Hackers Make the First-Ever Ransomware for Smart Thermostats
-
@mott555 said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
I could also just not buy automatic transmissions but all the truck manufacturers took that choice away already.
Because modern automatics are better in almost every way?
-
@blakeyrat said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
(You could have used the TPMS in your analogy-- since the government does require that and it's useless for a lot of responsible vehicle owners and some are very unreliable. But that would have required actual thought instead of just being an angry truck luddite.)
The only time my car's TPMS malfunctioned was when I had a second set of rear wheels with R compound tires put on and had the stock wheels in the trunk and backseat. That was easily fixed with a trip back to the tire shop to reprogram once there was only one pair of sensors in the car.
At the same time, the TPMS has alerted me to slow leaks at least twice in the lifetime of the car, so I say it's a net benefit.
-
@anotherusername said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
"Secure" is abstract
Well we know for a fact that an old-fashioned thermometer can't be hacked by a malicious jpg, so "abstract" depends.
-
@FrostCat I'm reasonably certain that a malicious jpg printed out on sturdy enough paper could hack through an old-fashioned thermostat if the paper is swung fast enough and the thermostat is weak enough.
-
@Fox You have fun with that.
-
@anotherusername Brb, hacking the shit out of all the thermostats!
@FrostCat said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
@Fox You have fun with that.
You bet I will!
-
@Fox Yeah, but a random 17yo script kiddie in Saint Petersburg probably isn't going to fly over to the US and try that.
-
@blek No, but a random 17yo little bastard in your neighborhood might.
-
@Fox said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
No, but a random 17yo little bastard in your neighborhood might.
I guarandamntee you he won't get very far.
-
@FrostCat said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
I guarandamntee you he won't get very far.
Well, no, not in Texas, he probably won't. But elsewhere in the country, he might.
-
@Fox And of course, the other practical difference is that even if he does, I could just go buy another one, and it can't be locked to 99° until I pay a ransom.
A cheap programmable one is $20.
-
@FrostCat said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
And of course, the other practical difference is that even if he does, I could just go buy another one, and it can't be locked to 99° until I pay a ransom.
And neither can a smart one, unless there's a literal lock on it, since, as you said,
A cheap programmable one is $20.
-
@Fox Damn, hang on... I actually opened the article and it says you need physical access and the ransomware is uploaded through a SD card? Why is there so much hype around this then? I've heard about this at least three times today, I just never got around to reading about the details. The story from a few days ago about someone stealing a few (dozen) Jeeps with a laptop was way more interesting.
I mean, if I have access to someone's thermostat, I'm presumably in their home anyway (you Yanks don't keep your thermostats outside, do you?) so what's stopping me from just taking your stuff? I suppose I could imagine some people going door to door, then distracting homeowners who let them inside and cracking their thermostats, but... come on, faux Jehovah's Witness haxx0rz?
-
@blek said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
Damn, hang on... I actually opened the article and it says you need physical access and the ransomware is uploaded through a SD card? Why is there so much hype around this then?
Because people think that every vulnerability means "A KID IN SAINT PETERSBURG CAN HACK IT WITH A SINGLE KEYSTROKE"
-
@Fox said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
And neither can a smart one, unless there's a literal lock on it
Did you not read the article? It said they could lock the smart 'stat.
Obviously you could get around that by buying a cheap dumb replacement, but the kind of person who'd spend $250 on a Nest or whatever probably wouldn't want to do that. Replacing the model is a workaround, not a fix.
-
@FrostCat said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
It said they could lock the smart 'stat.
Did you not read my post?
@Fox said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
literal
-
@FrostCat I dunno, getting rid of an overpriced piece of shit and never having the same problem again sounds a lot like a fix to me.
-
@blek said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
I actually opened the article and it says you need physical access and the ransomware is uploaded through a SD card?
It said in theory you could trick someone into doing it for you...perhaps via a "download cool wallpaper for your thermostat" website.
@blek said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
I mean, if I have access to someone's thermostat, I'm presumably in their home anyway (you Yanks don't keep your thermostats outside, do you?) so what's stopping me from just taking your stuff?
Barring the situation I mention above, tricking the owner into doing it himself, that's true. Raymond Chen's got a whole category on his blog, the "it sort of involved being on the other side of this airtight hatch" one, about it.
