Security researchers from the United Kingdom demonstrated the world’s first ransomware attack against smart thermostats, one of the many IoT (Internet of Things) devices that are available for home users. The vendor has been notified of the vulnerabilities.
The IoT security threats are very real
Andrew Tierney and Ken Munro from the UK security company Pen Test Partners demonstrated the world’s first ransomware attack against a smart thermostat before the Defcon audience in Las Vegas. Smart thermostats are among the most popular IoT devices used by consumers across the world. They allow remote management and notification of temperature settings, and some of them integrate with other software solutions.
The thermostats that the researchers used as examples connect through the home Wi-Fi network. The underlying system is a basic GNU/Linux environment. Owners of the smart devices can upload wallpapers and amend configuration settings through an SD card. Criminals can abuse this option by adding ransomware to the card.
The researchers state that this type of attack is only possible if the attacker has physical access to the premises, which would allow them to modify the contents of the SD card. Another point of entry would be social engineering the users into downloading malicious code onto their own devices.
The security vulnerability used in the attack has been disclosed to the manufacturer of the thermostats. This is yet another example of how easily IoT devices can be hacked by malicious users. As some of them monitor and control various home functions, some of the attacks can be devastating.
Security experts worldwide believe that we are going to see more attacks against consumer IoT smart devices in the coming years. Some of the previous attacks include issues in IoT smart sockets.