Smart home technology is increasingly commonplace. As tech-conscious consumers, we have embraced Internet-connected fridges, kettles, and thermostats feet-first. Although shiny, these often ship with significant security flaws, which can prove disastrous for users.
The Heatmiser smart thermostat is one such example. Like the Nest, it allows you to regulate your home intelligently and remotely. A quick glance at Shodan shows the thermostat deployed worldwide in homes, workplaces, and schools.
The thermostat offers a web portal. Unfortunately, it’s not particularly well-secured: the login credentials are available in plaintext within the source code of one page. Once an attacker has obtained these, they can easily tweak the settings.
This means someone could easily turn off your heating in the midst of winter, or crank it up during a long summer day.
One researcher from NewSky Security has identified an individual bragging about doing just this:
In at least one hacking forum, we observed a case where a hacker implemented such an attack to take control of one thermostat and increase its temperature from 23C (73.4 F) to 35C (95 F). The attacker is proud of this work and flaunted it in the forum.
The hacker provided the following photos as proof.
Internet of Things devices have long been targeted by hackers. Usually, this involves recruiting them into massive botnets of zombified gadgets that are then used to take down websites and online services.
It’s exceedingly rare that an IoT device will be targeted simply to inconvenience or harm the end-user. Examples of this are mostly theoretical — like a smart thermostat ransomware we wrote about a few months ago. But here we are, with hackers fiddling with knobs only we should be able to control. This is exceedingly troubling.
We’ve reached out to Heatmiser for a comment. If we hear back, we’ll update this post.
Update: They got in touch. Director Martyn Kay said “The product you are featuring was featured back in 2014 by Cybergibbons that you can see here.” He added, “The product in question was the Heatmiser PRT-TS WIFI that was discontinued in 2014.”
CyberGibbons, the original researcher, also notes that the majority of devices are now running secure firmware.
— the cybergibbons (@cybergibbons) July 21, 2017