Industry executives and experts share their predictions for 2018.  Read them in this 10th annual VMblog.com series exclusive.

Contributed by Thomas Fischer, Global Security Advocate, Digital Guardian

IoT Ransomware Will Reach Mass Proportions

The Internet of Things (IoT) - consumer, medical or manufacturing - is a Pandora's box, resisting containment or conservatism.  As with any innovation, convenience often trumps security - a truth borne out by researchers compromising everything from cars to pacemakers. While these compromises are interesting academic experiments, there is a confluence of conditions that could portend a more concerning potential in 2018. 

In 2017, the security community saw the first significant exploitation of IoT devices by malicious parties through the Mirai malware. Exploits which in turn recruited devices into a network botnet that went on to be used to create large-scale, disruptive denial-of-service attacks.

At the same time researchers from Pen Test Partners (https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/) demonstrated during Def Con 24 that it was possible to lock a thermometer with ransomware.

Unlike traditional ransomware that takes information hostage on computers and servers, the goal of IoT ransomware is to lock the victim out of controlling a device's functions. And while it can be rare to have critical data stored on IoT devices, the timely lack of data is a primary reason why locking the user out will have an impact.

Imagine that you're locked out of your home thermostat and you're in the middle of winter with a temperature of 10 to 15 degrees Fahrenheit outside. Your instinct will be to figure out how to pay the ransomware and get control back before you freeze. We can apply this same principal to perhaps a larger scale IoT infrastructure, like the HVAC system of your data center. What damage could a shutdown of the air-conditioning do to the servers in the data center? Could it ultimately affect the ability to do business?

In the same way, we can see similar types of attacks on medical IoT devices, the impact of locking out the user of a pacemaker or drug infusion pump could have life-threating results.

Interestingly, these IoT devices are based on an embedded system with a data gathering application that communicates with cloud application and storage capabilities. It's feasible that the same way a malicious party could corrupt or encrypt data being sent to the cloud application is the same way the system can be subverted to lock the device. This will be a target as it has a greater long-term impact. One example is encrypting the videos being captured and stored centrally on an IoT camera, rendering them useless.

Now that we've outlined the concept of malicious third parties controlling IoT devices, we can assume we will see more IoT ransomware activity in 2018. The factors that make this interesting and viable include the lack of reduced security in IoT devices. It's no secret that these devices have default credentials, use insecure configurations and protocols, and are notoriously difficult to upgrade.

Even if IoT credentials are modified from their factory settings, chances are they're in the hands of hackers already. Case in point, a cache of 1.4 billion clear text credentials was found on the Dark Web in the beginning of December 2017.

Additionally, the appearance of very low-level protocol hacks like KRACK are going to give attackers new ways to bypass and compromise the IoT infrastructure. This will have an impact when it comes to targeting large-scale IoT devices like a building's HVAC system. Accessing and controlling the low-level protocol could provide the ability to inject or manipulate data. This could have serious implications if the IoT devices need to synchronize or receive control messages from a cloud application. Manipulation of the data could potentially send the wrong action or setting back to the IoT device.

 IoT device security must be evaluated from many different angles, including software, hardware and the network, if it is to be effective.

• Software Security: Ensure that the device manufacturer is building new devices on a robust and secure software foundation.
• Hardware Security: Physical security goes hand-in-hand with software security. Integrate tamper-proofing measures into device components so they can't be accessed and decoded without permission. Also, consider adding physical switches or breakers that will allow the user to physically turn off certain features; for example, a physical mute button for devices with microphones, hard upper and lower limit settings for temperature control.
• Network Security: Use secure protocols like HTTPS for data exchange between the IoT device and any backend management or storage solutions. Ensure that strong authentication methods are in place and that any default passwords or keys that can be, are changed.

Using and implementing basic security principles will help defend against IoT ransomware attacks. It's important to treat IoT devices like any other IT system that is being deployed and to secure these devices as you would any other device.

##

About the Author

Thomas Fischer, Global Security Advocate, Digital Guardian

Thomas Fischer is global security advocate at Digital Guardian. Based out of the company's EMEA headquarters in London, Thomas plays a lead role in advising customers while investigating malicious activity and analyzing threats. He's a strong advocate of knowledge sharing and mentoring in the InfoSec community and serves as the director of Security BSides London and as a chapter board member of ISSA UK.