Your NEST Thermostat can be hacked in multiple ways

Your ‘Smart’ Thermostat Is Now Vulnerable To Ransomware

from the the-Jetsons-this-ain’t dept

We’ve noted time and time again how the much ballyhooed “internet of things” is a privacy and security dumpster fire, and the check is about to come due. Countless companies and “IoT” evangelists jumped head first into the profit party, few bothering to cast even a worried look over at the reality that basic security and privacy standards hadn’t come along for the ride. The result has been an endless parade of not-so-smart devices and appliances that are busy either leaking your personal details or potentially putting your life at risk.

Of course, the Internet of Things hype machine began with smart thermostats and the sexy, Apple-esque advertising of Nest. The fun and games didn’t last however, especially after several botched firmware updates resulted in people being unable to heat or cool their homes (relatively essential for a thermostat).

Not quite the future that was advertised. And things are about to get notably more interesting with the news that hackers have figured out a way to load smart thermostats with ransomware. Security researchers Andrew Tierney and Ken Munro demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, using the opportunity to highlight how many of these devices aren’t transparent and fail utterly at giving users any real control of what’s happening on their home network:

“We don’t have any control over our devices, and don’t really know what they’re doing and how they’re doing it,” Tierney told Motherboard. “And if they start doing something you don’t understand, you don’t really have a way of dealing with it.”

And again, as we’ve seen with everything from smart refrigerators to Wi-Fi embedded tea kettles, companies get so excited about the IoT marketing and revenue possibilities, they fail to embed even basic security in supposedly intelligent devices:

“The thermostat in question has a large LCD display, runs the operating system Linux, and has an SD card that allows users to load custom settings or wallpapers. The researchers found that the thermostat didn’t really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware into an application or what looks like a picture and trick users to transfer it on the thermostat, making it run automatically.”

So yeah, imagine waking up one morning to this:

Yes, this is just one thermostat and a proof-of-concept, but worries about the IoT industry’s total failure to include security on “smart” devices should not be confused with scaremongering or hyperbole. As Bruce Schneier recently warned, the IoT explosion has resulted in the introduction of thousands of new attack vectors in homes, businesses and vehicles across the country, with vendors and Luddite consumers often ill-prepared to quickly update these products when vulnerabilities are exposed. If smart technology doesn’t get smarter soon, the future of smart technology…is going to be dumb technology.