-
I'm not sure how a Masterlock or whatever would stop a touchscreen, although I guess if the lock was holding a metal cage shut, then that's true, although it's not going to stop the thermostat's owner from pwning herself by trying to put that cute cat picture wallpaper on her 'stat.
-
@FrostCat said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
Barring the situation I mention above, tricking the owner into doing it himself, that's true. Raymond Chen's got a whole category on his blog, the "it sort of involved being on the other side of this airtight hatch" one, about it.
My favorite case of this was the big scare about "SECURITY FIRM PROVES YOU CAN GET CONFIDENTIAL INFORMATION OFF AIRGAPPED GOVERNMENT COMPUTERS BY RECORDING THE FREQUENCY OF THE CPU"
Turns out they can't actually read what the CPU's doing and they have to have installed a program that sends messages via CPU frequency while the airgapped computer was still at the manufacturer.
-
@blek Wasn't what I meant, but touché.
-
@Fox Yeah, that was bullshit. I try to avoid reading articles with obvious-clickbait titles, unless I'm on a browser with an adblocker so I can cheat them out of sleazily-obtained revenue.
-
@FrostCat said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
@Fox Yeah, that was bullshit. I try to avoid reading articles with obvious-clickbait titles, unless I'm on a browser with an adblocker so I can cheat them out of sleazily-obtained revenue.
Come to think of it, it's been a while since we've had one of those flamewars.
-
@blakeyrat said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
An automatic transmission's functionality is a superset of a manual's.
In what way?
-
@Groaner Gah, we're having too many flame wars! We need to bring focus back to the one that matters.
-
@groo Mr Robot season 2 is coming to town.
-
@mott555 said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
it autotweets pictures of your excrement to RateMyPoo.com,
That's a real website :(
-
@anonymous234 said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
But all that costs money, and who wants to buy a secure thing for $300 when there's one for $100 right next to it?
Wait till Apple starts making one. It'll cost $500, it'll be as reliable as the $200 one and as secure as a $150 one and you'll only be able to install apps whose manufacturers were able to pay $10,000 a year to keep it in the AppStore, so it'll be secure enough and everybody will be buying them and they'll be quite happy enough.
Just saying.
-
@kt_ For what it's worth, I don't think I've ever seen anyone wear an Apple watch.
-
@blek Ugh, I just saw someone wearing one this weekend.
-
@blek said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
@kt_ For what it's worth, I don't think I've ever seen anyone wear an Apple watch.
I'm literally the only person in a city of a million people who doesn't wear an Apple watch.
-
@blek Nope, not even close to California.
Not even close to much of anything, TBH.
-
@blek I've only ever seen one person ever using a smartwatch, and it was of the Android variety.
IMHO "Apple Watch" is yet another sign that the company is, once again, badly adrift and has no clue what to do with itself when it's not operating as Steve Jobs's personal cult of personality.
First they go and bring the smartphone--the device that makes watches obsolete--to the masses, and then they produce... a watch?
-
@masonwheeler said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
@blek I've only ever seen one person ever using a smartwatch, and it was of the Android variety.
I've never seen someone actually use a smartwatch before. I'm convinced people wear them because they think it makes them cool.
Now I wonder how well a nonfunctional iWatch clone would sell...
-
@masonwheeler Yeah, I get the same feeling about Apple...
Although on the other hand, I'm finding myself seriously considering buying an iPhone for the first time ever. The SE version, to be precise. The problem is that it's pretty much the only smartphone on the market that isn't hopelessly outdated hardware-wise, doesn't look like it's going to fall apart at any time, and doesn't have the dimensions of an oar. It makes me really sad.
Smartwatches, on the other hand... those are just amazingly dumb. Although I suppose they have a purpose - I've seen a few people around me buy Android watches, and being the contrarian I am I bought an automatic watch myself after not wearing anything on my wrist for at least a decade. Maybe the whole thing is a gigantic marketing campaign for Seiko. I want to believe.
