The hackers found a vulnerability in the thermostat and exploited it to install a piece of software that locks the thermostat and demands money to hand back control to the user. The attack wasn't very advanced, it requires the user to download a file to the thermostat, but it's not unthinkable that more advanced attacks on smart devices will start showing up in the near future.
The thermostat in question has a large LCD display, runs the operating system Linux, and has an SD card that allows users to load custom settings or wallpapers. The researchers found that the thermostat didn’t really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware into an application or what looks like a picture and trick users to transfer it on the thermostat, making it run automatically. At that point, an evil hacker would have full control of the thermostat, the researchers said.Full details at Vice.