Last week, Andrew Tierney and Ken Munro from Pen Test Partners demoed their proof-of-concept ransomware for smart thermostats, which relies on users being tricked into downloading malware that then roots the device and locks the user out while displaying a demand for one bitcoin.
The researchers have not released source code or the name of the manufacturer. They say that they gained vital intelligence by examining the manufacturer's regulatory filings with the FCC, and that they could design an attack that turned heating or cooling to arbitrary setpoints, ran both at once, or rapidly power-cycled them, possibly causing damage.
Of course, it's axiomatic that if you can get users to install bad software, the bad software will do bad things. But there are a couple of wrinkles here worth noting:
* First, the device has no interlocks to prevent unsafe or unwise settings -- nothing to limit the heating or cooling setpoints, or simultaneous air-conditioner/furnace operation, or repeated high-speed power-cycling -- which means that software defects, as well as malicious software, can do significant damage that might be prevented with more thoughtful systems design.
* Second, the business model for smart thermostats overwhelmingly assumes that users are hostile parties, and protects against them with DRM of some kind. Some thermostats are designed to be sold to power companies who'll subsidize their installation in customers' homes so that the power authority can tweak power consumption to reduce load at peak times -- these sales are much easier to make if the vendor can assure the power company that there are no apps that allow users to override these tweaks, that no apps that enable this will be approved for the device, and that the device will not run unapproved apps.
Additionally, many smart thermostats' business model depends on extracting rents from independent software vendors who create apps for the device. To maximize revenues in this model, vendors typically rely on DRM that prevents installation of apps from third-party stores or apps that are directly supplied by the vendor.
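The first wrinkle is a systems-design problem, so here is the kind of interlock layer it calls for, as an added illustration that is not the researchers' code or any vendor's firmware: every relay request, whatever app or bug produced it, passes through one validator that clamps setpoints, refuses simultaneous heat and cool, and enforces minimum dwell and compressor rest times. All limits, names and timings are constructed for the example.

```python
# Software interlocks for a thermostat's relay control path. Added
# illustration, not the vendor's firmware: limits, names and timings are
# constructed for the example. Every relay request, whether from the UI,
# a downloaded app or a buggy scheduler, passes through check_request()
# before it can reach the hardware, so the plant stays protected even
# when the software above it is not.

MIN_SETPOINT_F = 50          # floor: keeps pipes from freezing
MAX_SETPOINT_F = 90          # ceiling: protects occupants and equipment
MIN_COMPRESSOR_OFF_S = 300   # compressor must rest before restarting
MIN_MODE_DWELL_S = 600       # minimum time between heat<->cool switches

class RelayState:
    """What the controller last committed to the relays."""
    def __init__(self):
        self.heat = False
        self.cool = False
        self.setpoint_f = 68.0
        self.mode_changed_at_s = float("-inf")
        self.compressor_off_at_s = float("-inf")

def check_request(state, heat, cool, setpoint_f, now_s):
    """Validate a relay request without changing state.
    Returns (allowed, reason, clamped_setpoint_or_None)."""
    if heat and cool:
        return False, "heat and cool may not run simultaneously", None
    # Clamp rather than reject: a wild setpoint is bounded, not honoured.
    clamped = min(max(float(setpoint_f), MIN_SETPOINT_F), MAX_SETPOINT_F)
    mode_now = "heat" if state.heat else "cool" if state.cool else "off"
    mode_req = "heat" if heat else "cool" if cool else "off"
    switching = "off" not in (mode_now, mode_req) and mode_now != mode_req
    if switching and now_s - state.mode_changed_at_s < MIN_MODE_DWELL_S:
        return False, "heat/cool switch too soon after last mode change", None
    if cool and not state.cool and \
            now_s - state.compressor_off_at_s < MIN_COMPRESSOR_OFF_S:
        return False, "compressor restart blocked by short-cycle guard", None
    return True, "ok", clamped

def apply_request(state, heat, cool, setpoint_f, now_s):
    """Commit a request only if every interlock passes."""
    allowed, reason, clamped = check_request(state, heat, cool, setpoint_f, now_s)
    if allowed:
        if state.cool and not cool:            # compressor stopping now
            state.compressor_off_at_s = now_s
        if (heat, cool) != (state.heat, state.cool):
            state.mode_changed_at_s = now_s
        state.heat, state.cool, state.setpoint_f = heat, cool, clamped
    return allowed, reason, clamped
```

The point is placement: the checks sit below every app and UI path, so a compromised app can only ask for states the hardware can tolerate.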
This matters because a device with DRM poses significant legal risks to security researchers. Anti-circumvention laws like section 1201 of the DMCA and the European laws implementing Article 6 of the EUCD have been invoked to make civil and criminal threats against security researchers, on the theory that information about defects in a device will assist people who want to bypass the DRM, which is banned under these laws.
Which means that Tierney and Munro's silence on the vendor implicated in their hack isn't just a matter of giving the vendor time to patch its systems: it's also protecting them from legal threats. As the US Copyright Office heard last summer, many security researchers never publish their findings, leaving owners of devices like this thermostat in the dark about defects in products they're relying upon.
The two took advantage of a bug in a particular thermostat, but declined to reveal which one since they haven’t had a chance to contact the company and get it fixed yet. The two said they found the vulnerability just a few days before Def Con, adding that they plan to contact the company to get it fixed on Monday. They also said the fix should be easy to deploy.
The thermostat in question has a large LCD display, runs the Linux operating system, and has an SD card that allows users to load custom settings or wallpapers. The researchers found that the thermostat didn’t really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware in an application or what looks like a picture and trick users into transferring it onto the thermostat, making it run automatically.
Thermostat Ransomware: a lesson in IoT security [Pen Test Partners]
Hackers Make the First-Ever Ransomware for Smart Thermostats [Lorenzo Franceschi-Bicchierai/Motherboard]
(Thanks, David Wolfberg!)