The Internet of Things (IoT) space is always brimming with interesting news as well as controversies. The latest controversy is again around the security issues associated with IoT devices. While on one hand firms like Zurich Insurance are promoting the use of IoT devices at home by offering discounts on the premium, on the other hand we have security researchers like Andrew Tierney and Ken Munro infecting smart devices with ransomware that could be as scary as hell!
Andrew and Ken, from Pen Test Partners, built a proof of concept of the world’s first ransomware for IoT thermostats, and they demonstrated it live in action at the DEF CON 24 hacking conference held in Las Vegas.
Scary? Hell, yeah!
Just imagine your thermostat temperature is set to unbearable limits, -100 degrees Celsius to 100 degrees Celsius, and you can’t do anything to change that. Andrew and Ken’s ransomware did something similar: the duo hacked the IoT-enabled thermostat, which raised the temperature of the room to 99 degrees, after which the device got locked. Staying in that room became unbearable with the rising heat, and the occupants were clueless about what to do. The thermostat and the related app asked for ransom money to set things straight. The user had to key in a PIN to unlock it, which he got only after paying a Bitcoin. The ordeal didn’t end there. The duo used an IRC bot to ensure that this PIN kept changing every 30 seconds, to show how much hackers can extract if they manage to infect IoT devices with similar ransomware.
Why It Matters?
Security threats associated with IoT devices have been under discussion for quite some time, but this is the first time they have been exposed in full public view like this. Andrew and Ken hacked a Wi-Fi enabled thermostat and once again brought to light the security threats associated with IoT devices.
Their intentions were noble; they just wanted to draw attention to the poor state of security in domestic IoT devices and encourage vendors to fix them. And they did succeed in their plan. This recent revelation makes one wonder if IoT security devices are mature enough to be put to some real use.