-
@blek said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
The problem is that it's pretty much the only smartphone on the market that isn't hopelessly outdated hardware-wise, doesn't look like it's going to fall apart at any time, and doesn't have the dimensions of an oar
I (mostly) like my S7 so far. And it fits in the front pocket of my jeans still. (It's only a little bigger than my old S4mini.) Only drawback is all the crapware. (No, I'm not going to root it.)
-
@blek said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
@Fox Damn, hang on... I actually opened the article and it says you need physical access and the ransomware is uploaded through a SD card? Why is there so much hype around this then? I've heard about this at least three times today, I just never got around to reading about the details. The story from a few days ago about someone stealing a few (dozen) Jeeps with a laptop was way more interesting.
Because it doesn't require the hacker to get physical access. It just requires the hacker to upload an infected file to their thermostat. Last month we had three computers infected by a cryptovirus that was delivered by a phony, "{Person} wants to share a Dropbox file with you," email. None of the people were expecting an email like that, none of them knew the person named in the email they received, and none of the emails were even from Dropbox. But they all clicked the link. If people are that trusting with unexpected emails from unknown people, how hard would it be to get them to download an infected wallpaper?
-
@abarker said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
It just requires the hacker to upload an infected file to their thermostat.
via SD card.
Most people uneducated enough to download an infected wallpaper probably need their tech-savvy kid/friend/neighbor's help getting that onto an SD card.
-
@abarker OK yeah, sure @frostcat already said users could be tricked to infect their devices themselves. But I still think there's a big difference between a user clicking a link in an e-mail and a user deliberately inserting a SD card into their thermostat. Sure, it can happen, but the latter requires way more effort.
It requires way more effort on both sides - the attacker has to send out some physical hardware, which costs money as well as time, and the victim has to actually get off his or her ass, figure out where the port is, and plug the card in. I'd say that's seriously different from a bored-to-death office worker clicking a malicious link in a spam e-mail in an attempt to see something, anything that isn't yet another TPS report.
-
@Groaner said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
@mott555 said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
I could also just not buy automatic transmissions but all the truck manufacturers took that choice away already.
Because modern automatics are better in almost every way?
Except fun factor.
-
@Fox But there's the problem: they often get help from someone who knows just enough to be dangerous.
-
@Polygeekery Hey, don't underestimate the fun factor of modern automatics. I drove an AT car for the first time ever recently - my friend's Toyota Aygo, and I had a lot of fun trying to figure out if I can pass the slow bastard in front of me or if it's going to take me the next 2 kilometers to gain some speed. That thing shifts gears at a glacial pace.
(Other than that, it was actually pretty fun, the thing steers like a go-kart.)
-
@blek said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
(Other than that, it was actually pretty fun, the thing steers like a go-kart.)
*looks at photo*
Are you sure it's not a golf cart?
-
@blakeyrat I prefer to call them self-propelled shopping carts.
-
@mott555 said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
I'm literally the only person in a city of a million people who doesn't wear an Apple watch.
-
@mott555 said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
I've never seen someone actually use a smartwatch before.
I have a coworker who has one, although I think she only uses it to read texts the lazy way.
-
@blek said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
That thing shifts gears at a glacial pace.
Weak motor? My '95 Ford Escort didn't accelerate all that well, but with a bit of practice I could control the shift points fairly precisely with the accelerator. Most of the "slushbox" complaints, as far as I can tell, are from fairly snooty people who probably haven't soiled themselves by setting foot behind the wheel of an automatic since the 70s. In city traffic, it's pretty easy, for example, to blast right on by someone who's got a manual and doesn't know how to use it. It's kind of fun smoking people with sports cars in my minivan because they can't upshift without losing all forward momentum.
-
@FrostCat said in Hackers Make the First-Ever Ransomware for Smart Thermostats:
In city traffic, it's pretty easy, for example, to blast right on by someone who's got a manual and doesn't know how to use it. It's kind of fun smoking people with sports cars in my minivan because they can't upshift without losing all forward momentum.
I get a kick out of being first off the line at almost any intersection because I can immediately accelerate (because I don't have to lift my foot off the brake and then put it on the accelerator) as soon as it's safe. That extra second of response time means that my dinky little 4-cyl truck seems faster than these honking gas guzzlers next to me.
I know it's only perception, and most could easily surpass me if anyone really wanted to try, but it's still fun. :D