Vulnerabilities / Threats
3/6/2017
08:00 AM
Javvad Malik
Javvad Malik
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Threats Converge: IoT Meets Ransomware

Ransomware is already a problem. The Internet of Things has had a number of security issues. What happens when the two combine?

Ransomware had a breakout year in 2016, making headlines as it affected everything from hospitals to police stations. At the same time, attacks against Internet of things (IoT) devices — home appliances, toys, cars, and more, all brimming with newly exploitable connectivity — have continued to proliferate.

Most information security professionals agree that ransomware and IoT hacks will continue to increase in frequency, but one less obvious development that could be on the horizon is a convergence of both of these attack methods. So, what could the implications of an IoT ransomware attack be?

To answer this question, we first need to consider the potential target of an IoT ransomware attack. Ransomware usually goes after computers and networks that house the mission-critical data necessary to maintain the day-to-day operations of a business. Such targeting ensures that once this data has been encrypted and rendered useless, the organization has adequate incentive to purchase the cryptocurrency (typically Bitcoin) being demanded by the hacker to release its data.

Luckily for us, many IoT devices don't qualify as mission critical, as I doubt any parent is going to fork over a ransom to unlock their child's Hello Barbie. But there are certain devices that perform critical functions and therefore could meet this criterion. As IoT becomes more widespread and increases in sophistication, the number of potentially lucrative targets will only increase. Unlike with traditional ransomware, attackers that hijack IoT devices can not only compromise the data collected through a device's sensors, but could also render a critical device's physical functions inaccessible — greatly increasing the chances that a victim will pay up.

One device that is currently ripe for exploitation is the connected thermostat. Products like Nest and Ecobee remotely monitor and regulate the temperatures of homes. If compromised by hackers, they could be used to blast the air conditioning during a blizzard or crank up the heat in the middle of a July heatwave. Although this may seem like an inconvenience rather than a catastrophe for a typical homeowner, when applied to business environments, the stakes are raised. For example, an attacker who gains control of the HVAC systems of a large building could theoretically increase an organization's electricity bill to the point where paying a ransom becomes a practical and cost-effective alternative.  

The same reasoning behind the thermostat example can be applied to a wide range of other IoT devices. It wouldn't be difficult to imagine a hijacked smart lock taking on a mind of its own or a connected lightbulb refusing to illuminate. However, one can also imagine more disturbing scenarios arising from advanced IoT use cases, such as connected cars and smart cities. In such cases, a successful ransomware attack could extend well beyond a minor inconvenience, exposing affected victims to potentially dangerous or even life-threatening consequences.

However, IoT isn't a lost cause altogether. As with any emerging technology, IoT device vendors need to work out the security bugs in their products, and they're already beginning to do so. For every snooping Barbie discovered and connected car hacked, the industry moves one step closer to achieving the level of security that enterprise customers need. Similar to how the Target breach was a wake-up call for retailers, the IoT industry will inevitably be hit with an attack of a similar scope, whose repercussions will in turn serve as a major catalyst for industry-wide change.

Until we see this change, though, IT teams tasked with deploying connected devices must become more aware of the issues around IoT security and keep these in mind when deciding which devices to buy and deploy in their organizations. If your business can survive the next couple of years without going all in on IoT, it might be worth postponing purchases until the technology, especially the security, of these devices has evolved.

But if you absolutely can't wait, there are several considerations that are critical when purchasing a new device. These include:

  • Assess how easy it is to change default credentials. Many IoT-enabled devices, such as the Internet-enabled cameras that made up the Mirai botnet, are insecure because their owners never think to change the password. You wouldn't do that with your new laptop, would you?
  • Disable any insecure protocols. Not all devices are created equally, and device makers that fail to invest in secure protocols must be avoided. Right now, there is a lack of standards for what makes an IoT device secure, so it's up to buyers to assess what makes the device tick. For example, many vulnerable webcams were reported in 2016, due to a Real Time Streaming Protocol that enabled video sharing but didn't require a password for authentication.
  • Evaluate the recovery process. Many devices can have factory settings reset with one click, while others may require manufacturer involvement. Worse yet, in some cases, recovery may be impossible, forcing users to pay the ransom as a last resort. It's up to buyers to understand the recovery process for the devices they own, and to create a contingency plan should one of them be compromised. 

Whether you end up making the plunge into IoT or waiting until the kinks are worked out, the threats posed by Internet-connected devices are real. That being said, IoT is here to stay, so it's up to us to ensure it isn't allowed to compromise the security of our future. 

Related Content:

Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry's most prolific video bloggers with his signature fresh and light-hearted perspective on ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Security's #1 Problem: Economic Incentives
Dimitri Stiliadis, CEO of Aporeto,  9/25/2017
SMBs Paid $301 Million to Ransomware Attackers
Dark Reading Staff 9/21/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.