HVAC industry in trouble: hackers attack WiFi thermostats

Got a smart thermostat? That may not be a good thing. At DEF CON earlier this month, hackers demonstrated how incredibly easy it is to hack a WiFi thermostat and hold heating, ventilation, and cooling systems for ransom. This is no longer a hypothetical “what if”: someone with the knowledge could quite literally break into these systems and melt or freeze the occupants until a ransom is paid to obtain a PIN to unlock it. If your thermostat runs a modified version of Linux, has a large LCD screen, and also an SD card, you’re a potential target.

The various hacks are pretty brutal. Consider this: your heater set to 99 degrees until you pay up. Or, even worse, heat and cold air blasting at the same time so that you “bleed money for the utility bill” until you give the attackers what they want so that they stop (but will they?).

The example was shown on a thermostat that had local SD storage, indicating that hackers needed physical access to the device. But there could be other ways to break in, especially because the device’s software is not sophisticated enough to discern between legitimate pictures (or similar supported files) and malware disguised as one.

We’re in for trouble. With IoT gaining steam, we’re also giving the determined hacker the opportunity to break into far more systems than ever thought possible. From TVs to energy grids to fictional (for now) smart cars, our growing Internet landscape is ripe for hackers to get their hands dirty (and make some cash in the process).

Your IoT devices may seem cool and you may look to be one of the coolest people on the block, but each device is just another hole for hackers to access–a playground for your remote friends. Hackers will eventually get in.

It’s up to the manufacturers to be mindful of the potential breaches these new devices create–and patch them as soon as possible. Zero-day exploits need zero-day resolution. Our lives depend on it.

1 thought on “HVAC industry in trouble: hackers attack WiFi thermostats”

  1. “blasting heat and cold air at the same time so that you ‘bleed money for the utility bill’” That is physically impossible. I know of ZERO HVAC units that can do this. 1. Heat pumps have a physical valve that only allows one process at a time. 2. GAS/OIL furnace HVAC is also only capable of one thing. 3. Not every house on earth has heat and cooling… so they cannot do that either. I have a dual thermostat that is connected to a heat-only unit. Feel free to run it at 58°
