This Hacker Broke Into His School’s HVAC Before Thermostats Became ‘Smart’

In the latest episode of the My First Hack series, Andrew Tierney—better known as Cybergibbons—tells the story of the time he discovered he could use his telephone to control his school’s heating system.
Image: Hauke-Christian Dittrich/picture alliance via Getty Images
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

Andrew Tierney was in high school when people were just starting to get internet at their homes. But he was already "online"—as much as anyone could be at the time. In his spare time, he used to connect to BBSs, short for Bulletin Board System, the precursors to online forums.

So when he saw that his high school's heating system had a label with a phone number on it, he figured that, maybe, he could connect to it. As it turns out, he could. 

After hours of trial and error, he figured out that the heating system's makers did not put any authentication or security protocols in place. So just with that number, and some fiddling, anyone could control the system remotely. Essentially, he hacked it.

Years later, Tierney and his colleagues created the first-ever proof-of-concept for a smart thermostat ransomware, proving that Tierney has a special relationship to internet-connected gizmos.