Security testing firm Pen Test Partners demonstrated how to hack a smart thermostat, among other IoT devices, at the IoT village during Def Con 24.
They showed how easy it was to create ransomware for IoT devices, and chose a smart thermostat because of its potential as a target, and because of speculation that ransomware would be the eventual outcome of IoT vendor security complacency.
They succeeded in creating fully functioning ransomware that takes control of a smart thermostat and locks the user out until they pay up. As if that weren’t bad enough, they also showed how to crank up the heat during a summer heatwave, or turn it off in the dead of winter, to pressure users into paying.
Their work highlights the poor state of security in IoT devices, and also draws attention to the vulnerability of the hardware itself to hacking. This undercuts the notion that software is the easier attack vector.
According to the researchers, simple security controls that could have stopped the hack from succeeding were lacking. Basic encryption and signing would have gone a long way toward making such hacks impossible, and removing debug information and root privileges is also important.
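To make the signing point concrete, here is an added example (not Pen Test Partners' code or any vendor's firmware) of the update gate a thermostat could run: the vendor signs each image with an Ed25519 key, the device keeps only the public key, and anything tampered with, unsigned, or signed with someone else's key is refused before it is flashed. The FirmwareImage container, the function names and the payload bytes are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical update container: raw payload plus a detached Ed25519 signature.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify")

// SignFirmware runs in the vendor's release pipeline; the private key never ships on the device.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyFirmware is the gate the device runs before flashing anything: a modified
// payload, a missing signature or a signature from a non-vendor key all fail here.
func VerifyFirmware(pub ed25519.PublicKey, img FirmwareImage) error {
	if !ed25519.Verify(pub, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenario checks that a genuine image verifies while a tampered copy and a non-vendor-signed image are rejected.
func Scenario() (genuineOK, tamperedRejected, foreignKeyRejected bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	otherPriv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // non-vendor key, fixed seed for the demo
	payload := []byte("constructed firmware payload v1.0")              // constructed sample, not a real image
	genuine := SignFirmware(vendorPriv, payload)
	genuineOK = VerifyFirmware(vendorPub, genuine) == nil
	tampered := FirmwareImage{Payload: append([]byte(nil), payload...), Signature: genuine.Signature}
	tampered.Payload[0] ^= 0x01 // flip one bit after signing
	tamperedRejected = errors.Is(VerifyFirmware(vendorPub, tampered), ErrBadSignature)
	foreign := SignFirmware(otherPriv, payload) // well-formed signature, wrong key
	foreignKeyRejected = errors.Is(VerifyFirmware(vendorPub, foreign), ErrBadSignature)
	return
}

func main() { fmt.Println(Scenario()) }
```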
Is it Just a Thermostat or Something More?
Well, yes and no. It’s a device on your network that could easily create a pivot point and result in a compromise of personal data. Security professionals understand the risks and know how to mitigate them. Joe Public doesn’t, said the researchers.