Contributed blog from Javvad Malik, security advocate at AlienVault
Over the last couple of years, two trends have risen rapidly in the world of technology: the internet of things (IoT), and ransomware.
The Internet of Things is where Internet connectivity is added to an otherwise normal 'thing' or device. These devices are then often marketed as 'smart devices'. This has given birth to items such as toothbrushes that can connect to Twitter, smart pillows for that enhanced sleeping experience, and smart hairbrushes that collect data on... well, I'm not sure exactly what.
The second big trend that has grown in recent times is ransomware, which is favoured by cyber-criminals looking to extort money from their victims. Once it is introduced onto a system, ransomware will generally encrypt the files on a victim's computer, and refuse to allow access until a ransom is paid.
But what happens when these two worlds collide, and cyber-criminals start to plant ransomware onto smart devices? And how can you protect yourself from these kinds of attacks?
Whenever a new technology is adopted, there are teething problems. The user interfaces of smart devices are generally mobile apps that typically require users to go through painstaking processes of installation, account creation, pairing and configuration. Or worse still, the device might only communicate its status to users through a series of LEDs that make cracking the Enigma code seem trivial by comparison.
Some devices are designed to only work when online, and do not have any redundancy to operate when intentionally or unintentionally taken offline.
There is also the issue of updates. To fix flaws or introduce new functionality, companies have to push out updates to devices on a regular basis. Unfortunately, these often arrive at inopportune moments, and the device becomes unusable for the duration of the upgrade. This can make smart devices vulnerable to a series of cyber attacks.
When Smart Devices Meet Ransomware
Cyber-criminal organisations operate much like any other business, looking for low costs and high returns with minimal risks. Ransomware ticks the traditional business boxes of having a low customer acquisition cost, good pricing potential, and the ability to instill a sense of buying urgency.
When you add IoT devices to the mix, the addressable market size grows significantly, so developing ways to infect smart devices with ransomware seems like a natural evolution of criminal activity.
We've already seen some examples in the wild of smart TVs being infected, as well as proofs of concept that show how internet-connected thermostats could be attacked.
However, the impact of ransomware on smart devices extends well beyond a criminal simply denying access to files - it can have some real-world physical implications, too.
For example, ransomware that infects a smart thermostat could potentially turn the heating up to full in the middle of summer, or turn it off completely in the winter, unless a ransom is paid. While this might be an annoyance for most, it could prove harmful to some vulnerable victims.
An infected smart lock could lock people in or out, or remain permanently open, allowing full access to a victim's home. Smart fridges or smart bulbs, or any number of smart devices in a home, could also be impacted.
Progressing to even more dangerous scenarios, smart cars, or cars with ever-increasing connected features, could be targeted so that they refuse to start, or worse still, shut down in the middle of the motorway unless a ransom is paid. Also, as more medical devices such as pacemakers or insulin pumps are connected online, they could be hijacked and switched off if a ransom is not paid, with potentially lethal consequences.
Opting Out is Not an Option
In spite of all these flaws, smart capabilities are making their way onto a huge number of devices. One can hold out for as long as possible, but given the direction the market is heading, it looks like it might soon be impossible to buy non-internet-connected devices, regardless of whether one wants that functionality or not.
Terms & Conditions of usage will also apply in very different ways to devices that collect personal information. T&Cs generally need to be accepted before a consumer can utilise a device, but they could also be used to authorise the sharing of data about personal habits, as well as its use in targeted advertising.
Steps to Protect Yourself
Before purchasing a smart device, there are a few things that you should take into consideration in order to help minimise the impact of any attack.
It's important to assess the potential risks if a smart device is compromised. For example, a device such as a hairbrush may work perfectly fine even if the 'smart' features are unavailable, but other devices may not work at all if they become infected or their Internet connection is lost.
Another thing to bear in mind is whether the device will allow you to change default passwords or disable unwanted functionality. If you are unable to change the default settings to make the device more secure, then it is unlikely that you'll be able to protect it from an attacker.
You also need to consider how easy it would be to recover a device if it was infected with ransomware. Recovery could be trivial, such as simply resetting the device to factory settings with the press of a button. Or it could be very involved, needing manufacturer codes. In the worst case, there could be no option for victims but to pay the ransom, especially if the device contains sensitive data.
More than anything else, you need to understand what factors affect your ability to control your smart devices. After all, we can all envision what happens when devices refuse to accept their intended commands.