Last weekend, at the DEF CON security conference, Pen Test Partners decided to reveal the truth about what is really happening with the security of IoT devices. By purchasing a smart thermostat and then hacking it to install ransomware on it, they showed everybody how badly secured the IoT devices we all use every day really are.
Once they bought the smart thermostat, they tried to find any information, such as chipset details or internal photos, that the manufacturer may have publicly disclosed when registering for an FCC ID. Using the FCC ID Search, Pen Test Partners discovered that the smart thermostat runs Linux and learned who manufactures its chipset.
Moreover, they also found out that the thermostat has an SD card slot that could be easily configured. With the help of an application on a PC or Mac, the owner can set the thermostat to display any wallpaper they want on the screen. While analyzing the SD card, Pen Test Partners came up with a way to get administrative privileges by altering the operating system. Once they had those privileges, it was a piece of cake to install their malicious ransomware code on the thermostat. They further stated that they could modify this ransomware so that it raised or lowered the temperature until the victim paid the ransom.
The even more concerning fact is that it is not only thermostats that are at risk. According to Pen Test Partners' other blog posts, more and more connected household devices are becoming ransomware targets. This includes coffee machines, home security cameras and even kids' toys.
What is even worse is that medical devices, such as insulin pumps or pacemakers, are also becoming more and more connected. This way, users are not only at risk of paying a ransom but also at risk of being physically hurt. It seems that manufacturers have to do much better in securing their products, not only to keep their reputation intact but also for the physical safety of their customers.