The Internet of Things (IoT) promises communication between devices, higher efficiency, and more productivity, but security experts and hackers have also warned that it means malicious attacks will move from the internet into your home.
This week, Andrew Tierney and Ken Munro, two researchers from U.K. security firm Pen Test Partners, showed the new home vulnerabilities by hacking into a thermostat.
The proof-of-concept attack was demonstrated at Def Con, a hacking conference in Las Vegas, Nevada, this week. The pair showed how to infiltrate the thermostat, using a fake application, and use that to lock the thermostat and add ransomware.
“We don’t have any control over our devices, and don’t really know what they’re doing and how they’re doing it,” Tierney said to Motherboard. “And if they start doing something you don’t understand, you don’t really have a way of dealing with it.”
Ransomware has risen in popularity over the years, as hackers see more financial opportunity in holding information for ransom than in selling information (or services) to others. Once people pay, the hackers usually go away, though there have been cases of return visits.
Hackers could turn up the cold to turn up the heat
Malicious hackers could lower the temperature or raise it to unbearable levels, if they are able to exploit a connected device, like a smartphone. Some experts even predict hackers could freeze pipes, causing huge amounts of damage to a household.
In that situation, we suspect a lot of people would be willing to give a few dollars to have the hackers go away. Businesses, including hospitals, have met the demands in the past.
Tierney and Munro would not give the name of the hacked thermostat, due to the company not fixing the vulnerability, but noted that the hack would be quite hard to pull off.
That said, this is just the start of what could become a major crisis for the tech industry. Thermostats are only one part of the “smart home”; hackers could also target the fridge, washer, TV, front door, or even your car once it becomes connected to the internet.
Update: Andrew Tierney wrote to ReadWrite on Aug. 12, 2016, clarifying that they had since notified the thermostat’s manufacturer. “We didn’t give the name because we hadn’t informed them of the issue,” he said. “We now have, and they are dealing with it.”