Attacks on the IoT could be more serious than you think
It’s no newsflash that the Internet of Things (IoT) is seeping into every aspect of our lives. It’s wearable, portable, and even implantable, transforming physical objects (and people) into a connected universe that’s changing the way we live and work.
Gartner forecasts that there will be 20.4 billion IoT devices deployed by 2020. And some cybersecurity experts fear that’s setting the stage for a nightmarish scenario of smart devices as the next target of ransomware.
In its Threat Horizon 2019 report, the Information Security Forum (ISF) – a nonprofit association that researches and analyzes security and risk management issues – ranked ransomware aimed at the IoT as one of the biggest threats facing people and organizations this year.
Ransomware is a breed of malware that typically locks down access to files by encrypting them – and then sells the key back to the targeted business or individual. Organizations suffered a median cost per ransomware attack of $133,000 in 2017, including the ransom, downtime, and recovery costs.
Ransomware is a billion-dollar industry for cybercriminals – it’s so lucrative that ransomware-as-a-service is now a thing, enabling hackers to launch attacks with minimal upfront costs.
But here’s the thing: the impact of ransomware on smart devices can be far worse than a hacker simply blocking a user from accessing data. It can interfere with the functionality of the device itself – a situation that has the potential to disrupt business operations and automated production lines, as well as cause real physical harm or death to its victims.
The ISF also predicts that cybercriminals will use IoT devices as gateways for installing ransomware on other devices and systems throughout organizations.
Worst-case scenarios for ransomware aimed at the IoT
Consider what could happen if attackers target critical systems such as power grids, threatening to shut them down if ransoms aren’t paid by a certain time. An infected smart lock could shut people out of their homes or businesses – or leave them open and vulnerable to anyone who wants to peruse their contents. A smart thermostat in a hospital could harm patients and ruin medications if hackers seize control and intensify the heat.
Smart cars could be prevented from starting or, even more frightening, shut down in the middle of a highway unless a ransom is paid. Smart medical devices present even more worrisome scenarios, as pacemakers or insulin pumps connected online could be switched off if ransoms are ignored.
The IoT is growing faster than IT departments can secure it. An RFID Journal report asserts that the number of IoT devices on a company’s network could be as high as 20 per employee – and businesses aren’t even aware that many personal devices are connecting.
And with California the only state to pass a law regulating IoT security and federal bills so far failing to gain traction, many IoT manufacturers have little incentive to make cybersecurity a priority.
The massive Mirai botnet attack in 2016 spotlighted just how poorly secured many IoT devices are. As the biggest DDoS attack ever, it exploited weaknesses in webcams, DVR players, and other IoT devices to shut down huge portions of the Internet for hours, including the websites for Twitter, Netflix, and CNN.
Spiceworks’ State of IT 2019 report states that 29 percent of organizations have adopted IoT devices, and another 19 percent plan to this year. But only 36 percent of IT professionals feel confident in their ability to thwart cyberattacks against them.
IoT ransomware: a new paradigm
There are several reasons the threat of IoT ransomware is only just being taken seriously in cybersecurity circles. The first is the way traditional ransomware works: It owes its success to its irreversibility. Ransomware that attacks a computer or smartphone encrypts valuable files so they can only be opened by the cybercriminal’s private key – leaving you no choice other than paying the ransom if you want the files back, or starting fresh from a back-up.
But the game changes when it comes to the IoT. Most IoT data is stored in the cloud, so there’s little of value on the devices themselves. No one will care to pay a ransom if that data is encrypted.
Hackers’ only hope of success is locking the device and demanding a ransom to regain access to its functionality. But even then, resetting the device and installing new patches and updates should eliminate the problem.
Another stumbling block is that many IoT devices lack interfaces like screen displays to inform users they’ve been hacked by ransomware. Cybercriminals will have to go the extra step of discovering their target’s email or hacking the app that controls the device.
Cybersecurity experts have been skeptical that IoT ransomware could generate enough returns to make it worth all that effort. Ransomware that exploits Windows or Internet Explorer, for instance, targets hundreds of millions of users. Each type of IoT device needs to be targeted in a unique way – lessening the financial motivation.
But when it comes to IoT ransomware, the secret to a hacker’s success will come down to timing. If hackers strike at a critical time and place where people can’t reset their device or counter the effects, they will be much more likely to pay a ransom.
That means seizing control of a company’s smart cargo truck when it’s on a rural highway, for instance, far from the nearest service center. The company might choose to pay the ransom instead of increasing its financial losses with every second the cargo is stuck. Manufacturing businesses with industrial robots infected by ransomware might quickly pay to avoid production completely shutting down. Or, what hospital could risk refusing to pay a ransom to a hacker who creates a life-or-death situation by seizing control of mission-critical medical devices?
6 steps to stronger IoT security
Here are six steps businesses can immediately take to shore up their defenses against IoT ransomware:
- Never deploy devices on your network whose software, passwords, or firmware can’t be quickly updated.
- Of course, minimize vulnerabilities by always patching IoT devices with the latest software and firmware updates.
- Immediately change the default username and password of any IoT device. The Mirai IoT botnet infected devices by logging in with their factory-default credentials.
- Every IoT device on your network should have a unique password.
- Raise awareness of the IoT ransomware threat across your organization and mandate minimum security requirements.
- Incorporate IoT ransomware scenarios into your cybersecurity plan and run regular simulations.
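The first four steps above (only updatable devices, current firmware, no factory defaults, no password reuse) can be turned into a recurring inventory audit. The Python script below is an added example and is not code from the original article or from any organization it cites; the inventory fields, the sample devices, the 90-day firmware-age limit and the default-credential list are all assumptions constructed for the example. In a real deployment the inventory would come from an asset-management or NAC system and credentials would be compared through a vault reference rather than stored in plaintext.

```python
"""Audit an IoT device inventory against basic ransomware-hardening policy.

Added example, not from the original article. All data and thresholds are
constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed list of generic factory credentials (assumption; a real audit
# would use a maintained, vendor-specific list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", ""),
}

# Policy threshold (assumption): firmware older than this is "stale".
MAX_FIRMWARE_AGE_DAYS = 90


@dataclass
class Device:
    name: str
    vendor: str
    username: str
    password: str            # plaintext only for illustration (see lead-in)
    firmware_date: date      # release date of the installed firmware
    supports_updates: bool   # can software/firmware/credentials be changed?


@dataclass
class Finding:
    device: str
    rule: str
    detail: str


def audit(devices, today):
    """Return a list of Finding objects, one per policy violation."""
    findings = []
    # Count password reuse across the whole fleet so shared secrets are flagged
    # on every device that uses them.
    password_use = Counter(d.password for d in devices)

    for d in devices:
        # Step 1: devices that cannot be patched or re-credentialed do not belong
        # on the network at all.
        if not d.supports_updates:
            findings.append(Finding(d.name, "no-update-path",
                                    "cannot be patched or re-credentialed; remove from network"))
        # Step 2: firmware must be current.
        age_days = (today - d.firmware_date).days
        if age_days > MAX_FIRMWARE_AGE_DAYS:
            findings.append(Finding(d.name, "stale-firmware",
                                    f"firmware is {age_days} days old (limit {MAX_FIRMWARE_AGE_DAYS})"))
        # Step 3: factory defaults must be gone.
        if (d.username, d.password) in DEFAULT_CREDENTIALS:
            findings.append(Finding(d.name, "default-credentials",
                                    "factory default username/password still in use"))
        # Step 4: every device gets a unique password.
        if password_use[d.password] > 1:
            findings.append(Finding(d.name, "shared-password",
                                    f"password reused on {password_use[d.password]} devices"))
    return findings


def summarize(findings):
    """Map each device name to the sorted list of rules it violates."""
    summary = {}
    for f in findings:
        summary.setdefault(f.device, set()).add(f.rule)
    return {name: sorted(rules) for name, rules in summary.items()}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("lobby-cam-01", "ExampleCam", "admin", "admin", date(2018, 6, 1), True),
    Device("hvac-ctrl-02", "ExampleHVAC", "ops", "Xk7!pq", date(2019, 1, 15), True),
    Device("dock-scanner-03", "ExampleScan", "ops", "Xk7!pq", date(2019, 2, 1), False),
]
AUDIT_DATE = date(2019, 3, 1)  # constructed "today" for the sample run


def run_sample():
    """Audit the constructed inventory; used by the usage block and tests."""
    return summarize(audit(SAMPLE_INVENTORY, AUDIT_DATE))


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{f.device:16} {f.rule:20} {f.detail}")
```

Running the script prints one line per violation; feeding it a real inventory on a schedule gives a concrete checklist for the first four steps, while the last two (awareness and simulations) remain organizational work.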
Of course, even with these strategies in place, IoT devices represent a target within your organization: they can be harder to patch, trickier to secure, and, more often than not, are still using the default password they came with. A skilled cybersecurity provider can offer next-generation endpoint security tools to monitor and block ransomware aimed at IoT devices before an attack causes major financial losses – or worse – to your organization.