We all know that ransomware has become a huge problem,
hitting businesses and consumers alike as it encrypts valuable data and
attempts to extort sometimes
large sums of money for safe recovery.
But at least we can console ourselves with one
thought: the threat has been confined to encrypting data on computers and web
servers, or locking users out of their systems until a ransom has been paid.
But the rise of the Internet of Things (IoT) means
that the nature of what we consider to be a computer is constantly widening,
and these other devices could be targets for ransomware in the future, warns a
report from the Institute for Critical Infrastructure Technology (ICIT).
The report, rather alarmingly entitled “Combatting the
ransomware blitzkrieg”, discusses various families of
crypto-ransomware and underlines the importance of computer users being
prepared for such attacks with a layered defense.
But the particular part of the report that caught
my eye was the section where it described potential future threats:
IoT devices offer a
potential growth bed to any ransomware operation because the devices are
interconnected by design and many pointedly lack any form of security. A
selection of traditional malware will be too large to ever run on a number of
IoT devices, but ransomware, predominantly consisting of a few commands and an
encryption algorithm, is much lighter.
How much do you predict someone would pay to remove
ransomware from a pacemaker? The scenario is not too far-fetched; in fact, it
is much more deadly. Many medical devices, such as pacemakers, insulin pumps,
and other medication dispersion systems are internet or Bluetooth enabled.
Ransomware could utilize that open connection to infect the IoT device.
I feel that the issue the ICIT is raising in this
report is not too far-fetched.
We know from past experience that many
cybercriminals have no qualms about putting lives in danger, and that many IoT
devices have weak
security compared to regular computers: they suffer from hard-coded
passwords, may have no simple updating infrastructure, and can be
riddled with a wide variety of vulnerabilities.
We have even seen devices such as CCTV cameras and routers,
which you wouldn’t naturally consider typical botnet recruits, being
exploited to launch DDoS attacks.
So, what’s so different about such internet-enabled
devices being meddled with in ransomware-style attacks, where the hackers
demand a Bitcoin payment be made for the device’s return to normal operation?
Why couldn’t ransomware target medical devices, for instance?
In 2010, a hacker remotely disabled over 100 cars
in Austin, Texas by hacking into an online vehicle immobilization service. How
easy would it have been to have combined
If criminals believe there is easy money to be
made, surely some will be tempted to explore ransomware attacks against IoT
devices in future. The report goes on to quote Jon Miller from
Cylance as saying that another form of attack against IoT devices could see attempts to
reduce their battery life:
“…even light encryption on a pacemaker could
decrease its battery life from about a decade to as little as a few years or
even a few months because the device is not designed to sustain those
operations. The more resource intensive the encryption, the more dire the
situation.”
Of course, anyone launching an IoT ransomware
attack will need to consider just *how* they will inform the device’s owner of
their financial demands. That’s obvious on a laptop, but presents more of a
challenge on a pacemaker unless the attacker has also managed to determine,
say, their victim’s email address.
Whether ransomware attacks against IoT devices are
going to be as regular a part of our future as attacks on traditional computer
systems are today remains to be seen.
But it surely is another reason for us to be even
more concerned that security is treated as a priority by all companies
manufacturing internet-enabled devices.