Thermostat Ransomware: A Glimpse into the Future of Crime in Cities

At this year’s annual DEF CON conference held Aug. 4-7 in Las Vegas, two security researchers demonstrated that it’s possible to infect a smart thermostat with ransomware — a form of malicious software that encrypts or blocks access to a device until a ransom is paid, usually in the form of bitcoins.


Ransomware has most commonly infected desktop and laptop computers, but the DEF CON demonstration provides a glimpse into ransomware’s impact on the Internet of Things (IoT) and the future of crime in cities. As consumers continue to buy Internet-enabled TVs, locks, thermostats and cars, the threat landscape will continue to compound. Today, the promise of our connected future is riddled with security vulnerabilities that can easily be taken advantage of. Unfortunately, the worst is yet to come; even an article in the Wall Street Journal speculated that ransomware would soon make its way to your connected vehicle.

What Are the Underlying Issues?

1. Lack of Standards
The lack of a unified industry standard for the Internet of Things has led to massive fragmentation in the market. Although there are security overlays that will work on multiple standards, most consumers work with what comes right out of the box.

Massive fragmentation poses a challenge because each IoT standard must be updated separately to fix security vulnerabilities and add new functionalities. A close example of this challenge can be seen with the Android operating system, which is also heavily fragmented due to carrier controls and a massive hardware ecosystem with varying specifications. Eventually with Android, consumers will update their physical phone to get access to the latest software and features, but a smart thermostat is more complex to physically replace each year.

The added challenge for consumers is that they may bring three or four different standards into their house that don’t all talk to each other — and most importantly, they don’t learn from each other. In addition, not all software updates are automatic, so consumers may use the software that came with their original device for years. Most connected home appliances also use a shared Wi-Fi connection, which means they are still susceptible to threats if the network or another device is compromised.

2. Consumer Behavior
Poor security practices also contribute to increased risk. A good portion of consumers do not change default administration passwords when purchasing Internet-enabled devices, which makes the device even more susceptible to attack.

3. Pace of Change
Our research shows that the pace of change and technology diffusion is increasing exponentially. This increase creates an opportunity for rapid innovation and quicker consumer product development — but it comes at the expense of additional market fragmentation and security vulnerabilities.

How Will This Impact Government?

When an exploit or hack occurs on one of these smart devices, the first place most people will turn is to their local police department. We saw this firsthand with the rise of online identity theft and even the first nanny camera hacks. The challenge that’s quickly emerging, however, is that not every agency will have access to the technical capacity for investigating and prosecuting these new forms of crime.

What’s a Government Agency to Do?

There is no silver bullet that will solve this emerging challenge, but there are some simple steps agencies can take to stay ahead of the curve:

  1. Prepare: Ensure your public safety and information technology teams have access to the tools and knowledge necessary to research these new types of crime. There are a lot of certifications and courses that can help you bridge any knowledge gaps.
  2. Read: Keep up with the latest security vulnerabilities online and offline. You can follow alerts directly from Community Emergency Response Teams (CERT), but don’t stop there.
  3. Educate: Educate your constituents on how to mitigate cyber-risks and serve as an outlet to proactively inform them about new risks. There are many great resources online you can point constituents to, such as
  4. Partner: Find agencies to partner and collaborate with on threat intelligence and other cybersecurity practices.