Dark Reading is part of the Informa Tech Division of Informa PLC

Javvad Malik

Threats Converge: IoT Meets Ransomware

Ransomware is already a problem. The Internet of Things has had a number of security issues. What happens when the two combine?

Ransomware had a breakout year in 2016, making headlines as it affected everything from hospitals to police stations. At the same time, attacks against Internet of Things (IoT) devices — home appliances, toys, cars, and more, all brimming with newly exploitable connectivity — have continued to proliferate.

Most information security professionals agree that ransomware and IoT hacks will continue to increase in frequency, but one less obvious development that could be on the horizon is a convergence of both of these attack methods. So, what could the implications of an IoT ransomware attack be?

To answer this question, we first need to consider the potential target of an IoT ransomware attack. Ransomware usually goes after computers and networks that house the mission-critical data necessary to maintain the day-to-day operations of a business. Such targeting ensures that once this data has been encrypted and rendered useless, the organization has adequate incentive to purchase the cryptocurrency (typically Bitcoin) being demanded by the hacker to release its data.

Luckily for us, many IoT devices don't qualify as mission critical, as I doubt any parent is going to fork over a ransom to unlock their child's Hello Barbie. But there are certain devices that perform critical functions and therefore could meet this criterion. As IoT becomes more widespread and increases in sophistication, the number of potentially lucrative targets will only increase. Unlike with traditional ransomware, attackers that hijack IoT devices can not only compromise the data collected through a device's sensors, but could also render a critical device's physical functions inaccessible — greatly increasing the chances that a victim will pay up.

One device that is currently ripe for exploitation is the connected thermostat. Products like Nest and Ecobee remotely monitor and regulate the temperatures of homes. If compromised by hackers, they could be used to blast the air conditioning during a blizzard or crank up the heat in the middle of a July heatwave. Although this may seem like an inconvenience rather than a catastrophe for a typical homeowner, when applied to business environments, the stakes are raised. For example, an attacker who gains control of the HVAC systems of a large building could theoretically increase an organization's electricity bill to the point where paying a ransom becomes a practical and cost-effective alternative.  

The same reasoning behind the thermostat example can be applied to a wide range of other IoT devices. It wouldn't be difficult to imagine a hijacked smart lock taking on a mind of its own or a connected lightbulb refusing to illuminate. However, one can also imagine more disturbing scenarios arising from advanced IoT use cases, such as connected cars and smart cities. In such cases, a successful ransomware attack could extend well beyond a minor inconvenience, exposing affected victims to potentially dangerous or even life-threatening consequences.

However, IoT isn't a lost cause altogether. As with any emerging technology, IoT device vendors need to work out the security bugs in their products, and they're already beginning to do so. For every snooping Barbie discovered and connected car hacked, the industry moves one step closer to achieving the level of security that enterprise customers need. Similar to how the Target breach was a wake-up call for retailers, the IoT industry will inevitably be hit with an attack of a similar scope, whose repercussions will in turn serve as a major catalyst for industry-wide change.

Until we see this change, though, IT teams tasked with deploying connected devices must become more aware of the issues around IoT security and keep these in mind when deciding which devices to buy and deploy in their organizations. If your business can survive the next couple of years without going all in on IoT, it might be worth postponing purchases until the technology, especially the security, of these devices has evolved.

But if you absolutely can't wait, there are several considerations that are critical when purchasing a new device. These include:

  • Assess how easy it is to change default credentials. Many IoT-enabled devices, such as the Internet-enabled cameras that made up the Mirai botnet, are insecure because their owners never think to change the password. You wouldn't do that with your new laptop, would you?
  • Disable any insecure protocols. Not all devices are created equal, and device makers that fail to invest in secure protocols must be avoided. Right now, there is a lack of standards for what makes an IoT device secure, so it's up to buyers to assess what makes the device tick. For example, many vulnerable webcams were reported in 2016, due to a Real Time Streaming Protocol (RTSP) service that enabled video sharing but didn't require a password for authentication.
  • Evaluate the recovery process. Many devices can have factory settings reset with one click, while others may require manufacturer involvement. Worse yet, in some cases, recovery may be impossible, forcing users to pay the ransom as a last resort. It's up to buyers to understand the recovery process for the devices they own, and to create a contingency plan should one of them be compromised. 

Whether you end up taking the plunge into IoT or waiting until the kinks are worked out, the threats posed by Internet-connected devices are real. That being said, IoT is here to stay, so it's up to us to ensure it isn't allowed to compromise the security of our future.


Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry's most prolific video bloggers with his signature fresh and light-hearted perspective on ...
