
Thermostat - Ransomware Demo


Teken


Posted

This week at DEFCON two researchers were able to show how they infected a Linux-based TSTAT and loaded malicious code to lock out the TSTAT until payment was sent.

 

A quick overview and video are listed here: http://thenextweb.com/gadgets/2016/08/08/thermostats-can-now-get-infected-with-ransomware-because-2016/#gref

 

http://motherboard.vice.com/read/internet-of-things-ransomware-smart-thermostat

 

http://www.theregister.co.uk/2016/08/08/smart_thermostat_ransomware/

 

It should be noted this custom malware or similar isn't known to be in the wild as of this writing. As indicated in the various links a person would need direct access to the TSTAT to infect the hardware.

 

Other possible methods are social engineering, or fooling a person into downloading an image file for a wallpaper they like which has the malicious code embedded in the file.

 

Many of us have discussed the potential threats and risks of computerizing every facet of one's home. The most famous and relevant example is the epic failure of NEST, which pushed out an OTA firmware update that bricked tens of millions of units in the dead of winter of 2015 / 2016.

 

I think it's absolutely great these researchers were able to illustrate how this could be done. My hope is that the industry in all spaces of IoT will push security as the primary goal in all hardware they make.

 

The article doesn't specify if this TSTAT has any cloud based connection or even WiFi capabilities. The importance of the two is that these are obvious routes to penetrate the very same. To some this may sound funny or even idiotic in thinking what is the worst thing that could happen?

 

Well, if you live in some of the hottest to coldest climates, from AZ to the North Pole, having someone turn off the HVAC system during any of the extremes could result in loss of life and property. Exploding water pipes in the dead of winter, or elderly people succumbing to heat stroke because the AC has been locked out.

 

Every year we see news articles about babies and pets left in locked cars and the dire results of such.

 

Imagine the very same in the most expensive investment of your life - your home.

Posted

Good post, and great example.

 

I've tried to explain why security is important to IoT, but frequently folks just look at me like I fell off a wagon and bumped my head really hard.  "Why," they say, "would anyone ever want to break into my home automation and blink my lights or turn off my TV?"  Or, "Heck, it's no big deal if they open my garage door, there's nothing in it for them to steal anyway."

 

Ransomware -- now THAT is something that people need to take seriously... imagine an email while you're in the Bahamas on your dream trip of a lifetime:

 

Dear Mr. Homeowner,

 

  We sure hope you're enjoying the beaches in the Bahamas!  But, if you get a moment, please whip out your iPhone, and check your home's thermostat.  Yes, that temperature reading IS correct (it's a bit colder in your house than it is on that beach, huh?!)!  And it's going to drop even more in there, because it's forecast to be -10 at your home tonight -- and your thermostat isn't going to turn on any more.  Yeah, you can punch that button all you want, but it's not gonna respond, no way, no how.

 

  But, hey, we realize that your home is important.  It's your single largest investment.  And we'd really hate for it to get, well, all frozen-like.  You know, with burst water pipes, flooding, your home and its contents ruined.  That'd be really bad.  Really really bad.  So we have a solution - and when you consider the value of your house, and everything in it, well, you'll agree that it's a bargain!

 

  Just whip off a few thousand dollars (in bitcoins please) to the email account below.  As soon as we get it, well, you'll know -- because suddenly you'll be able to turn your thermostat back on, instead of just using it to watch the temperature of your house (and the value of your biggest life investment) plummet.

 

  We appreciate doing business with you!  And enjoy the rest of your vacation, Mr. Homeowner!

 

Regards,

Haxors-r-us

Posted


Mwester,

 

OMG, that is exactly how I would expect the ransomware email to come. Even if for just a moment we put aside the great threat to life and property.

 

Lots of folks in different regions are on tiered electrical rates. As illustrated by a few members here, some of the rates are priced in the $0.30 to $0.86 per kWh price point. To come home knowing you are going to receive one hell of an electrical bill just because someone is trying to make a few bucks is incredible.

 

So many of us here are technology and gadget guys - we all can relate to having toys.

 

I believe security in the HA space is severely lacking and there is lots of room for improvement. My hope is that many more demos and non-lethal examples will appear over time. Doing so will reinforce to all vendors that security at every level is a must and can't simply be an afterthought.

 

As an aside, I would like to know if anyone recognizes the TSTAT maker here; is it a Venstar / Honeywell?

Posted

It sure looks like a Venstar ColorTouch.

 

Note that they say that the hack has to be done by physically accessing the thermostat and loading a specific payload via an SD card... it was not a network attack in any way.

 

I'm thinking any thief that would get into my house would be taking the TV and computers, not stopping to reboot a thermostat and fiddle with loading a payload off an SD card. It takes 3 to 5 minutes to get to the point of doing the hack (of which they provide zero details). In addition, the Venstar allows you to load any graphic you want as a background. It would be easy to simulate the results, such as they are presented, on the commercial model by copying that graphic and loading it via the card... Also, a pin code can be used for any changes, which would prevent access for this hack to happen.

 

It seems very convenient that they found and created this "just days before defcon". This goes back to an episode posted here last year of scary sounding hacks with no real evidence presented.

 

FWIW Teken, I am a step away from declaring shenanigans on these guys.

 

Paul

Posted


Paul,

 

I have to agree with your observations as stated: if someone is going to be in the home, there are real items of value to take. Having said this, lots of the ransomware that has been documented lay in wait for days, weeks, months before activating its payload.

 

In the big picture there is a higher likelihood of being struck by lightning while walking in the rain than of seeing a random person select one home out of many *knowing* they had a smart TSTAT?!?

 

1. So if we break this down logically the hacker would have to know somehow you have this specific unit.

2. Locate your home via whatever method.

3. Wait for you to leave because they honestly don't know your lifestyle patterns so this could be a long term project.

4. Break in, load the malware, leave without being detected at all.

5. Then wait for the software to execute so you could wait for their reply for payment?

 

As you stated, anyone could have loaded an image of anything to say the hack was legit. But, given DEFCON participants are normally vetted and known *real white / black hats*, I have to give them the benefit of the doubt.

 

Most of these nerds aren't willing to lose face or street cred to pull a farce over other tech nerds. Keep in mind that at some point the same hack needs to be provided to the DEFCON leadership for validation.

 

On a tangent, I know lots of us also muse about how Insteon could be hacked when compared to the most recent and very secure Z-Wave 128-bit encrypted cipher. But the reality is the same, where a person would have to know *somehow* you have such technology in your home and lie in wait to perform some kind of random action?

 

Keeping in mind I am simply speaking about local access where there is no HUB / Internet connection to the Insteon network. If the entire system is public facing with Internet connectivity then the risks are much higher.

 

Even though once again it would require someone to pick a random house out of tens of millions just for the pleasure of doing harm?

 

I truly believe security needs to be at the forefront in all that we do just because of the world we all live in. But I must affirm people can't go around living a paranoid life wearing a tin foil hat thinking the sky is going to fall any moment.

 

Speaking for myself only, the Internet was one of the best things that ever happened to the free world. It's quite sad that a few have decided to take what should have been free knowledge, access, and capability and turned it into a tool of destruction and profit.

 

Seeing live feeds of babies in their cribs or small children wandering their homes thinking they are safe & secure - knowing the millions of pedophiles watching freely just because *Parents / Companies* haven't taken the time to secure the network.

 

Lastly, as I stated in another forum post, the American Government is planning to implement specific criteria where each IoT device will have basic to advanced markings, identification, access, and global access. I am all for standards, but in this specific case, given the massive amounts of invasion of privacy on their own citizens and people around the world.

 

No freaking way . . .

Posted

 

1. So if we break this down logically the hacker would have to know somehow you have this specific unit.

2. Locate your home via whatever method.

3. Wait for you to leave because they honestly don't know your lifestyle patterns so this could be a long term project.

4. Break in, load the malware, leave without being detected at all.

5. Then wait for the software to execute so you could wait for their reply for payment?

 

6. And, know my pin code, out of 10,000 possible values

7. Then break back into the house and undo the hack after payment is received!!!  :mrgreen:

 

Seriously, though, Teken... I do get your point and we do need to be careful. Your posts on this topic do provide a perspective on understanding IoT risks, and I always support that. To your points, there are risks; we have to determine how to mitigate them, or recognize that we're accepting them.

 

It does stagger me when some of the security crowd running to these conferences inappropriately plays on people for the sake of attention, rather than providing real information and education that actually helps.

 

Paul

Posted

Agreed, some of the things I see and read on the Interwebs have to be taken with a grain of salt. While I am a strong proponent of security in many aspects of life, one must find balance.

