Ransomware has already managed to carve itself a niche as one of the main cybersecurity threats of 2016. As individuals, organizations and government agencies, we’re taking precautionary steps to protect ourselves against malware that can encrypt files beyond our reach.
What we’re ignoring though, is the next wave of ransomware attacks, which will not target our files, but rather our IoT devices, which can be more dangerous and damaging, given the different nature of IoT security.
IoT ransomware has been mentioned and discussed on a few occasions, including at recent conferences, but has not been given serious consideration because it is being examined in the same light as the more traditional breed of malware.
Here’s what makes IoT ransomware a different and possibly more dangerous threat.
IoT ransomware is not about holding your data hostage
Famous brands of ransomware such as Cryptowall and CTB-Locker are aimed at finding and locking valuable files on targeted machines. Aside from their anonymity, their main strength is their irreversibility — victims have no other choice than forking over the ransom money if they want to regain access to their files (unless they’ve taken precautionary measures, of course). Therefore, the general opinion is that files and sensitive data have financial value, and where they go, ransomware will follow.
For the most part, IoT devices store little or no data, which would logically make them financially irrelevant to ransomware attacks, right?
“While traditional ransomware affects your computer and locks your files, IoT ransomware has the opportunity to control systems in the real world, beyond just the computer,” says Neil Cawse, CEO at Geotab, a manufacturer of IoT and telematics for vehicles. “In fact, due to the many practical applications of IoT technology, its ransomware can shut down vehicles, turn off power, or even stop production lines. This potential to cause far more damage means that the potential for hackers can charge much more, ultimately making it an appealing market for them to explore.”
Some argue that in most cases, IoT hacks can be reversed with a simple device reset. However, the incentive to pay for IoT ransomware will not stem from irreversibility but rather from the timeliness of the attack and the criticality and potential losses of losing access to critical devices for any amount of time.
In fact, with IoT increasingly powering critical devices (such as drug infusion pumps and pacemakers) and industrial systems (such as power grids and water pumping stations), the financial value of locking down IoT ecosystems — and the damage resulting from not unlocking them in time — will rise exponentially.
Industrial IoT ecosystems already have every characteristic of an attractive ransomware target.
“Holding data for ransom is one thing,” says Rob Conant, CEO at IoT and cloud platform provider Cirrent, “but shutting down the electricity grid, cars, or traffic lights is quite another. Entire cities or regions could be impacted.”
“Most concerning is the threat against organizations who rely on IoT devices for Industrial Control Systems (ICS),” says Dave Larson, Chief Operating Officer at Corero Network Security. “This can include electric grid, hospitals and large scale automated manufacturing operations among others.”
The consumer IoT industry can still wait
Proof of concept ransomware attacks have already been presented at the consumer IoT level, which includes smart homes and offices, connected (and soon autonomous) cars and wearables.
This August, two researchers from U.K.-based security firm Pen Test Partners showed how they could lock down a connected thermostat with ransomware and force the owner to pay the ransom or have the device locked at 99 degrees.
Also, in a recent interview with Bloomberg, SVP at Intel Security Chris Young speculated on how ransomware can affect transportation. “Let’s say you get in your connected car in the morning — or your autonomous vehicle — and you get a pop-up that says, ‘If you pay me $300 I’ll let you drive to work today,’” he said. While he did mention that it isn’t a scenario that is likely to happen today, he emphasized that “it’s certainly not going to be outside the realm of possibility from what we might face.”
There’s also the possibility of malicious actors stealing critical data and private information that is being sent to the cloud, such as video feeds from connected cameras in homes and data generated by health devices, and blackmailing the owner into paying a ransom to avoid the publication of the embarrassing or harmful content.
It’s still too early to say the threat of ransomware in smart homes and connected cars is imminent, even though consumer-level IoT devices are often attributed with very poor security. The hodgepodge of software and hardware that constitute the consumer IoT industry actually make it hard to stage widespread ransomware attacks.
“Currently, the IoT industry is fragmented, lacking a standardized approach, operating system, and communication system,” Geotab’s Cawse says. “This has made it more difficult for ransomware criminals to conduct a generalized attack. Each attack would need to target a specific type of IoT device, which reduces the number of devices that can be targeted at the same time.”
We can thus conclude that for the moment, the cost-benefit balance of staging ransomware attacks against consumer IoT devices might not be motivating enough for malicious actors. But this is a situation that is likely to change in the future, as IoT becomes more pervasive in homes and offices.
But the threat to industrial IoT is imminent
However, industrial IoT ecosystems already have every characteristic of an attractive ransomware target. This can include any of the critical infrastructure that affect the lives of thousands and millions of people and have huge operational costs.
For instance, this year, U.S. hospitals were hit by a wave of ransomware attacks that disrupted their operations by denying them access to pertinent file systems. IoT ransomware attacks can be even worse, especially as IoT technology finds its way into the more critical sectors of medicine and healthcare.
“If a dark-actor compromises a hospital’s IoT systems, patient health could be at risk — and the value of a life pales in comparison to a ransom demand — so the potential of initial pay out by the hospital might be high because they need to buy time to remediate the infiltration,” says Corero’s Larson.
The IoT security landscape will continue to remain complicated and thorny while the industry is still going through its development phase.
This scenario can also play out in facilities such as manufacturing plants, Corero says, “where the ability to suspend operations of high value could prompt a payment if the loss of productivity is too substantial.”
Another big target of IoT ransomware can be power plants and electricity grids. Cirrent’s Conant refers to the 2003 Northeast U.S. blackout as an example, which, although not a cyber attack, was partly due to a software failure. The disaster cut off electricity for more than 55 million people, caused 11 deaths and resulted in an estimate $6 billion damage.
“Most don’t attribute this sequence of events to a bad actor, just a series of bugs and bad coincidences,” Conant says. “But a similar series of events could be caused by bad actors, and these bad actors could create these events for their own economic gain. Would electric utilities pay to prevent this kind of damage? Would politicians? Would businesses?”
Ransomware for the IoT could easily create impacts that are even bigger, Conant says, “and ransomware developers may want to find out.”
How to make IoT ecosystems and devices more robust against ransomware
While there’s no silver bullet or one-size-fits-all solution to protecting IoT devices and ecosystems against ransomware attacks, experts do believe that some general guidelines and practices can help organizations and manufacturers improve their defenses against IoT ransomware.
Cawse from Geotab emphasizes remote firmware updates as a decisive factor to creating devices that are more resilient to IoT ransomware, because “security is a journey not a destination, meaning that a device is not built secure forever.” According to Cawse, every IoT product should be updated “very easily and effectively, but also securely.”
This is especially true because, if not secured, update channels can themselves become mediums to infect devices with ransomware. As Cawse explains, secure updating means “using well-known industry best practices, i.e. locking the processor and firmware and encrypting the communication with our devices.” A robust OTA update mechanism can also serve as a means to recover devices that have fallen victim to IoT ransomware malware.
Conant underlines the need for a firm authentication mechanism to protect against IoT ransomware attacks. “In some cases, IoT devices are not even authenticated, which makes it trivial to spoof a product,” he says. “Doing this at large scale could disable millions of products — a problem not just for the companies, but for their customers.” Device spoofing can become especially problematic in a ransomware scenario when a server that connects millions of devices becomes infected with the malware.
Conant proposes to mitigate security risks through authentication and certificate life-cycle management, and standardized code base for network security, which “prevents a number of the attack vectors that ransomware hackers may otherwise use to bring a system down.”
The IoT security landscape will continue to remain complicated and thorny while the industry is still going through its development phase. For the time being, malicious actors are still weighing and exploring the possibilities and financial value that this hot new phenomenon might offer. Meanwhile, the efforts made by manufacturers and adopters of IoT devices leave a lot to be desired. This will probably change when hackers learn to monetize IoT vulnerabilities and decide to take full advantage. Let’s hope we’ll be ready when they do.