As stated in IoT Ransomware Attacks – Part 1, IoT ransomware does not just hold your data hostage; it can lead to denial of service until the demanded ransom is paid to the hackers, who see quite a big market in this. The threat will grow for every industry that uses IoT devices.
The consumer IoT industry can still wait
Proof-of-concept ransomware attacks have already been presented at the consumer IoT level, which includes smart homes and offices, connected (and soon autonomous) cars and wearables.
Let’s say you get in your connected car or your autonomous vehicle in the morning and you get a pop-up that says, ‘If you pay me $500 I’ll let you drive to work today.’ It isn’t a scenario that is likely to happen today, but it’s certainly not outside the realm of possibility for what we might face in the near future.
There’s also the possibility of malicious actors stealing critical data and private information that is being sent to the cloud, such as video feeds from connected cameras in homes and data generated by health devices and blackmailing the owner into paying a ransom to avoid the publication of the embarrassing or harmful content.
It’s still too early to say the threat of ransomware in smart homes and connected cars is imminent, even though consumer-level IoT devices are often said to have very poor security. The hodgepodge of software and hardware that constitutes the consumer IoT industry actually makes it hard to stage widespread ransomware attacks.
Currently, the IoT industry is fragmented, lacking a standardized approach, operating system, and communication system. This has made it more difficult for ransomware criminals to conduct a generalized attack. Each attack would need to target a specific type of IoT device, which reduces the number of devices that can be targeted at the same time.
We can thus conclude that for the moment, the cost-benefit balance of staging ransomware attacks against consumer IoT devices might not be motivating enough for malicious actors. But this is a situation that is likely to change in the future, as IoT becomes more pervasive in homes and offices.
But the threat to industrial IoT is imminent
However, industrial IoT ecosystems already have every characteristic of an attractive ransomware target. This can include any critical infrastructure that affects the lives of thousands and millions of people and has huge operational costs.
For instance, this year, U.S. hospitals were hit by a wave of ransomware attacks that disrupted their operations by denying them access to pertinent file systems. IoT ransomware attacks can be even worse, especially as IoT technology finds its way into the more critical sectors of medicine and healthcare.
If a bad actor compromises a hospital’s IoT systems, patient health could be at risk, and a ransom demand pales in comparison to the value of a life, so the likelihood of an initial payout by the hospital might be high because it needs to buy time to remediate the infiltration.
This scenario can also play out in facilities such as manufacturing plants, where the ability to suspend operations of high value could prompt a payment if the loss of productivity is too substantial.
Another big target of IoT ransomware can be power plants and electricity grids. Just consider the 2003 Northeast U.S. blackout as an example, which, although not a cyber attack, was partly due to a software failure. The disaster cut off electricity for more than 55 million people, caused 11 deaths and resulted in an estimated $6 billion in damage.
Most don’t attribute this sequence of events to a bad actor, just a series of bugs and bad coincidences. But a similar series of events could be caused by bad actors, and these bad actors could create these events for their own economic gain. Would electric utilities pay to prevent this kind of damage? Would politicians? Would businesses?
Ransomware for the IoT could easily create impacts that are even bigger, and ransomware developers may want to find out.
How to make IoT ecosystems and devices more robust against ransomware
While there’s no silver bullet or one-size-fits-all solution to protecting IoT devices and ecosystems against ransomware attacks, experts do believe that some general guidelines and practices can help organizations and manufacturers improve their defenses against IoT ransomware.
Cyber experts emphasize remote firmware updates as a decisive factor in creating devices that are more resilient to IoT ransomware, because “security is a journey not a destination, meaning that a device is not built secure forever”. Every IoT product should be updatable very easily and effectively, but also securely.
This is especially true because, if not secured, update channels can themselves become a medium for infecting devices with ransomware. Secure updating means using well-known industry best practices, that is, locking the processor and firmware and encrypting the communication within the devices. A robust OTA (over-the-air) update mechanism can also serve as a means to recover devices that have fallen victim to IoT ransomware.
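One way a device can keep its update channel from becoming an infection path, as an added example that is not code from this article: it installs an image only if the manifest is authentic, the version is newer than the running one, and the image matches the manifest hash. The `Device` class, the manifest fields and the demo key are assumptions made for illustration, and HMAC stands in here for the asymmetric signature a production device would verify with a public key only.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in for an asymmetric signature
# (for example Ed25519), so that this sketch needs only the standard library.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the canonical JSON form of the manifest."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def make_update(version: int, image: bytes, key: bytes) -> dict:
    """Vendor side: bind version, size and hash of the image into a signed manifest."""
    manifest = {"version": version, "size": len(image),
                "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "tag": sign_manifest(manifest, key), "image": image}


class Device:
    """Hypothetical device that verifies an update before installing it."""

    def __init__(self, version: int, image: bytes, key: bytes):
        self.version, self.active, self.key = version, image, key

    def apply_update(self, update: dict) -> str:
        manifest, image = update["manifest"], update["image"]
        # 1. Authenticity: only the vendor can produce a valid tag.
        expected = sign_manifest(manifest, self.key)
        if not hmac.compare_digest(expected, update.get("tag", "")):
            return "rejected: manifest not authentic"
        # 2. Freshness: refuse replays of old (possibly vulnerable) firmware.
        if manifest["version"] <= self.version:
            return "rejected: rollback or replay"
        # 3. Integrity: the delivered bytes must be the ones the vendor signed for.
        digest = hashlib.sha256(image).hexdigest()
        if len(image) != manifest["size"] or digest != manifest["sha256"]:
            return "rejected: image does not match manifest"
        self.active, self.version = image, manifest["version"]
        return "installed"
```

The same path serves recovery: a device whose active image has been tampered with still accepts a newer, authentic image, while anything injected into the channel without the vendor's key is refused.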
There is a need for a firm authentication mechanism to protect against IoT ransomware attacks. In some cases, IoT devices are not even authenticated, which makes it trivial to spoof a product. Doing this at large scale could disable millions of products — a problem not just for the companies, but also for their customers. Device spoofing can become especially problematic in a ransomware scenario when a server that connects millions of devices becomes infected with the ransomware.
Security experts propose mitigating security risks through authentication and certificate life-cycle management, and a standardized code base for network security, which prevents a number of the attack vectors that ransomware hackers may otherwise use to bring a system down.
The IoT security landscape will continue to remain complicated and thorny while the industry is still going through its development phase. For the time being, malicious actors are still weighing and exploring the possibilities and financial value that this hot new phenomenon might offer. Meanwhile, the efforts made by manufacturers and adopters of IoT devices leave a lot to be desired. This will probably change when hackers learn to monetize IoT vulnerabilities and decide to take full advantage. Let’s hope we’ll be ready when they do.