Ransomware and IoT — threats come together at RSA

candid wueest
Published in Threat Intel
6 min read · Feb 23, 2017

Symantec Security Response researcher Candid attended RSA, the cybersecurity community’s big annual conference, last week. He shares some insights.

Some of the main talking points at this year’s RSA conference in San Francisco were ransomware, the Internet of Things (IoT), and ransomware on IoT devices.

Since we live in a cloud generation world, discussions of these areas were often paired with discussions on aspects of the cloud and machine learning, or more specifically AI, which is needed to work through all the data generated by such devices.

With tens of thousands of attendees at the conference, I sometimes felt a bit like one of those many connected IoT devices myself. I don’t mean the crowd knowledge aspect, but rather that trying to get through the entry doors often felt like being part of a human DDoS attack.

A bird’s eye view of some of the crowd at RSA

Ransomware

But all jokes aside, the conference reinforced that ransomware is still one of the biggest threats to consumers, especially as we have seen an increasing number of ransomware attacks against corporations in recent times.

In 2016, 31 percent of all ransomware detections blocked by Symantec were in enterprise environments. Of course, many of these infection attempts are collateral damage of large campaigns, and aren’t specifically targeted at enterprise customers. But the result is similar, with the difference being that targeted ransomware attacks do tend to infect more computers and ask for more money. We have seen plenty of examples of hospitals and public transportation systems being hit by ransomware in the past.

A recent ransomware infection case at a hotel in Austria was brought up frequently at the conference. Many journalists who reported on the incident, and even some of those who referenced it at the conference, did not realize that the attack did not specifically focus on the keycard system for the doors and that no customers got locked into their rooms. Rather, it was a collateral side effect of a common ransomware infection. Similar consequences have been seen in other sectors.

However, targeted ransomware attacks do exist. Symantec has monitored a few groups actively going after valuable targets in order to extort money through crypto ransomware. Such targets often rely heavily on their IT infrastructure. Even if the victims do have a working backup, if it takes too long for them to restore it, they may lose a substantial amount of money, meaning they may choose to pay the ransom in order to regain access to their data.

Furthermore, not every attack that asks for a ransom involves malware. In January, we saw various attacks against cloud databases, such as MongoDB, where it was more a classical extortion scam than ransomware. Of course, for the victim, the technical details make little difference; it is devastating nonetheless.

The Symantec exhibit at RSA

Internet of Things (IoT)

When talking about IoT devices, the Mirai botnet is a good current example to illustrate the extent of the problem. This botnet of tens of thousands of connected home devices took down parts of the internet last year with the largest distributed denial of service (DDoS) attack ever witnessed, the attack on DNS provider Dyn.

Unfortunately, many IoT devices still come with default passwords and little security, which makes it easy for attackers to compromise them and recruit them for their botnet.

The RSA conference also raised a few interesting questions around IoT devices in the areas of ethics and liability. One grim example mentioned during a keynote queried what would happen if the artificial intelligence of a house-cleaning robot realized that the dog is the source of most dirt. Would it decide to kill the dog in an attempt to solve the problem? How can developers ensure that this will not happen? Who would be liable if it does happen, and do we need global regulations to cover these types of issues?

Difficult questions to answer, but definitely an interesting space to watch for the future.

Could your dog be in danger from house-cleaning robots?

Consumers have started to become more aware of security issues with IoT devices. A recent survey conducted by Symantec, the Norton Cyber Security Insights Report, showed the following:

  • Almost two-thirds (62 percent) of respondents believe that as connected home devices become more popular, hackers will start targeting them more often.
  • More than half (52 percent) believe it’s more likely someone could gain unauthorized access to their connected home device than to their physical home.
  • A whopping 72 percent believe connected home devices provide hackers with new ways to steal their personal information.

Unfortunately, despite being aware of the risks, many users still fail to actually secure their devices.

  • One in six admit their Wi-Fi network is not password protected.
  • One-third do not change the default password when setting up their Wi-Fi network.
  • More than half (51 percent) admit they don’t know how to set up a secure home Wi-Fi network or router, or keep its software up to date (73 percent).
  • Nearly half (44 percent) of consumers surveyed don’t believe there are enough connected device users for them to be a worthwhile target for hackers.

Ransomware on IoT

Ransomware on IoT devices is actually a topic I presented on back in 2015 at the VB conference, after I infected my smart watch and my smart TV with ransomware as a proof of concept. Luckily, so far we have only seen proofs of concept and a few collateral ransomware infections on such smart devices.

A smart TV infected with ransomware

Attackers are still making a lot of money through end users’ computers and corporate extortion, hence there is no need for them to go after the IoT devices — yet.

Once attackers do decide to target IoT devices with ransomware, they will follow a few principles. Assuming that the primary goal of the attacker is to generate profit, a few threat types would apply to IoT:

  • Ad fraud and clickjacking
  • Locker ransomware, making the device unusable
  • Pivoting, using the device to attack the home network
  • DoS attacks

As IoT devices often don’t contain much data, it is rarely interesting to steal information and often there would be only a very limited set of people interested in buying such data. It might also be simpler for the attacker to attack the backend systems if they wanted access to all the gathered data.

Using the infected devices to mine cryptocurrencies or place premium phone calls would fail due to the limited resources. Of course, there are special cases, depending on each device, like the CCTV camera that could be used to blackmail you with the threat of revealing private recordings to the whole world.

One of the important prerequisites is that any ransomware threat needs a way to communicate its demands to the user. Otherwise, how would you know that your smart toaster is being held to ransom and hasn’t just stopped working? So, either a display like the smart TV or an app on your smartphone that controls the devices is needed for the attack to succeed.

In the second case, the attackers would more likely attack the smartphone app directly, instead of going for your light bulb, and work backwards. In addition, the ransom amount would depend on the cost of the device itself. If the smart lightbulb costs $30, most people would probably not pay a ransom of $1,000.

Would anyone pay a ransom for a smart light bulb?

IoT devices will evolve in the near future, and we can be sure that we will see threats evolve as well. Of course, those of us working in cybersecurity are closely monitoring the space to be ready once the threat level increases.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.
