Thursday, August 11, 2016

"Smart" Thermostats hacked

More news from the Internet of (Insecure) Things:
Last week, Andrew Tierney and Ken Munro from Pen Test Partners demoed their proof-of-concept ransomware for smart thermostats, which relies on users being tricked into downloading malware that then roots the device and locks the user out while displaying a demand for one bitcoin. 
The researchers have not released sourcecode or the name of the manufacturer. They say that they gained vital intelligence by examining the manufacturer's regulatory filings with the FCC, and that they could design an attack that turned heating or cooling to arbitrary setpoints, ran both at once, or rapidly power-cycled them, possibly causing damage.
This seems to be not just bad coding and a grotesque inattention to security, but architectural decisions that seem to guarantee failure:
* First, the device has no interlocks to prevent unsafe or unwise settings -- nothing to limit the heating or cooling, or simultaneous air-conditioner/furnace operation, or repeated high-speed power-cycling -- which means that software defects, as well as malicious software, can do significant damage that might be prevented with more thoughtful systems design 
* Second, the business-model for smart thermostats overwhelmingly assumes that users are hostile parties, and protects against them with DRM of some kind. Some thermostats are designed to be sold to power companies who'll subsidize their installation in customers' homes so that the power authority can tweak power consumption to reduce load at peak times -- these sales are much easier to make if the vendor can assure the power company that there are no apps that allow users to override these tweaks, and no apps that enable this will be approved for the device (and the device will not run unapproved apps).
Interestingly, the vendor is not named, so it's not possible for consumers to make informed decisions on what product not to purchase:
This matters because a device with DRM poses significant legal risks to security researchers. Anti-circumvention laws like the section 1201 of the DMCA and European laws implementing Article 6 of the EUCD have been invoked to make civil and criminal threats against security researchers, on the theory that information about defects in a device will assist people who want to bypass the DRM, which is banned under these laws.
Government is what we choose to do together.  Like forcing you to only have insecure products to purchase.  Behold your Philosopher Kings.


SiGraybeard said...

I decided long ago I have no need for a smart thermostat, and this is more argument against one. However I've never heard, "the business-model for smart thermostats overwhelmingly assumes that users are hostile parties" and that they lock out homeowners ability to set their own thermostat is simply intolerable.

I came home from work one day to find a smart meter on the side of my house. That's outside, and on the utility's side of the connection, so there's really not much argument against it. To replace my thermostat, the utility would have to come inside and I won't have that.

TheUnpaidBill said...

My first thought was "If they can tweak the settings to lower power consumption, why couldn't they tweak them to increase consumption and therefore revenues."

Sure it's unethical, but that doesn't seem to be a real deterrent.