Ransomware and the Internet of Things

We all know that ransomware has become a huge problem, hitting businesses and consumers alike as it encrypts valuable data and attempts to extort sometimes large sums of money for safe recovery.

But at least we can console ourselves with one thought: the threat has been confined to encrypting data on computers and web servers, or locking users out of their systems until a ransom has been paid.

But the rise of the Internet of Things (IoT) means that the nature of what we consider to be a computer is constantly widening, and these other devices could be targets for ransomware in the future, warns a report from the Institute for Critical Infrastructure Technology (ICIT).

The report, rather alarmingly entitled “Combatting the ransomware blitzkrieg”, discusses various families of crypto-ransomware and underlines the importance of computer users being prepared for such attacks with a layered defense.

But the particular part of the report that caught my eye was the section where it described potential future threats:

IoT devices offer a potential growth bed to any ransomware operation because the devices are interconnected by design and many pointedly lack any form of security. A selection of traditional malware will be too large to ever run on a number of IoT devices, but ransomware, predominantly consisting of a few commands and an encryption algorithm, is much lighter. How much do you predict someone would pay to remove ransomware from a pacemaker? The scenario is not too far-fetched; in fact, it is much more deadly. Many medical devices, such as pacemakers, insulin pumps, and other medication dispersion systems are internet or Bluetooth enabled. Ransomware could utilize that open connection to infect the IoT device.

I feel that the issue the ICIT is raising in this report is not too far-fetched.

We know from past experience that many cybercriminals have no qualms about putting lives in danger, and that many IoT devices have weak security compared to regular computers, suffer from hard-coded passwords, may have no simple updating infrastructure, and can be riddled with a wide variety of vulnerabilities.

We have even seen devices such as CCTV cameras and routers, which you wouldn’t naturally consider typical botnet recruits, being exploited to launch DDoS attacks.

So, what’s so different about such internet-enabled devices being meddled with in ransomware-style attacks, where the hackers demand a Bitcoin payment be made for the device’s return to normal operation? Why couldn’t ransomware target medical devices, for instance?

If criminals believe there is easy money to be made, surely some will be tempted to explore ransomware attacks against IoT devices in future.

The report goes on to quote Jon Miller from Cylance, who says that another form of attack against IoT devices could see attempts to reduce their battery life:

“…even light encryption on a pacemaker could decrease its battery life from about a decade to as little as a few years or even a few months because the device is not designed to sustain those operations. The more resource intensive the encryption, the more dire the situation.”

Of course, anyone launching an IoT ransomware attack will need to consider just *how* they will inform the device’s owner of their financial demands. That’s obvious on a laptop, but presents more of a challenge on a pacemaker unless the attacker has also managed to determine, say, their victim’s email address.

Whether ransomware attacks against IoT devices are going to be as regular a part of our future as attacks on traditional computer systems are today remains to be seen.

But it surely is another reason for us to be even more concerned that security is treated as a priority by all companies manufacturing internet-enabled devices.

Author Graham Cluley, We Live Security

Copyright © 2016 ESET, All Rights Reserved.