In theory the internet of things is a sci-fi miracle; with a tap of your phone you can change the temperature of your home, unlock your door, or turn off your lights from a hundred miles away. A pair of white hat hackers would like us to remember that miracles can have a dark side. To make that point they decided to hack a smart thermostat and see if the temperature of your home could be held for ransom. The answer is yes.
Now before you run screaming for the hills, be aware that Andrew Tierney and Ken Munro’s hack required physical access to the thermostat in question to work. These hackers placed an SD card inside the device, which allowed them lock users out of the thermostat.
Rather than showing temperature controls the device’s display was set to say “You Suck! Pay 1 Bitcon to get control back. Due to a lack of security features the thermostat simply ran the files that were on the SD card. It’s a silly oversight, but one that belies the risk of not safeguarding these systems. How long will it be until a wireless device like this proves remotely hackable?
If you’ve ever faced a ransomware attack on your computer you know how helpless it makes you feel to not be able to check your email or use your files. Now imagine an attack that made your house 110 degrees until you paid an anonymous hacker one Bitcoin, or $599.98 USD.
In an interview with Motherboard the hackers explained that their motivation for this test was to show smart device developers they need to be aware of the risks of their products and take precautions to ensure they’re safe. “We don’t have any control over our devices, and don’t really know what they’re doing and how they’re doing it,” Tierney told Motherboard. “And if they start doing something you don’t understand, you don’t really have a way of dealing with it.”
This isn’t a new issue. Munro discovered last year that a Samsung smart fridge was capable of leaking your Gmail password. The trade off of convenience shouldn’t be security, but often in the rush to be first to the market, security does take a backseat. Munro and Tierney aren’t trying to break the system, they just want the people developing it to take precautions to ensure more unscrupulous hackers won’t use convenience to hurt users.
As of now, your smart thermostat is safe. But as our lives become more and more connected to the internet, it’s time we started to wonder if the same risks our computers face could find their way to our smart devices. If our computers are at risk of ransomware, how long before your smart thermostat is?