Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/6/2017
08:00 AM
Javvad Malik
Javvad Malik
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Threats Converge: IoT Meets Ransomware

Ransomware is already a problem. The Internet of Things has had a number of security issues. What happens when the two combine?

Ransomware had a breakout year in 2016, making headlines as it affected everything from hospitals to police stations. At the same time, attacks against Internet of things (IoT) devices — home appliances, toys, cars, and more, all brimming with newly exploitable connectivity — have continued to proliferate.

Most information security professionals agree that ransomware and IoT hacks will continue to increase in frequency, but one less obvious development that could be on the horizon is a convergence of both of these attack methods. So, what could the implications of an IoT ransomware attack be?

To answer this question, we first need to consider the potential target of an IoT ransomware attack. Ransomware usually goes after computers and networks that house the mission-critical data necessary to maintain the day-to-day operations of a business. Such targeting ensures that once this data has been encrypted and rendered useless, the organization has adequate incentive to purchase the cryptocurrency (typically Bitcoin) being demanded by the hacker to release its data.

Luckily for us, many IoT devices don't qualify as mission critical, as I doubt any parent is going to fork over a ransom to unlock their child's Hello Barbie. But there are certain devices that perform critical functions and therefore could meet this criterion. As IoT becomes more widespread and increases in sophistication, the number of potentially lucrative targets will only increase. Unlike with traditional ransomware, attackers that hijack IoT devices can not only compromise the data collected through a device's sensors, but could also render a critical device's physical functions inaccessible — greatly increasing the chances that a victim will pay up.

One device that is currently ripe for exploitation is the connected thermostat. Products like Nest and Ecobee remotely monitor and regulate the temperatures of homes. If compromised by hackers, they could be used to blast the air conditioning during a blizzard or crank up the heat in the middle of a July heatwave. Although this may seem like an inconvenience rather than a catastrophe for a typical homeowner, when applied to business environments, the stakes are raised. For example, an attacker who gains control of the HVAC systems of a large building could theoretically increase an organization's electricity bill to the point where paying a ransom becomes a practical and cost-effective alternative.  

The same reasoning behind the thermostat example can be applied to a wide range of other IoT devices. It wouldn't be difficult to imagine a hijacked smart lock taking on a mind of its own or a connected lightbulb refusing to illuminate. However, one can also imagine more disturbing scenarios arising from advanced IoT use cases, such as connected cars and smart cities. In such cases, a successful ransomware attack could extend well beyond a minor inconvenience, exposing affected victims to potentially dangerous or even life-threatening consequences.

However, IoT isn't a lost cause altogether. As with any emerging technology, IoT device vendors need to work out the security bugs in their products, and they're already beginning to do so. For every snooping Barbie discovered and connected car hacked, the industry moves one step closer to achieving the level of security that enterprise customers need. Similar to how the Target breach was a wake-up call for retailers, the IoT industry will inevitably be hit with an attack of a similar scope, whose repercussions will in turn serve as a major catalyst for industry-wide change.

Until we see this change, though, IT teams tasked with deploying connected devices must become more aware of the issues around IoT security and keep these in mind when deciding which devices to buy and deploy in their organizations. If your business can survive the next couple of years without going all in on IoT, it might be worth postponing purchases until the technology, especially the security, of these devices has evolved.

But if you absolutely can't wait, there are several considerations that are critical when purchasing a new device. These include:

  • Assess how easy it is to change default credentials. Many IoT-enabled devices, such as the Internet-enabled cameras that made up the Mirai botnet, are insecure because their owners never think to change the password. You wouldn't do that with your new laptop, would you?
  • Disable any insecure protocols. Not all devices are created equally, and device makers that fail to invest in secure protocols must be avoided. Right now, there is a lack of standards for what makes an IoT device secure, so it's up to buyers to assess what makes the device tick. For example, many vulnerable webcams were reported in 2016, due to a Real Time Streaming Protocol that enabled video sharing but didn't require a password for authentication.
  • Evaluate the recovery process. Many devices can have factory settings reset with one click, while others may require manufacturer involvement. Worse yet, in some cases, recovery may be impossible, forcing users to pay the ransom as a last resort. It's up to buyers to understand the recovery process for the devices they own, and to create a contingency plan should one of them be compromised. 

Whether you end up making the plunge into IoT or waiting until the kinks are worked out, the threats posed by Internet-connected devices are real. That being said, IoT is here to stay, so it's up to us to ensure it isn't allowed to compromise the security of our future. 

Related Content:

Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry's most prolific video bloggers with his signature fresh and light-hearted perspective on ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.