You’ve spent the cash, dealt with the firmware updates, fiddled with your home network, and now, you finally have it: a smart-home thermostat. You can control it with your phone; you can teach it your daily routine; you can set it to heat and cool your home before you arrive; you can even download a pic of a mountain vista as the wallpaper — your thermostat doesn’t have to be just an ugly box on the wall anymore. It’s just, well, smarter than your average thermostat.
Then a message pops up.
Mr. Robot’s season-opening smart-home hack just got one step closer to reality. At Defcon, an annual conference where hackers show off the various exploits that could allow someone to access pretty much every internet-connected device you have, two security researchers, Andrew Tierney and Ken Munro, released information about a security hole that would allow outside users to install ransomware on a thermostat.
As reported by Motherboard’s Lorenzo Franceschi-Bicchierai, the hack works like this: This thermostat in particular allows users to download and install custom wallpapers through an SD card. But because the thermostat doesn’t do a thorough scan of what kind of files and executables are on the card, someone could download a nice, malware-infected picture (in this case, a moonscape), install it via SD card, and hand over full control to the hacker.
The hacker could then control the temperature in your house until you fork over on Bitcoin. It’s easy to imagine homeowners in the middle of summer or winter just forking over the Bitcoin rather than suffer. (Though with the current price of Bitcoin constantly shifting, enterprising hackers would probably want to use another form of cryptocurrency — Dogecoin is trading nicely.) Tierney and Munro declined to say which thermostat they found the vulnerability in, as they just discovered the exploit and the manufacturer hasn’t had a chance patch up the security hole.
While the sequence of events needed to actually gain access would be tough to replicate — you’d need a user to download the picture to an SD card and then install it themselves on their home thermostat — the fact is that a shocking number of smart home or “Internet of Things” devices are extremely hackable.
A wireless home-security system SimpliSafe was shown to be ludicrously easy to hack in February, with the company unable to even patch the hole because the microprocessors in the device were all “one-time programmable,” meaning whatever code was there was baked in and unchangeable. Samsung’s SmartThings home system, one of the better-selling smart-home platforms out there, was shown to have a vulnerability that allowed someone to remotely detect a homeowner setting a PIN code for their home’s locks, even texting the PIN code to the hacker shortly after. And researchers found that nine of the most popular wireless baby monitors were easily hacked — indeed, news stories about people hacking baby monitors are so common that BuzzFeed even made a listicle of the creepiest examples.
Smart homes show tremendous promise, both for convenience and the ability to save energy by not heating or cooling empty spaces. But as companies scramble to get their products to market in an industry estimated to grow to $100 billion by 2020, they’re leaving consumers vulnerable. It doesn’t even have to be hackers that can wreck a smart home. During a well-publicized Nest system outage in January of this year, which left millions without the ability to control the temperatures in their homes, one man found himself on hold with the Google-owned company for hours. During that time, he walked to the local hardware store and bought a simple mechanical thermostat. Total cost: $25.