 

Almost everyone knows I have a very dim view of cloud hosted services which make a physical product you own locked and solely dependent on a constant Internet connection just to operate.

 

That I will never buy in to, even if it were given to me for free . . .

 

On the other side of the coin is the pervasive nature where companies are pushing IoT into all aspects of our lives without even taking the time to limit breaches in the system(s). This in part is the fault of the consumer while the other part falls squarely on the companies that make them.

 

Nothing sounds louder than a person's wallet!

 

If people didn't support companies that offered such hardware they would think twice and consider investing in more security and measures to ensure a secure device.

 

As others mentioned in other related threads, my hope of seeing local first vs cloud first come back into style is simply a pipe dream.

 

On Topic: On the Venstar, if you enter an incorrect password does the unit lock you out? If so, how many attempts, and is there a lockout period available? These are very common features in phones, alarms, etc., so I would be curious to know if these basic security features exist here.

 

Also, what is the maximum length of the code, and can an alphanumeric value be entered?

Posted


Teken

It's not that smart. You can set a 4 digit, numeric code. There's no master code on top of it.  It works as a screen-lock; after a certain amount of time, the code is needed. It will keep prompting you for the right code until you get it right.

 

There are settings to allow certain features to work without the code, like local temp, fan control or home/away.

 

Paul

Posted

They would also have to know your house is in a cold enough climate with insufficient insulation and plumbing in an outside wall.

 

When I leave and turn my heat down to 10C, it takes about two and a half weeks to reach that low temperature in the coldest temperatures we get here.

 

A call to the neighbour to buy and plug in a simple heater in the basement is all it would take for me, if my existing backup failed. But then not everybody lived a career of playing Devil's advocate with electrical protection scenarios, like I did.

 

Interesting stuff though.

If we want "open doors" into our smart things, since we are never happy with just what is smart right now, critters can walk into that "open door" too.

 

 

I guess this can be blamed on technology that is never bug proof enough, before released to the market. The "open door" always has to be there because sooner or later some bug will be found, and they would have to factory recall every unit ever $old.

Posted

<humor type="deep and intense sarcasm">

 

Thanks! 

 

Y'all convinced me.

 

I DID fall off something and bump my head.  What the HECK have I been worried about?!  For goodness sakes, we don't need no stinkin' security on thermostats!

 

And about that demo - thanks for clarifying that point about the physical access required.  Silly me, I didn't realize that because THIS particular 'stat needed physical access, that means that ALL thermostats can only ever be hacked by physical access.  Whew! I was worried that someone might hack my network-connected one, that's connected to my HVAC supplier's portal service.

 

You're right of course, I can just call my neighbor -- I'm sure he's at home.  In the off chance that he's not, well I'll just call a contractor (any one will do, they're all honest and responsible, aren't they?).  They'll carefully enter my home -- I'm sure I can unlock the doors from my cell phone.  And if not, no problem - I have my Amazon Echo programmed to my Z-Wave door locks, they can just shout loudly and Alexa will unlock the doors for them.  That's not a security problem, is it?  Nah.

 

And if none of that works, hey I got my MAC-address "geofencing" thingy going for me, courtesy of the good folk at this board.  I know there's a computer fixit shop in the next town over, I bet those guys know the trick to assign my MAC address to their wifi card, and they can just drive up my driveway and the doors will open for the neighbor and contractor (who are still patiently waiting, 'cause of course they really want nothing more in life than to help me with my IoT hacker problems!)

 

Thermostats are cheap.  I won't have to pay any ransom, and throwing $150 at a new 'stat to "buy & pop in" is not a problem.  I blow that kinda money on my coffee at Starbucks.  Don't you all?  Having to replace a 'stat because it got hacked - that's not the same as "ransomware", even though I'm out $150, right?

 

So, y'all have really helped me see the light!  Viruses Shmiruses!  Hackers Shmackers!  Security is just a scam to keep the silly people all worked up!

 

</humor>

 

 

Ok, folks.  Now don't anyone get all upset and cranky.  I'm merely pointing out how some of the counter-arguments presented by folks above are missing the bigger picture.  Sure, THIS thermostat required physical access.  And sure, most of us probably ARE responsible and prepared enough to have backups and have neighbors watching and all that.  And certainly if you can afford an ISY and all that goes with it, throwing away $150 to replace a hacked 'stat is not going to kill any of us.

