
With connected thermostats such as the Nest gaining popularity due to their convenience, I've been wondering for a while about the potential for exploiting its intended function rather than just using it as an entry point into a network. Every summer you hear about people dying due to overheating, and it occurs to me that someone with malicious intent could take control of a connected thermostat and raise the temperature high enough to potentially kill someone in their sleep?

For example, are there any safeguards built into a Nest thermostat at the hardware level to prevent someone from raising the temperature to 100+ degrees or forcing the furnace to remain on constantly?

Are there any known examples of this, and is there any practical way to mitigate the risk aside from not using a connected thermostat or using a strong, unique password to protect the account tied to the device?

rob
  • I'm pretty sure most people in that situation would wake up from the discomfort, shut off the furnace, and/or go outside. – Ben Jul 07 '17 at 15:48
  • Just speaking from experience, I'm not so sure about that. I've woken up before extremely hot, was too tired to get up, and fell asleep for a couple more hours. There are also news stories every summer about people dying in their homes of overheating because they do not have air conditioners or fans. – rob Jul 07 '17 at 15:51
  • No. Even without air conditioning in environments that get to 120F (50C) ambient or more, heat related deaths are still quite rare, and usually occur in people with pre-existing contributing conditions. It's simply implausible that you could ever intentionally kill a specifically targeted individual by turning their heat up at night. – Xander Jul 07 '17 at 16:07
  • @rob most of those people made a conscious decision to "tough it out" - either to be frugal or from necessity - and intentionally ignored the danger signs, and always when external (heat/cold) was excessive enough to worsen the situation in the house. Joe Assassination-Victim goes into this scenario expecting normal comfort from his house, and normal HVAC systems simply don't have the speed or extremity to kill him before he does something about the discomfort. – gowenfawr Jul 07 '17 at 16:11
  • Seriously... The human body is wired to respond to heat in many ways. Those who die from overheating are likely dehydrated or old, in which case the internal temperature control has become deficient. This is not an attack vector, just a nuisance. Better if you find out how to destabilize the furnace by surging and lowering fuel consumption. Do this in a controlled environment. I trust you aren't an anon who's found an IoT thermostat on shodan... – user2497 Jul 07 '17 at 17:17

1 Answer

...take control of a connected thermostat and raise the temperature high enough to potentially kill someone in their sleep?

Not really. The scenario you are talking about is highly theoretical if at all possible. Thermostats do not go up as high as to kill someone in their sleep. Attackers might cause minor discomfort for a brief period if they are able to manipulate temperature settings. But that's about it.

....are there any safeguards built into a Nest thermostat ...?

You would have to look at Nest documentation for that. But my guess would be that they do not allow temperatures to be raised above certain, reasonable, thresholds.

Are there any known examples of this, and is there any practical way to mitigate the risk aside from not using a connected thermostat or using a strong, unique password to protect the account tied to the device?

There are plenty of examples of attackers exploiting weaknesses in IoT devices such as thermostats to use them as part of their bot army in a DDoS attack (a Google search should reveal some of these). Similarly, they might hold your IoT device for ransom until money is paid to a certain bitcoin address, but there have been no known cases of "assassination" attempts using thermostats.

To mitigate the risks of someone gaining access to your thermostat, you could put it behind a firewall that filters out connection attempts from unknown IP addresses or put it entirely on an internal network behind a NAT. Also, you should constantly update the firmware since most OEM manufacturers fix known security weaknesses regularly in the latest firmware.

whoami
  • Regarding access to the thermostat, my understanding is that most home automation devices are connected to a local network rather than directly to the Internet, and they create outbound connections for management so the attack vector is through the IoT device's service provider or some linked service, rather than from a direct connection from the Internet. But that is a good point if anyone does consider going to the extra work of connecting it directly to the Internet. – rob Jul 10 '17 at 14:41