Why IoT could be the next ransomware target

by Simon Howe, Director of Sales Asia Pacific for LogRhythm

When 55 speed cameras in Victoria were infected with the WannaCry ransomware last year, questions were quickly raised about the network’s integrity.

Had the malware been specifically targeted at the camera system? Had it damaged the cameras? What assurances could be made that fines meted out to motorists were legitimate?

It would turn out the cameras were not targeted in a coordinated fashion, and that the infection was simply a mistake - the result of a technician connecting them one at a time to an infected piece of hardware.

So while it wasn’t an attack on a connected network of things, it showed what kind of fallout such an attack might bring, and it underlined the security threats posed by widespread adoption of the Internet of Things (IoT).

To date, the threat posed to IoT networks has been hard to quantify.

In addition to the Victorian incident, in February 2017 a viral tale emerged of an unidentified university’s network of vending machines being hijacked and converted into a bot that attacked the learning institution’s own network.

More recently, someone hijacked dozens of closed-circuit TV cameras across Japan. While the owners lost control of their cameras, it is unclear how much damage the incidents actually caused.

As IoT becomes more pervasive in homes and businesses, it seems inevitable that a more serious security breach will occur.

One reason IoT could become attractive to attack is because it already suffers from security weaknesses.

IoT systems represent a less well-defended target. Connected objects, in both the enterprise and consumer segment, often come with weaker built-in security: they're harder to patch, trickier to secure with third-party security products, and are often still found using the default password they were shipped with. In addition, standards around IoT security are not as yet fully developed.

Businesses know this: last year, an IDC study found security and privacy concerns are still the biggest perceived inhibitors for IoT projects in Australia.

Yet, IoT and associated analytics systems offer businesses enormous potential to optimise existing operations and create value and growth. These are powerful outcomes that continue to feed into business cases for IoT, both here and overseas.

According to analyst estimates, by 2020 there will be more than 20 billion objects connected to the internet. While the largest proportion will be in homes, business use will account for more than eight billion of those objects. From industrial robots to smart printers, each of those 'things' will represent a potential attack vector that cybercriminals can use against organisations with IoT capabilities.

IoT could become a prime vector for ransomware attacks. The potential to blackmail owners of connected ‘things’ to pay to regain control of their devices could prove particularly lucrative for attackers - much more so than targeting consumers.

Manufacturing businesses with industrial robots that are infected by ransomware could see production shut down altogether, causing losses running into hundreds of thousands of dollars. The consequences of ransomware suddenly switching off connected medical devices or autonomous vehicles don't bear thinking about.

With so much at stake, enterprises may decide that paying ransoms is simply a cost of doing business, and criminals may raise them accordingly.

However, while IoT may seem like an open goal for cybercriminals - particularly those seeking ransoms - technical factors may work to limit its attractiveness as an attack vector.

One is the relatively simple form factors that IoT devices have: without a screen, it's going to be difficult for ransomware writers to tell victims how to pay a ransom, or even that they're infected in the first place. There are also many layers of abstraction between an IoT device at the edge of a network and the crown jewels of corporate data at its heart, meaning ransomware writers will have to be both creative and devious to ensure their campaigns have enough impact to get businesses to pay up. While infecting IoT systems with ransomware may not be as simple as infecting PCs, that isn't likely to put off malware writers.

Researchers have already demonstrated proof-of-concept attacks using devices such as thermostats and robots. And, while high-profile infections have yet to make headlines, reports suggest the first IoT ransomware attacks have already happened.

th the use of IoT set to grow over the coming years, they're unlikely to be the last.

Tags LogRhythmIoTWannaCry

Show Comments