Proof-of-concept ransomware for smart thermostats demoed at Defcon

Originally published at:

Prosecution of researchers being what it is, I don’t see why they bother with the white hats any more.


I know we’re all supposed to be scared about terrorists hacking our IoT devices and holding our furnaces hostage but honestly, thermostats are one of the easiest DIY projects out there. There’s like 3-4 wires max. All you need is about 10 mins and a screwdriver to neutralize the hack.

Hit the reset button and boom…Bob’s your uncle!


The “You Suck” part was really fuck’n scary.

1 Like

You’re assuming that all thermostats don’t have storage. The fact that the smart device has a download function kind of implies that a firmware update is involved. Unless there’s a specific “reset to production mode” button, I doubt that you’re going to get around the ransomeware that way.

The truly scary part of this hack is that once a destructive sequence is sent to the system, removing the thermostat won’t necessarily do a damn thing. The A/C can be manually deactivated by throwing the great-big switch that should be installed close to the condenser unit, but turning off a furnace requires turning off the gas or fuel line. If it’s running out of control, that’s probably the last place I’d want to be.

1 Like

In the hopes of building support for white hat activities, I’d imagine. Besides, if they go underground, they lose the ability to have a say in how companies and the media portray them. If they wanted to be grey hat or black hat, I’m sure they would. :laughing:

1 Like

While the hijackers might be able to send a “self destruct” signal remember they want you to pay the ransom so they’re not going to destroy your A/C unit without first warning you about it. Worst case scenario you shutoff the gas & power to the furnace and physically disconnect the thermostat. There should be a kill switch right next to the unit. It’s not a bomb that will explode if you accidentally cut the green wire.

You may be out $100 for a new thermostat if you can’t factory reset the firmware it but I can’t see it doing any real damage unless you allow it to.

1 Like

I take your point about the warning, since obviously money won’t be forthcoming otherwise. However, kind of damage I was thinking about would involve the furnace being engaged while the fans are kept off. Not necessarily an explosion, but still hazardous.

I could just throw the networked thermostat away (if I had one) and get a replacement (if I still wanted one). It’s probably usually cheaper than paying a BitCoin. I think the bigger risk is having a compromised device running undetected on your network.

I feel like the value-add for IoT products is skewed much more heavily toward the manufacturers and data-aggregators than it is toward the consumer. At some point this will probably change.

Nearly all of the functionality is provided by a large, monolithic binary running as ‘root’. That’s not good.

Rule #1 of cheap and awful linux-in-a-plastic-box devices. Quoted for truth.


Except for the most advanced models, most home furnace/air conditioner units have only a rudimentary interface of a few on/off signals from the thermostat, and also have their own independent logic for actually activating their fan, burner, or compressor based on these signals. So even if the thermostat tries to command the furnace to do something insane or destructive, its own logic will just ignore it.

Your IoT thermostat is connected to all of your other household IoT devices, as well as the open-internet. What’s to say that the attack isn’t being managed by another of, or maybe all of, your other connected devices? Or perhaps another vulnerable device is reporting to a central server the moment a new vulnerable device is added to your network? Which do you eliminate after you’ve chucked your thermostat? The new thermostat? Your IoT doormat? How can you know?

1 Like

In my day we would just hack thermostats to destroy corporate backup tapes to smash the system of corporate control, not line our pockets with bitcoin.

This topic was automatically closed after 5 days. New replies are no longer allowed.