IoT Ransomware Attack

The popularity of Amazon’s Alexa, Google’s Home, and other home personal assistants has brought IoT devices to households around the world. The introduction of things like smart light bulbs and smart refrigerators has made life easier for users by connecting traditional home appliances to smartphones and other internet-connected devices. You can now simply ask Alexa to turn on the lights as you walk in the door, or have your Google Home turn up the heat in a room, making many feel like we are living in a future world.

The benefits of these interconnected devices, however, have made many wary of a world where we, as humans, will be at the will of these devices, unable to gain control of our own property.

This theory may seem like science fiction to some, but at DEF CON, the world’s largest hacking conference, two hackers showcased just how real the threat can be. They were able to hack into an IoT thermostat and install ransomware into the device, giving them the ability to raise or lower the heat and AC, either individually or at the same time, as well as set off alarms at varying frequency. They were even able to display a ransom note onto the wallpaper of the device, informing the user that their device was now hacked and they must pay 1 Bitcoin to stop the attack.

[Image: IoT Ransomware 2. Credit: @TheKenMunroShow]

These types of ransomware attacks are especially scary because the hacker could essentially “force” the user into paying the ransom by raising or lowering the temperature of the house to unliveable conditions; they could also turn both the AC and heating on at the same time, raising the user’s utility bill to unthinkable amounts. Both situations would give the user no choice but to pay the hackers, encouraging and funding more attacks of this kind.

Andrew Tierney and Ken Munro, the two hackers who demonstrated the ransomware, revealed that it only took them two days to hack into the thermostat and infect it with the ransomware. Their ransomware was then able to raise the heat to 99°F (37.22°C) and require the user to input a PIN, which changed every 30 seconds, to unlock the device.

Luckily for those with smart homes, this attack was launched locally through the device’s SD card, meaning any hackers would need access to the actual device to launch a similar attack. However, Tierney and Munro made sure to emphasize that ransomware like this could also be achieved without any physical access to the device.

[Image: IoT Ransomware. Credit: @TheKenMunroShow]

With the aid of a phishing email that appears to contain just a normal photo, but in reality carries embedded malware, hackers can gain access without ever even seeing the device. If the user saves this photo to their SD card and then puts it in their IoT device to set the background, their device will become infected. This highlights the importance of proper phishing awareness training and email security protocols.

While a future full of smart houses and devices may seem exciting and an improvement over the world we live in now, it will also bring with it a tidal wave of potential new threats and attacks that we as a society can’t even imagine in today’s day and age. We need to ensure we are keeping up with the security and awareness needs that come along with these new technologies, or we may become victims of our own advancement.

Read more about this hack on the PentestPartners Blog: Thermostat Ransomware: a lesson in IoT security