If you’ve encountered ransomware before, you’re familiar with how incredibly destructive it can be. It literally holds your computer and files hostage unless you cough up a steep ransom, usually paid in Bitcoin.
Now, it looks like ransomware is about to make the leap from computers and smartphones to Internet of Things devices.
Andrew Tierney and Ken Munro – two UK-based researchers for IT security firm Pen Test Partners – demonstrated the world’s first ransomware for a smart thermostat earlier this week at the DefCon security conference in Las Vegas.
The Wi-Fi enabled thermostat that the researchers targeted is basically a Linux computer. It allows the user to upload wallpapers and configuration settings through an SD card; that’s what they use as a vehicle to install a malicious program onto the device. At this point, an attacker would have full control over the thermostat.
It’s worth noting that for a device to be infected, an attacker would need physical access, or the owner would have to be tricked into infecting their own thermostat.
So far, the name and manufacturer of the device affected hasn’t been publicly announced. That’s because the researchers only identified the vulnerability two days before the conference was scheduled to start, and have not been able to contact the manufacturer in order to arrange a fix.
Thankfully, Tierney and Munro both believe that it will be an easy problem to patch.
This episode illustrates the troubling fragility of Internet of Things devices. There are far too many of them that have shipped with vulnerabilities that leave their users at risk, from Wi-Fi enabled kettles that leak network passwords, to “smart fridges” that broadcast the user’s Gmail credentials in plaintext.
As the number of IoT manufacturers and users proliferate, and as the devices become mainstream household appliances, it seems probable we’ll see even more high-profile security issues.