The Mirai botnet last year demonstrated the ease of which IoT-capable devices could be exploited, and according to one senior cybersecurity researcher, it won’t be long before we start to see ransomware targeting the Internet of Things.
“There’s been a lot of talk for a long time about the appalling state of security in general with IoT devices, and there have been some spectacular demonstrations of what might be possible,” said Nick FitzGerald, senior research fellow at ESET.
“The Mirai botnet showed that not only was the Internet of Things theoretically vulnerable, it was proven to be practically exploitable and economically worthwhile for cybercriminals to attack and use as part of their techniques and tradecraft.”
FitzGerald told IoT Hub that the absence of robust security with many IoT devices left them open to wide range of unpleasant or even disastrous threats.
He said that attack targets could range in scope from a smart TV, whose functionality is disabled unless a ransom is paid, to the control of a fleet of connected vehicles and the associated threat of accidents or injury.
“There is quite a range of scenarios, and we know that the criminal mindset is vast and diverse, often coming up with things that no-one has thought of,” he added.
“For the attackers, it’s about finding a sufficiently widespread device to exploit and for the venture to be economically viable.”
More often than not, the primary purpose of existing ransomware is the payment of an arbitrary ‘fee’ by those affected to ensure the release of affected data or systems.
“They’re not doing it for fun, or for notoriety, they’re doing it to make money,” FitzGerald said.
“If some new avenue like IoT devices proves especially easy or trivial for them to compromise – and therefore lowers the cost of development and distribution – it’s more likely that they would look for a way to monetise that opportunity.
“Alternatively, if an existing attack vector becomes more costly and reduces their return on investment, then they’re more likely to look for alternative methods of attack to make them money.”
Are we equipped to handle it?
FitzGerald said that current efforts to thoroughly investigate IoT ransomware as a threat have been “appallingly slow”, and that the threat is exacerbated by the expected deep integration of IoT devices with corporate infrastructure.
“If you’re being forced to rip out existing IoT devices every six months because they’re not able to accept security updates over the network, then it has a negative impact that the likelihood that the devices are going to be replaced,” he explained.
He also said that the impact of holding a simple internet-connected device – such as a thermostat – has much greater potential to cause large-scale disruption, beyond the impacted device itself.
“If a large enough number of connected thermostats in a particular geographic area were compromised you could cause the air conditioning systems attached to them to run at full power,” he said.
“The increase in power consumption not only inconveniences the home or business owner with a higher power bill, but could also disrupt and impact the power supply in the local grid.
“So even though the entry point is a simple smart home device, the actual target is much bigger, being the power generation and distribution networks in this case.”
A long road ahead
FitzGerald expects IoT to pervade in the lives of every person, whether they like it or not, and this causes an inherent difficulty to solve the ransomware threat.
While a number of consortiums such as the Open Connectivity Foundation, the ZigBee Alliance and others all emphasise the importance of robust security for IoT devices, he still sees an uphill battle ahead to make it a reality.
“The problem with security is that different regions have different regulations, and it becomes a nightmare for a device manufacturer to cater to each market region’s demands,” he said.
“To get some sort of multinational agreement takes years to achieve, and we can’t stop creating IoT devices or stop using existing ones in the meantime.
“I suspect that in the long term, it’s probably going to be some sort of regulatory intervention that will cause the greatest improvement, but I don’t know if advocating for that is going to help, specifically.”