Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Cybercriminals Could be Coming After Your Coffee

Researchers show no IoT device is too small to fall victim to ransomware techniques.

(Image: <a href=""target="new">Leo Lintang</a> via Adobe Stock)

There's no question that ransomware has become one of the most feared (and loathed) cybersecurity attack types. The idea of your critical data sitting on your hard drives yet inaccessible is, frankly, terrifying. And a new study shows it could get much, much worse.

You know that cup of coffee that's pretty much the only thing that can get you out of bed most mornings? Well, some eye-opening ransomware research came out with the announcement of a proof-of-concept ransomware attack on a coffee maker. Losing access to critical data is one thing. Losing access to coffee is, as Vizzini said in "Princess Bride," "Inconceivable!"

But coffee makers may only be the tip of the inconceivable ransomware iceberg.

"I think the important thing to remember is that these issues are not new, but there are new tools to access these issues and to leverage them and to exploit them," says Kiersten Todt, managing director of the Cyber Readiness Institute.

She points out that giving yourself the ability to control Internet of Things (IoT) systems from 3,000 miles away gives others the same ability. And those IoT systems can extend far beyond caffeine delivery. While the infamous Target attack of 2013 took criminals from an HVAC contractor to Target's customer database, modern converged IT/OT systems can easily see lateral movement in the other direction.

And, as Terence Jackson, CISO at Thycotic, says, "I would say you wouldn't want to see your connected refrigerator or HVAC system 'ransomwared.' That would be a disaster."

While the idea of lateral movement between IT and OT systems in the enterprise could be disastrous, the current work-from-home environment means that attacks against residential IoT systems could have a significant impact on productivity -- or even become entry points for attacks against enterprise assets.

Some employees may not be a good understanding of precisely how great the risk might be.

"Going through our daily lives where we buy connected devices and don't even know [it], it can certainly create some risk and more than some inconvenience in a scenarios like ransomware hitting them," explains Brandon Hoffman, CISO at Netenrich.

Those connected systems can extend from coffee makers and refrigerators to physical security systems and environmental controls. And as the weather changes with the seasons, "I can't really work around my home thermostat as there is no way to manually run the heat or air conditioner," says Oliver Tavakoli, CTO at Vectra.

As connected technology moves into more aspects of employees' lives, the possibility grows for ransomware attacks that no consumer wants to experience and (to be honest) no enterprise security team wants to hear about. The recent proof-of-concept attack on the servers for an Internet-enabled "male chastity device" provides all the evidence most will find necessary that this is true.

There are multiple issues around these potential ransomware attacks against consumer systems, including nontech people "negotiating with malicious actors," Todt says.

Those negotiations are more likely because consumer devices aren't protected by the sort of sophisticated security systems that are routine in the enterprise.

"It's no longer about protecting the critical infrastructure. You have to protect the entire infrastructure because of IoT," she adds.

And that protection will not simply be for the sake of employees' morning cup of happiness, but for the security of the entire enterprise for which they work.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights