter is that in many cases, IoT
being an emergent but prototypical example, non-participation simply isn't an
option.

~~~
dsfyu404ed
Consumers don't choose a thermostat the same way they choose a vehicle. If you
design a thermostat with bad code that becomes non functional your brand isn't
irrevocably tarnished for decades. GM still doesn't sell many passenger cars
with diesel engines and the consensus on its cylinder deactivation tech is
that it's better than 4-6-8 but hard on rings.

------
csydas
I don't think there is much to say here that hasn't already been said about
IoT security - like many commenters mentioned before, we're going to be going
through a very rough period for some time where IoT devices just aren't up to
par with expected security procedures, and consumer awareness campaigns will
be necessary to educate less savvy consumers about the potential dangers of
IoT devices at the moment.

In particular, start-ups trying to capitalize on IoT in niche products will
need excess scrutiny in order to ensure they're not trying to run fly-by-night
operations just to make a quick buck. Chinese IoT knock-offs will also need to
be monitored carefully.

What's most frightening to me on something like this is even tech-savvy users
are fairly screwed as your ability to interact with the device and try to
remove or clear the ransomware manually will be restricted by the same methods
meant to prevent you from tampering with the device in the first place. This
likely can leave people without any recourse in ransom scenarios like the
thermostat being hijacked, and the end-user will have no option except to
remove the device.

Hopefully either a consumer or business alliance crops up with suggested
practices for IoT devices, including remediation methods for these very
scenarios. I think it's preposterous for companies to assume that their
devices will never be compromised, and if they're going to lock down the
devices, they need to provide a guaranteed way to reset the device; a bit of
set up work certainly beats paying to make sure your fridge still works
tomorrow. With IoT creeping out as the next "must include" feature for
manufacturers, this sort of consumer protection is going to be essential.

~~~
ssharp
_I don't think there is much to say here that hasn't already been said about
IoT security - like many commenters mentioned before, we're going to be going
through a very rough period for some time where IoT devices just aren't up to
par with expected security procedures, and consumer awareness campaigns will
be necessary to educate less savvy consumers about the potential dangers of
IoT devices at the moment._

I _suppose_ I can see some potential future value to devices like thermostats,
that directly control "large" resources like natural gas (by "large", I mean
relative to what other resources a household consumes). Smarter controls at
the household level could provide substantial energy savings in the aggregate.

However, the pessimist in me says "why does anyone really need appliances
connected to the internet?". So you're trading off some potential future value
to reduce overall energy use by better optimizing your own consumption in the
present. You're also exposing yourself to faulty equipment that might also
pose security risks. Do these thermostats have some sort of hardware kill
switch that prevents software from doing clearly stupid things, like shutting
off entirely or setting the heat to a maximum setting?

Finally, there was this gem in the article that I did not remember hearing
about:

 _Munro, who last year found that a Samsung smart fridge leaked Gmail
passwords_

What exactly is the purpose of a "smart fridge", why does it need Gmail
passwords, etc.

~~~
59nadir
> However, the pessimist in me says "why does anyone really need appliances
> connected to the internet?".

I think it's important to answer this without any of the qualifications you
write after it. No one needs it. It's not even necessarily about how secure it
is; if you're paying extra for these features you're just throwing your money
away in the name of gadgetism.

You really don't need to fill in that they're unsafe or made with crap
components. The truth is that no one would have a need of a perfectly made
one.

~~~
Klathmon
Well nobody has a need for 99% of the crap in our lives. You don't need a car,
you don't need a TV, you don't need a computer.

But it sure as hell is nice to have all of those things.

I find it funny that in an article about how manufacturers are locking down
their devices to only the features that the consumer needs (effectively having
the manufacturer tell you what you need), you are going around telling others
what they need.

------
imglorp
An observation on the example threat model the researcher presented. I don't
think ransomware to unlock your thermostat is too lucrative.

I think the real home threat model is foothold: sitting quietly on your
network and chipping away at the rest of your network, sipping from your
fileserver, opening more ports on your router, etc.

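The "foothold" threat model above is the one a practitioner can actually instrument: a thermostat has no business talking to other LAN hosts, to the router's admin port, or to the wider internet beyond its vendor's cloud. The following is an added example, not code from the article or from any vendor. It audits a few constructed flow records (the addresses, the device IP 192.168.1.50, the vendor network 203.0.113.0/24 and the allowed services are all assumptions) against a per-device allowlist and flags the three signatures imglorp lists: lateral connections, router tampering, and unexpected egress. It also renders the same allowlist as deny-by-default nftables rules, which is one way to "revoke its network privs" without throwing the device away.

```python
import ipaddress
from dataclasses import dataclass

# Constructed flow records for illustration only; none of these are from the article.
SAMPLE_FLOWS = """\
2016-08-08T10:00:01 src=192.168.1.50 dst=192.168.1.1 proto=udp dport=53
2016-08-08T10:00:02 src=192.168.1.50 dst=203.0.113.10 proto=tcp dport=443
2016-08-08T10:00:03 src=192.168.1.50 dst=192.168.1.20 proto=tcp dport=445
2016-08-08T10:00:04 src=192.168.1.50 dst=192.168.1.1 proto=tcp dport=80
2016-08-08T10:00:05 src=192.168.1.50 dst=198.51.100.7 proto=tcp dport=6667
2016-08-08T10:00:06 src=192.168.1.50 dst=203.0.113.11 proto=udp dport=123
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class DevicePolicy:
    """What one IoT device is allowed to talk to. Everything else is a finding."""
    device: str              # the device's LAN address
    gateway: str             # the home router
    cloud_nets: tuple        # networks the vendor cloud lives in (assumed here)
    allowed_external: frozenset  # (proto, dport) pairs allowed towards cloud_nets
    allowed_gateway: frozenset   # (proto, dport) pairs allowed towards the gateway


# Assumed policy for a hypothetical thermostat: DNS to the router, HTTPS and NTP to the vendor.
THERMOSTAT_POLICY = DevicePolicy(
    device="192.168.1.50",
    gateway="192.168.1.1",
    cloud_nets=(ipaddress.ip_network("203.0.113.0/24"),),
    allowed_external=frozenset({("tcp", 443), ("udp", 123)}),
    allowed_gateway=frozenset({("udp", 53)}),
)


def parse_flow(line):
    """Parse one 'ts key=value ...' record into a dict with an integer dport."""
    ts, *pairs = line.split()
    flow = {"ts": ts}
    for item in pairs:
        key, _, value = item.partition("=")
        flow[key] = value
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow, policy):
    """Return 'ok', 'ignored', or one of the three foothold signatures."""
    if flow["src"] != policy.device:
        return "ignored"                     # not this device's traffic
    dst = ipaddress.ip_address(flow["dst"])
    service = (flow["proto"], flow["dport"])
    if dst == ipaddress.ip_address(policy.gateway):
        # Anything beyond DNS/DHCP towards the router looks like router tampering.
        return "ok" if service in policy.allowed_gateway else "router_admin"
    if any(dst in net for net in PRIVATE_NETS):
        return "lateral"                     # thermostat reaching another LAN host
    if any(dst in net for net in policy.cloud_nets) and service in policy.allowed_external:
        return "ok"
    return "unexpected_egress"               # e.g. an IRC-style C2 port to an unknown host


def audit(log_text, policy):
    """Run every record through classify() and return the findings as tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow, policy)
        if verdict not in ("ok", "ignored"):
            findings.append((flow["ts"], flow["dst"], flow["proto"], flow["dport"], verdict))
    return findings


def nft_rules(policy):
    """Render the allowlist as nftables forward-chain rules, deny by default."""
    rules = []
    for net in policy.cloud_nets:
        for proto, port in sorted(policy.allowed_external):
            rules.append(f"ip saddr {policy.device} ip daddr {net} {proto} dport {port} accept")
    for proto, port in sorted(policy.allowed_gateway):
        rules.append(f"ip saddr {policy.device} ip daddr {policy.gateway} {proto} dport {port} accept")
    rules.append(f"ip saddr {policy.device} drop")
    return rules


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, THERMOSTAT_POLICY):
        print(*finding)
    print("\n".join(nft_rules(THERMOSTAT_POLICY)))
```

On the constructed input this reports the SMB connection to 192.168.1.20 as lateral movement, the HTTP connection to the router as router_admin, and the port 6667 connection as unexpected egress, while the DNS, HTTPS and NTP flows pass. The nftables rules are the inverse of the same policy: allow the few things the device needs, then drop everything else it originates, so a compromised thermostat is a noisy dead end rather than a quiet foothold.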
~~~
csydas
Could you elaborate why you think it wouldn't be lucrative? With normal
computer/phone/tablet ransomware, the thought process is largely "do I mind
losing my files/pictures?" - reinstalls and HDD replacements are usually an
option, and victims have time to mull over it, unless given a time limit by
the ransomware.

With an IoT ransomware, vital appliances or controllers can be overtaken and
potentially disrupt the victim's day to day activities. (Fridge is put into
vacation mode if not paid in 24 hours, thermostat cranks the heat or AC until
paid). These have very immediate and often costly real world consequences that
cannot be mitigated short of removing the IoT device, and the immediacy can
force a payment decision much faster than other ransomware.

I guess I don't see how you reason that it's less lucrative when the immediacy
seems like it would prompt more payments.

~~~
imglorp
In the case of a $100 thermostat, knowing it's infected, I'd throw it away and
buy another brand, unless I knew how to wipe and secure it. It's two screws
and a few wires. Why would I pay even a $1 to someone who might or might not get
off my network?

In the case of a $2000 fridge, it's more persuasive. I might respond by
revoking its network privs and paying for a service call to wipe and reset to
factory. Again, I'm not going to trust the bad guy to get off my network.

In both cases, the bad guy has shown bad intent, means, and opportunity. I'm
not trusting him after a payoff.

~~~
csydas
I understand your position here but you are familiar with ransomware scams it
seems and also at least tech savvy enough to know you can restrict network
access. However I do not feel you are representative of most homeowners who
would be in the same situation, and my evidence by example is that ransomware
is exceptionally profitable despite how well known the malware is and how many
reports and instructions on your options to respond there are.

Basically while I agree with your assessment on how to respond I think the
fact that ransomware is still so profitable means that you are the exception
in this case. I posit that the same persons who reluctantly pay ransoms for
their phones/tablets/desktops/laptops would be all the more quick to pay if
not paying meant an additional heating or electric bill on top of it. I don't
know if utilities would be sympathetic to victims but I am not confident they
would be.

No, rationally there is no guarantee that payment unlocks the device or
removes the attacker, but part of the attack is intending to induce an
irrational state- it's likely why early ransomware pretended to be DMCA claims
or FBI warnings.

(Please forgive spelling errors as I am on a tablet)

------
Cshelton
We really just need education and prevention on the hardware side.

Just like sex... if you don't absolutely know where something has come from or
has been before, DON'T STICK IT INSIDE OF YOU (...without protection).

Consumers: If it's an sd card, a usb-stick/flash drive...whatever, don't put
it inside of your hardware. Especially critical hardware such as a thermostat.

Hardware creators: Don't build slots, or at least exposed slots, for sd
cards/usb drives, etc. on hardware such as thermostats, cameras, etc. I know
the sales team told you the customer wants to put an image of their cat as the
background of their thermostat, "it's the killer feature". Just say NO. There
is absolutely no reason to do that using hardware. Build an online portal
where users can upload images and then check them yourself before offering
them as background choices.

~~~
pavel_lishin
> _There is absolutely no reason to do that using hardware. Build an online
> portal where users can upload images and then check them yourself before
> offering them as background choices._

Doesn't that just move the threat surface? Now instead of having to convince
end users to put something on a USB stick, you have to try a password dump
against your interface.

~~~
Practicality
Right. In practical terms the online portal tacked on at the last minute is
likely much less secure than the hardware tacked on.

Although both ideas are nightmares for security.

