2017 will likely be remembered as the year of ransomware, with high-profile attacks by WannaCry and NotPetya dominating the headlines and causing widespread disruption to organisations around the world.
Unfortunately, the popularity of this technique shows no signs of slowing down anytime soon, and the threat vector is on track to become increasingly sophisticated and exacerbated in the year ahead thanks to the growing number of unsecured Internet of Things (IoT) devices on the market.
When these two worlds collide, and cyber criminals start infecting smart devices with ransomware, it will vastly expand the network of potential targets for cybercriminals – making the “ransomware of IoT” a new nightmare that the security world will have to prepare for 2018.
How ransomware evolved in 2017
With lower execution costs, high returns and minimal risk of discovery (compared to other forms of malware), ransomware has quickly become a preferred method of attack for cybercriminals. It’s now easier than ever for virtually anyone – even individuals with minimal security knowledge – to extort money from companies and individuals through do-it-yourself ransomware toolkits or via ransomware-as-a-service (RaaS) providers, who provide all of the infrastructure needed to launch a ransomware attack and collect the proceeds from infected victims.
Cybercriminals generally aim to take the path of least resistance while achieving maximum ROI, and RaaS lets them do just that, delivering an all-inclusive, easy-to-use and very lucrative service for would-be attackers.
The IoT problem
Earlier this year, we saw the devastation caused by Mirai and similar malware, which recruited insecure IoT devices to create botnets capable of launching huge DDoS attacks. The problems presented by insecure IoT devices will continue to worsen in 2018, as more and more manufacturers connect their products to the internet.
Some of these may be relatively harmless, such as a salt shaker that tracks your daily salt intake, but others, such as child’s smartwatch that could be hacked and enable attackers to spy on a family, could have more severe consequences.
To increase ease-of-use, IoT devices are generally designed with a lack of security features, and they typically don’t offer consumers the option to upgrade or apply patches when there are issues.
Additionally, many vendors choose convenience over implementing proper security measures, e.g. using default credentials in their products, which are easy for an attacker to compromise.
This approach is a flagrant violation of best practices in product development, and the result is that such devices are left wide open for attack and infection. When it comes to the security of their products, IoT device manufacturers operate largely without regulation, standards or oversight – creating a perfect situation for cybercriminals to exploit.
When IoT meets ransomware
The impact of ransomware on smart devices extends well beyond a criminal simply preventing a user from being able to access the data on their devices – it could also interfere with the functionality of the device itself, a situation that can have real, and potentially dangerous, physical implications. For example, ransomware that infects a smart thermostat could potentially turn up the heating to full in the middle of summer, or turn it off completely in the winter unless a ransom is paid. While this might be only an annoyance for most people, it could prove harmful to some vulnerable victims.
An infected smart lock could lock people in or out of their houses, or remain permanently open, allowing full access to a victim’s home and belongings. Infection of smart fridges, smart bulbs, or any number of smart devices in a home, could also cause disruption.
Progressing to even more dangerous scenarios, smart cars, or cars with ever-increasingly connected features, could be targeted to not start, or worse still, shut down in the middle of a motorway unless a ransom is paid. Also, as more medical devices such as pacemakers or insulin pumps are connected online, they could be hijacked and switched off if a ransom is not paid, and the consequences of this could be potentially lethal.
When it comes to securing IoT devices, many vendors simply aren’t willing to put in the extra effort to ensure security because there is not yet any regulation to require it. Could 2018 finally be the year we see governments around the world take an active role in IoT security and put pressure on manufacturers to do the right thing for consumers? Let’s hope that it won’t take a ‘ransomware of IoT’ nightmare for governments and manufacturers to step up and address this growing cyber threat, and finally put consumer safety above convenience.
Sourced by Javvad Malik, security advocate at AlienVault