By David Balaban
IoT ransomware is more dangerous than traditional ransomware
Ransomware has become one of the most serious cyber threats these years. Today, all of us – from home users to corporations and government organizations – are trying to protect ourselves from encryption viruses. However, we still ignore the beginning of the next wave of ransomware attacks aimed at encrypting IoT devices. It can be much more dangerous given the omnipresent and extremely diverse nature of the Internet of Things.
IoT ransomware has already been discussed online and at security conferences, but it was not considered a serious threat at the time. There are some differences that make IoT ransomware more dangerous than the already widespread extortion viruses for desktops and smartphones.
IoT ransomware does not encrypt your data
The well-known and most active crypto viruses like Locky and Cerber lock down important files on infected machines. Their main strength is irreversibility – the victims are forced to either pay for obtaining the decryption key or say goodbye to their files in case there are no backups. It is usually assumed that files and important data have a value expressed in money, and this fact attracts cyber extortionists. IoT devices often do not have any data at all. Some may think that ransomware authors are not interested in attacking IoT devices. It’s not actually so.
Instead of only locking some files, IoT viruses may lock and get complete control over many devices and even networks. IoT malware may stop vehicles, disconnect the electricity, even stop production lines. Such programs can do much more harm, and therefore hackers may demand much larger ransom amounts. This increases the attractiveness of the new underground market. One could argue that IoT hacking can be stopped with a simple reboot. However, the incentive to pay extortionists does not result from irreversibility but rather from the volume and character of potential losses which may occur during the time you lose control over the system.
While the Internet of Things expands the possibilities of life-supporting devices like pacemakers or industrial systems such as pumping stations, the financial benefits of blocking IoT infrastructure and the damage from belated response will grow exponentially. Organizations that use the Internet of Things in industrial control systems are the most vulnerable. These include power plants, big automated production lines, etc.
Consumer IoT devices
Attacks on consumer IoT devices, including smart homes and connected cars, are already real. Researchers have shown how they can gain control of a connected thermostat through the use of malicious code and set the device to increase the temperature to the maximum, causing the owner to pay a ransom.
Let’s imagine you got into a connected car this morning and suddenly there is a message on the screen: “If you pay $500, I’ll let you get to work today.” It was impossible several years ago, but due to technological progress, such a scenario does not look fantastic anymore.
Furthermore, IoT ransomware may steal important data and personal information, for example, from surveillance cameras connected to the network or from fitness gadgets and then blackmail people, threatening to publish their sensitive information.
Despite the fact that IoT devices often have serious security weaknesses, it is still premature to talk about the imminent ransomware threat for smart homes and connected cars. The wide variety of apps and devices created by thousands of manufacturers complicates extensive malware usage.
The IoT industry is highly fragmented these days. It lacks standardized approaches, common platforms and communication systems. It is tough to carry out mass attacks. Every time a compromise occurs, hackers only target a specific type of devices, which reduces the number of potential victims.
We can conclude that hackers’ benefits from attacking consumer IoT devices are currently small. But the situation is likely to change in the future as the Internet of Things is going to deeper penetrate into our homes and offices.
Industrial segment already facing high risks
We see an entirely different picture in the industrial segment of the Internet of Things. Industrial systems are already very attractive to cyber extortionists. This could be any relevant system that may affect the lives of thousands or millions of people and are extremely expensive to operate.
For example, several US hospitals have undergone a series of ransomware attacks recently. Normal workflow of the Hollywood Presbyterian Hospital was disrupted because of ransomware. Some patients had to be moved to other clinics, and doctors started to keep records the old fashioned way on paper.
If a hospital system is compromised, it puts the health of patients at risk. The likelihood is very high that the hospital will pay upon demand. An attack against critical infrastructure can be carried out successfully based on similar factors – if the lives of people might be put in danger and time is pressing, the owners would often agree to pay up. Power grids and power stations can be another important target for IoT malware. Their important role in the modern world was perfectly illustrated by the Northeast blackout of 2003. It caused $6 billion in losses within several hours, affecting 55 million people. It wasn’t a cyber attack but a software failure. Today, hackers constantly scan the Internet for important and vulnerable networks, so energy companies should be prepared.
How to protect IoT systems from ransomware
Although there is no universal solution, many experts believe that the observance of certain guidelines and methodologies can help organizations and manufacturers better protect their IoT systems from ransomware. One of the important points is the ability to remotely upgrade the firmware of smart devices. Safety is a journey, not a destination, and there are no connected devices that can stay safe forever. Therefore, a firmware update should be a very simple, effective and safe process. The latter is particularly important since insecure update channels can become portals for the infection to come in. There are time-tested measures to eliminate this malware entry point, such as blocking the processor and firmware, as well as encrypting communication channels between devices.
A reliable authentication mechanism poses another important protection measure. You may encounter situations these days when devices are connected to the Internet without any authentication at all. This paves the way for spoofing. If lack of authentication becomes a mass phenomenon, it will be possible to disable millions of devices. Spoofing is particularly dangerous when a server with millions of connected machines is infected.
To make intruders’ life much harder it is necessary to introduce reliable security certificate life-cycle management and standardize the code base of security systems. This will help reduce the number of attack vectors.
Of course, securing the Internet of Things remains an arduous task as the industry is only groping its way. Currently, online criminals are only beginning to weigh the risks and assess the opportunities and potential profitability of the new market. Meanwhile, manufacturers and users are not too concerned about the possible threat. Perhaps this will change quickly after the first successful incidents of rogue monetization of IoT vulnerabilities. Hopefully, we will have time to prepare.
About the Author
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.