Do you remember a time before the Internet of Things (IoT) became mainstream? When ‘smart devices’ were costly and bulky. Those days are now a distant memory, such as the shrilling sounds of a dial-up modem connecting online.
Nowadays it appears as if any item, no matter how common or standard, will be not only internet-connected, but packaged with a whole suite of features and API’s to allow it to connect with other apps.
This has given birth to items such as toothbrushes that can connect to twitter, smart pillows for that enhanced sleeping experience, and smart hairbrushes that collect data on… well, I’m not sure exactly what.
Whenever a new technology is adopted, there tends to be “teething pain”. The user interface for smart devices is often a mobile app which often needs a painstaking process of installation, account creation, pairing and configuration. Or worse, the device communicates its status through a series of LED’s that makes cracking the enigma code seem trivial by comparison.
Some devices are also designed to only work when online, and not have any redundancy to operate when offline. This can make them susceptible to intentional, as well as unintentional denial of service attacks.
There is also the issue of updates. To fix flaws, or introduce new functionality, companies have to push out updates to devices. Unfortunately, many times these occur at inopportune moments, rendering a device unusable for the duration.
And all of that is not withstanding the bandwidth and load of having a dozen extra devices placed on networks.
Opting-out is not an option
Even with all these flaws, “smart”capabilities are making their way onto nearly all devices. One can hold out for as long as possible, but with the direction the market is heading towards, it looks like it will soon be impossible to buy a non-internet connected device; regardless of whether one wants the functionality or not.
Terms & Conditions of usage will also apply in very different ways to such devices. These T’s&C’s will need to be accepted in order to utilise the functionality, which could lead to data about personal habits being shared widely, as well as targeted advertising.
A target-rich environment
However, putting aside the ridiculousness of some smart devices, and some of the challenges with others there’s more to the story. As smart-devices increase in popularity, they become a more attractive target to hackers and cyber-criminals.
One of the most rapidly growing areas of cyber-crime in recent months has been ransomware.
Cyber-criminals operate much like any other business, looking for low costs and high returns with minimal risks.
Ransomware ticks the traditional business boxes of having a low customer acquisition cost, has good pricing potential, and it instils a sense of buying urgency.
With IoT, the addressable market size has grown significantly, and shows no sign of slowing down. So, infecting smart-devices with ransomware seems like the natural evolution. We’ve already seen some examples in the wild of smart TV’s being infected, as well as proof of concepts showing how internet-connected thermostats could be attacked.
Measuring the Risk of IoT-Ransomware
The risk of ransomware on smart-devices will vary. The likelihood and ease of exploitation will depend on several factors such as how prevalent the devices are, and whether they use default credentials or weak protocols.
The other consideration is how easily a compromised smart-device can be recovered if infected with ransomware. The recoverability could be trivial, requiring the device to be simply reset to factory settings with the press of a button. Or it could be very involved, needing manufacturer codes, or leaving no option but to pay the ransom if it contains sensitive data.
To help illustrate, one could adapt the Langford/Malik risk model for IoT ransomware risk.
For smart device ransomware, the asset value determination has an added factor on top of ransomware which targets traditional technologies such as laptops and desktops. On a PC, ransomware will only affect the data that is stored in them. However, with IoT, in addition to the data in the devices, it can render physical functions inaccessible.
For example, ransomware that infects a smart-thermostat can turn up the heating to full unless a ransom is paid. A smart lock may lock people in or out, or remain permanently open. Similarly, a smart fridge or smart lighting can also be impacted.
Looking forward, Smart Cars and even Smart Cities can be targeted - while real-life attacks have not been seen, the impact of ransomware on such utilities can truly be life-threatening.
Hardening the Things
There’s no escaping the IoT invasion. In the future, many ‘dumb devices’ will be near-impossible to procure.
The risks from ransomware or other similar techniques to hold smart devices ‘hostage’ will continue to rise. As such, it is important for buyers to be more astute in their buying choices. Before buying and using a smart device, one should assess the risk if it is compromised. One should also assess how easy it is to harden devices by changing default credentials and disabling any insecure protocols. Finally, one should prepare for the worst and have recovery plans in place, in the event that a device does become infected. After all, we can all envision what happens when a device refuses to accept intended commands.