Your smart thermostat is hacked



Over the weekend, two security researchers showed how one could “infiltrate” ransomware into a “connected” thermostat.

Tierney and Munro, who work at the UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference ‘Def Con’ last Saturday. A report in Motherboard said the two white hat hackers showed off the first-ever ransomware that worked against a “smart” device, in this case, the thermostat.

According to the report, the two took advantage of a bug in a particular thermostat, though they did not name the brand. The hackers said they found the vulnerability just a few days before Def Con, adding that they plan to contact the company to get it fixed on Monday. The fix, however, was easy to deploy, the duo claimed.

Motherboard reported that the thermostat in question had a large LCD display and ran the Linux operating system. The researchers found that the thermostat didn’t really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware in an application, or in what looks like a picture, and trick users into transferring it onto the thermostat, where it would run automatically.

The hackers admitted this was not an easy attack to pull off in practice, as it required people to actively download and transfer malware onto their thermostats. But, for example, plenty of Android users in the past had been hacked by willingly installing malicious apps on their phones, as many did recently with a fake Pokemon Go app.
