By Megan Bozman

Ransomware is an extremely creepy concept. It involves a hacker taking control of your digital assets, as opposed to your loved one, and demanding a ransom payment, or the assets will be destroyed.

Perhaps the ‘creepiness’ comes from the remote aspect of it. Hackers could be located anywhere geographically and target victims in any locale. They’re unseen, unknown.

The IoT ransomware message that Tierney and Munro were able to display on the vulnerable thermostat. (Image: Ken Munro)
The IoT ransomware message that Tierney and Munro were able to display on the vulnerable thermostat. (Image: Ken Munro)

At a recent DEF CON event, the first ransomware attack of a consumer-grade IoT product was demonstrated. Andrew Tierney and Ken Munro of PenTest Partners, providers of penetration testing and security services, demonstrated the smart thermostat ransomware.

To be fair, internet connected thermostats aren’t a commonly adopted technology. They’ve been mocked as an IoT use case of connecting a thing to the internet merely because we can, not because we actually should.

But unfortunately the ubiquity of IoT thermostats is irrelevant.

How Feasible is IoT Ransomware?

As with many hacks, this was a local attack, meaning the hackers needed physical access to the device, as opposed to merely hacking remotely. In my opinion, this greatly decreases the creepiness. However a remote attack is theoretically possible.

And if it can be done to a thermostat, it can be done to a fridge, a pet feeder, a garage door opener, or a car. (And yes, cars have been hacked, although despite appearances, it is not actually a reason to panic.) Mr. Tierney stated, “You’re not just buying [Internet of Things] gear, you’re inviting people on your network and you have no idea what these things do.”

Fulfilling Pessimistic Predictions

Ken Munro of PenTest Partners, Twitter
Ken Munro of PenTest Partners, Twitter

Mr. Munro wrote, “Simple security controls would have stopped this hack working, yet they weren’t present.”

I can’t decide if that is comforting or disconcerting. The fact that simple controls can be implemented to rectify the vulnerabilities is comforting. The fact that simple controls could have been implemented – and weren’t—is disconcerting.

Lorenzo Franceschi-Bicchierai wrote on Motherboard that this demonstration, “fulfilled the pessimistic predictions of some people in security world.” Indeed. I would count myself among those not surprised by this occurrence.

IoT Security – An Afterthought?

Trustwave SpiderLabs, a firm which helps businesses fight cybercrime and reduce security risk, also hacked an IoT thermostat. “Trane ComfortLink XL850 thermostats running firmware version 3.1 or lower are vulnerable to information disclosure and remote access due to a weak authentication mechanism and hardcoded credentials… When you combine hardcoded credentials with a network accessible port, you have a device ripe for attack from the network or even an attack from the Internet if the thermostat is exposed through the router.”

Consumer demand for network connected devices continues to explode. Author Jeff Kitson states, “Unfortunately this rush to market often leaves security concerns unanswered and IoT devices are quickly earning a reputation as security hazards.”

In many cases, security is an afterthought. Something patched on at the end – and then only reluctantly, since vendors want to avoid delays in product launches.

What Can You Do About It?

Mr. Kitson of Trustwave SpiderLabs suggests, “If you are concerned about the security of your IoT device you might consider hosting a dedicated WiFi network for IoT devices that limits internet access or removes it entirely. In a worst case scenario you might want to disable network access entirely. Organizations concerned about being exposed to greater risk due to IoT devices should be performing regular network scans and vulnerability assessments. Proper network inventory should uncover strange or new IP addresses which may be IoT devices.”

Finally, Mr. Kitson concludes with advice to IoT product vendors, including, “Embracing vulnerability disclosure and independent research is guaranteed to help secure both your products and their customers.”

Share on Facebook1Tweet about this on TwitterShare on Google+0Share on LinkedIn7