Diggaman.net recently reported on a hack for Osram light bulbs and monitors, but as we move ever closer to the web of interconnected stuff dubbed "The Internet of Things", and in the wake of recent high-profile server hacks, we ought to be more aware of the lack of security surrounding, well, just about everything...
This past weekend at the IoT Village in the DEF CON security conference, Pen Test Partners set out to demonstrate the sad state of security when it comes to IoT devices. They did this by showing how they could easily hack a smart thermostat so that ransomware could be installed on it.
First they purchased a smart thermostat and used the FCC ID Search to look up public information such as internal photos, chipset details, and other information disclosed by the manufacturer when it registered for an FCC ID.
Using this information they were able to determine details such as the chipset manufacturer and the fact that the device runs Linux. Pen Test Partners also discovered that the thermostat came with an SD card slot that could be configured using an application on a PC or Mac so that the owner could display their own custom wallpapers on the screen.
When analyzing this SD card they discovered a way to modify the operating system so that they could gain administrative privileges. With that level of access they were able to alter the operating system further and install their own ransomware code on the device.