Ben Dickson shares his thoughts in this blog which was originally posted here on Tech Talks Blog.
At the recent Def Con hacking conference in Las Vegas, two researchers from cybersecurity firm Pen Test Partners showed that they could inflict your smart thermostat with ransomware from hundreds of miles away, and force you to fork over cash (usually bitcoins) before you could regain control of the appliance.
Ransomware has been around for a while. It’s a breed of malware that locks down access to your files by encrypting them and sells you the decryption key that will give you back access to the files. IoT ransomware is relatively new. However, this isn’t the first time that the topic of IoT ransomware has been brought up by cybersecurity experts. Experts from Symantec presented a research on ransomware for wearables (aka “ransomwear”) last year at the Black Hat conference. The issue was also raised by experts at the Institute for Critical Technology (ICIT), specifically in regards to healthcare IoT.
Unfortunately, though, IoT ransomware isn’t being given enough attention, or not being looked at from the right perspective, which can lead to its underestimation and disastrous outcomes that could result not only in financial losses, but in loss of life as well.
Why is IoT ransomware being underrated?
The fact that IoT ransomware is not being given enough attention stems from the fact that it is being perceived in the same light as traditional ransomware.
However there are two key differences.
The classic ransomware model owes its success to its irreversibleness. When your PC, laptop or smartphone becomes inflicted with ransomware, your valuable files are encrypted and the only thing that can give you back those files is the private key, which is in the hands of the culprits (that is unless you have a backup of your files).
And that is why you’re left with no other option than to pay the ransom. That’s why even the FBI recommends to pay the ransom.
That is simply not feasible with IoT. First of all, with most IoT data being stored in the cloud, there’s little or nothing of value on the devices themselves. So even if the data becomes encrypted, there’s little incentive for the owner to pay the ransom.
Which means, ransomware attackers will have to fall back to the older form of ransomware, the one that locks your device and ransoms you for regaining access to its functionality. And that is as trivial to overcome as resetting the device and installing new patches and updates, which is even easier to accomplish with IoT devices than PCs.
The second argument that discredits IoT ransomware has to do with the perspective of the attackers. Ransomware developers are always looking to make the most money for the least effort. So an exploit of Windows or Adobe Flash or Internet Explorer will enable hackers to target hundreds of millions of users. But IoT devices are so various that each of them would have to be targeted in a different way, which would make it more of a challenge for hackers.
There’s also the minor issue of needing a user interface such as a screen display to inform the user that they’ve been hacked by ransomware. A considerable percentage of IoT devices lack any display mechanism and the hackers will have to go the extra step of discovering the user’s email or hacking the app that controls the device as well.
These factors will not create enough financial motivation for hackers to invest in IoT ransomware. Or so we think.
Why should it be taken seriously?
The correct use of IoT ransomware hinges on being timely and critical, not on being irreversible. The entire point is to strike at the target at a time and place where they won’t be able to reset the device or counter the effects of the ransomware and will be more willing to pay the ransom.
So instead of looking for valuable files on your Nest Thermostat, hackers will lock it up with ransomware while you’re away on vacation and send you a notification to tell you that your smart home has been hacked and you either have to pay a ransom or the thermostat gets locked at a high temperature. By the time you fly back home to disable or reset the thermostat, your home will get fried, and if not, you’ll have to settle for the huge electricity bill that will come at the end of the month because of the active use of the appliance.
In the connected car industry, hackers will track you down and hack your car while you’re on a desert highway, with no means to fix the problem on your own and no access to service centers. Then you’ll be forced to either cooperate with the hackers or hitchhike your way to the nearest city to get help.
In industrial IoT, things can get even nastier. Imagine a hacked power grid (and these things do happen). The hackers won’t give you 48 or 72 hours to hand over the cash, as is the case with traditional ransomware. They’ll give you 30 or 45 minutes turn over bitcoins. And after that, it’ll be total blackout.
Medical IoT can become an attractive target for ransomware as well. Your pacemaker or drug infusion pump in the control of hackers can be a dangerous situation. How about handing over a bitcoin or seeing your heart skip a beat?
The IoT ransomware model is fundamentally different from the computer and laptop paradigm, but no less dangerous. It is only a matter of time before hackers decide it’s worth their time and try their hand at hacking IoT devices for ransom. This is another reminder of the cybersecurity tradeoffs that IoT poses on consumers.
What’s important is that we keep our vigil and stay prepared to protect ourselves and our devices against such attacks. I will soon be writing about IoT ransomware and the possible solutions. I welcome any sort of expert opinion on the topic.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the IoT Security Foundation.