What happens if your thermostat is hacked? Researchers name the top 7 security threats

Researchers from the SANS Institute outline the top seven threats that security researchers face this year.

What happens if a bad actor turns off your heat in the middle of winter, then demands $1,000 to turn it back on? Or even holds a small city’s power for ransom? Those kinds of attacks were among the top threats that security experts worried about at the RSA security conference this week.

While consumers don’t necessarily have to be concerned about all seven of the most dangerous types of attacks identified by the SANS Institute, several target consumers directly. The remainder could eventually “filter down” to consumers, though the effects might not be felt for some time.

Why this matters: Knowing what might affect your home network of devices is important knowledge, even if it’s up to someone else to build in the sort of protection that security experts are worried about. If you’re going to buy a connected gizmo for your growing smarthome collection, be sure it contains built-in security—or face the consequences.

The seven deadly attacks

Here are the seven most dangerous attack vectors, according to SANS, and what, if anything, you can do about them:

Ransomware. Ransomware surfaced more than 20 years ago, but it has since evolved into a seriously scary form of malware: crypto-ransomware, which encrypts your files and demands payment to unlock them. It’s an ideal way for bad guys to attack: Ransomware spreads like a virus, locks up your data independently, and forces you to contact the criminals for payment and recovery, according to Ed Skoudis, an instructor at the SANS Institute.

What you can do: Practice “network hygiene,” patching your system, using antimalware, and using permissions and network-access controls to limit exposure—once a PC is infected, you don’t want the infection spreading to other PCs on the network. Remember that ransomware is being monitored by actual people, with whom you can negotiate: “Your best bet is to appear small and poor,” Skoudis said, to try to reduce the amount you’ll pay.

The Internet of Things. The next stage of the evolution in consumer products is connectedness: Everything from baby cameras to toothbrushes are using wireless protocols to connect to each other and the internet. That, in turn, has left them vulnerable to hacks. Worse still, IoT devices are now attack platforms, as the Mirai worm demonstrated.

What you can do: Change the default passwords. If your smart-home gadget doesn’t allow it, either return it or wait (or petition the manufacturer) for firmware that allows a custom password. You can also take further steps to insulate connected devices by disabling remote access, using a separate dedicated home LAN for IoT devices, as well as a dedicated cloud account for controlling them, Skoudis said.

The intersection of ransomware and IoT. Last year, an Austrian hotel was hacked, disrupting its keycard system. Such attacks could eventually migrate to your home, holding your smart thermostat hostage (and set at 40 degrees, say) until you pay up.

What you can do: Right now, this sort of attack is more theoretical than anything else. But it’s something to think about as you start building out your home: How much automation is too much? “You have to ask yourself, what is the right balance between man and machine?” said Michael Assante, director of industrials and infrastructure for SANS.

ukraine attack Mark Hachman

A summary of the 2015 attack on then Ukraine power stations, as provided by the SANS Institute.

Attacks against the industrial Internet of Things. In 2015 and again in 2016, unknown hackers took down power stations in the Ukraine, leveraging the growing trend of automated, distributed systems against the power company. Fortunately, first responders were quickly able to manually flip the breakers and restore power. But there’s no guarantee that will always be the case—and what happens if Pacific Gas & Electric or Con Edison’s infrastructure is hacked?

What you can do: As consumers, not much. Infrastructure organizations are going to have to decide whether to operate with intelligent systems, or shut them down. Scaling up with increased automation can help lower your power costs—but the penalty may be increased vulnerability to outside attacks, Assante warned.

ukraine attack Mark Hachman

A summary of the 2015 attack on Ukraine power stations, as provided by the SANS Institute.

Weak random number generators. Truly random numbers are the basis of good encryption, securing Wi-Fi and a broad range of security algorithms, according to Johannes Ulrich, the director of the SANS Internet Storm Center. But  “random” number generators aren’t truly random, which makes the encryption they’re based upon easier to crack. This gives an edge to criminals, who may exploit this and unlock “secure” encrypted connections.

What you can do: This is a problem for device manufacturers to solve. Just keep in mind that your “secure” network may in fact be weaker than you think.

An over-reliance on web services. More and more, apps and software are talking to and incorporating third-party services, such as Docker or Azure. But there’s no real certainty that those apps are connecting to the expected entity, or whether an attacker is stepping in, stealing data, and returning false information.

What you can do: Again, this is a problem for developers. But Ulrich warned that mobile apps are becoming increasingly vulnerable—so even if an app isn’t trying to steal your data, the “service” that it thinks it’s connecting to may be.

Attacks against NoSQL databases. For years, SQL injections, where executable code was forced inside of a SQL database entry field, were one of the scourges of the internet. Now, as developers move away from SQL to NoSQL databases like MongoDB, they’re finding that those databases aren’t as secure as they should be.

What you can do: Absolutely nothing. But it’s just one more headache that the security industry has to deal with.

Show Comments