 

But none of that changes the key fact: these devices ARE HACKABLE!  And there are MANY ways for the hackers to monetize their hacks - perhaps ransomware may not be the ideal way for a thermostat -- it takes a special sort of brain to figure out how to scam and cheat and I confess mine isn't wired that way.  Nevertheless, there WILL BE, if there are NOT ALREADY, reasons for someone to want to hack YOUR IoT.  Count on it.

Posted

LOL. We do appreciate the concern and not all of us are that hackable. Some have more gold at the end of the hack, than others.

 

I will never have a door that you unlock remotely. Why would I, when I don't carry any keys in my pocket now? I have a near field dongle for my vehicle, a really intelligent button on my visor that magically opens my garage door with one press, and doors that unlock with a few-digit combination. I have absolutely no need to spend money on gadgets that don't function any better than what I have now.

 

Stats? Yes I have endeavoured down that road for one of the five zones so that is a concern but the backup stat is a mechanical one placed where my neighbour can find it easily...LOL

 

The next hack will be somebody's wristwatch. I wonder what the ransom will be in exchange for there?  Embarrassment exposure online for being hacked? :)

 

Vehicle control systems have already been demonstrated, and they can run you right off the road when you can't see for washer fluid, your radio is up to the top volume, and your brakes are disabled. The driver heads for a ditch as a safer crash environment than the road.

Posted

I agree, the problem today is society has made life much easier for those wanting to commit random acts of crime. Back in the day many if not all those using Linux / Unix systems really had no worries from computer viruses.

 

Today, with the pervasive use and population of Linux in Android phones and Apple computers, viruses are rampant.

 

The primary focus for hackers was based on sheer numbers and population of use. Why would any skilled hacker spend any amount of time crafting some kind of virus, malware, trojan on something that had less than 2% penetration and adoption?!?

 

Fast forward to 2016: the Windows OS is not the only dominant operating system being used by tens of billions of people around the world.

 

This is why hackers have moved on to easier prey like the billions of hobbled Android based devices covering phones, tablets, watches, music players, etc. The Android platform was great in concept but poorly executed in almost every way a person could ever think of.

 

As of this writing anyone can do a quick search and see how many viruses, trojans, and malware have not been resolved in the Android platform due to the fact the hardware does not have the capacity to support it. Worse yet, the industry doesn't care enough to release patches in a timely fashion because it requires support from the ISP, Telco, or Cellular provider, who has bundled so much crap into the lease / contract device that they see no reason to spend extra time and effort to do so.

 

As I have said many times, once HA becomes pervasive and the norm you will start to see the hackers focus on the very same.

 

The sad reality is some of the people do this for fun, while others do it strictly for the payback.

 

Probably the worst thing that has come out of all of this technology is the Government's willingness to keep unknown exploits to themselves and use them whenever they can on the general public.

 

I know back in the day it made me laugh at all the OG's (Old Guys) who were so old school in all that they did or had. As of this writing I've come to the realization I have become one of those OG's who covet the old school ways and technology. Not only because they offered incredible craftsmanship, value, build quality, and, lest we forget:

 

Absolutely no way for someone to compromise or hack the device . . .

 

On a related tangent, many people have engaged me directly over the years asking why someone who is so involved with technology in almost every aspect of his life yet spends so much time rebuffing it and slamming it?!?!

 

My reply to them is always the same and that is - because I am around it, use it, and see the pitfalls of technology each day . . .

 

I know it's easy for many to say the problems we all see are due to the Millennial folks of today. Perhaps some of this is true - but that wouldn't explain all of the OG's doing the very same, would it?

 

I see the problem as this era having been pushed to a level of stupid where people simply just drink the Kool-Aid without a second thought.

 

The use of propaganda / brain washing has been used for decades in news print, radio, movies, TV, commercials, music, etc . . .

 

Now it's all over the Interwebs . . .

 

I truly believe the smart TSTAT has a place in home automation - but I temper that reply with the fact that it still has a long way to go before I ever consider hooking one up to the most expensive investment of my life, which is my home.

Posted

My learning from this is maintaining my healthy skepticism about amazing product security flaw discoveries, made just days before a security conference.

 

As pointed out in post 6, practical, actionable risk management of IoT appliances is required by anyone who uses them, and I appreciate the efforts of Teken to keep it in the forefront on this forum.

 

However, security conference presenters who dream up improbable security scenarios, with no evidence, information or insight, for the sake of attention... don't help me in any practical way.

 

Paul
