
Industry executives and experts share their predictions for 2018. Read them in this 10th annual VMblog.com series exclusive.
Contributed by Thomas Fischer, Global Security Advocate, Digital Guardian
IoT Ransomware Will Reach Mass Proportions
The Internet of Things (IoT) - consumer,
medical or manufacturing - is a Pandora's box, resisting containment or
conservatism. As with any innovation, convenience often trumps security -
a truth borne out by researchers compromising everything from cars to
pacemakers. While these compromises are interesting academic experiments, there
is a confluence of conditions that could portend a more concerning potential in
2018.
In 2017, the security community saw the first significant exploitation of IoT devices by malicious parties through the Mirai malware. These exploits in turn recruited devices into a botnet that went on to be used to create large-scale, disruptive denial-of-service attacks.
At the same time, researchers from Pen Test Partners (https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/) demonstrated during Def Con 24 that it was possible to lock a thermostat with ransomware.
Unlike traditional ransomware that takes information hostage on computers and servers, the goal of IoT ransomware is to lock the victim out of controlling a device's functions. And while it is rare to have critical data stored on IoT devices, the lack of timely data is a primary reason why locking the user out will have an impact.
Imagine that you're locked out of your home thermostat and you're in the middle of winter with a temperature of 10 to 15 degrees Fahrenheit outside. Your instinct will be to figure out how to pay the ransom and get control back before you freeze. We can apply this same principle to a larger-scale IoT infrastructure, like the HVAC system of your data center. What damage could a shutdown of the air-conditioning do to the servers in the data center? Could it ultimately affect the ability to do business?
In the same way, we can see similar types of attacks on medical IoT devices: locking out the user of a pacemaker or drug infusion pump could have life-threatening results.
Interestingly, these IoT devices are based on an embedded system with a data gathering application that communicates with a cloud application and its storage capabilities. It's feasible that the same method a malicious party could use to corrupt or encrypt data being sent to the cloud application could also be used to subvert the system and lock the device. This will be a target as it has a greater long-term impact. One example is encrypting the videos being captured and stored centrally on an IoT camera, rendering them useless.
Now that we've outlined the concept of malicious third parties controlling IoT devices, we can assume we will see more IoT ransomware activity in 2018. The factors that make this interesting and viable include the lack of, or reduced, security in IoT devices. It's no secret that these devices have default credentials, use insecure configurations and protocols, and are notoriously difficult to upgrade.
Even if IoT credentials are modified from their factory settings, chances are they're in the hands of hackers already. Case in point, a cache of 1.4 billion clear text credentials was found on the Dark Web in the beginning of December 2017.
Additionally, the appearance of very low-level
protocol hacks like KRACK are going to give attackers new ways to bypass and
compromise the IoT infrastructure. This will have an impact when it comes to
targeting large-scale IoT devices like a building's HVAC system. Accessing and
controlling the low-level protocol could provide the ability to inject or
manipulate data. This could have serious implications if the IoT devices need
to synchronize or receive control messages from a cloud application. Manipulation
of the data could potentially send the wrong action or setting back to the IoT
device.
IoT device security must be evaluated from many
different angles, including software, hardware and the network, if it is to be
effective.
- Software Security: Ensure that the device manufacturer is building new devices on a robust and secure software foundation.
- Hardware Security: Physical security goes hand-in-hand with software security. Integrate tamper-proofing measures into device components so they can't be accessed and decoded without permission. Also, consider adding physical switches or breakers that will allow the user to physically turn off certain features; for example, a physical mute button for devices with microphones, or hard upper and lower limit settings for temperature control.
- Network Security: Use secure protocols like HTTPS for data exchange between the IoT device and any backend management or storage solutions. Ensure that strong authentication methods are in place and that any default passwords or keys that can be changed are changed.
Using and implementing
basic security principles will help defend against IoT ransomware attacks. It's
important to treat IoT devices like any other IT system that is being deployed
and to secure these devices as you would any other device.
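
One way a thermostat-class device could combine the authentication and hard-limit advice above, as an added example that is not from the original article: every control message is authenticated, checked for replay, and clamped before use. The HMAC-SHA256 scheme, the `counter` and `setpoint_f` fields, the key and the limit values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import math

HARD_MIN_F, HARD_MAX_F = 50.0, 85.0  # hard limits fixed on the device (constructed values)


def sign(key: bytes, message: dict):
    """Backend side (assumed): serialize a command and compute its HMAC-SHA256 tag."""
    payload = json.dumps(message, sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).digest()


class SetpointGuard:
    """Device side: vet every control message before acting on it."""
    def __init__(self, device_key: bytes):
        self.device_key = device_key  # per-device secret, not a factory default
        self.last_counter = 0         # highest command counter accepted so far

    def apply(self, payload: bytes, tag: bytes):
        """Return the setpoint to use, or None if the message must be ignored."""
        expected = hmac.new(self.device_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None               # forged, or modified in transit
        try:
            msg = json.loads(payload)
            counter = int(msg["counter"])
            setpoint = float(msg["setpoint_f"])
        except (ValueError, KeyError, TypeError, OverflowError):
            return None               # authentic but malformed
        if counter <= self.last_counter or not math.isfinite(setpoint):
            return None               # replayed command or non-finite value
        self.last_counter = counter
        return min(max(setpoint, HARD_MIN_F), HARD_MAX_F)  # clamp even authentic commands


def demo():
    key = b"constructed-demo-key-0123456789a"  # constructed sample key
    guard = SetpointGuard(key)
    ok = sign(key, {"counter": 1, "setpoint_f": 70})
    low = sign(key, {"counter": 2, "setpoint_f": -40})
    return [
        guard.apply(*ok),                                 # accepted
        guard.apply(ok[0].replace(b"70", b"20"), ok[1]),  # modified in transit
        guard.apply(*low),                                # authentic but out of range
        guard.apply(*ok),                                 # replay of the first command
    ]
```

The clamp is the software counterpart of the hard upper and lower limits: even a command signed by a compromised backend cannot push the setpoint outside the range fixed on the device.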
## About the Author
Thomas Fischer, Global Security Advocate, Digital Guardian
Thomas Fischer is global security
advocate at Digital Guardian. Based out of the company's EMEA headquarters in
London, Thomas plays a lead role in advising customers while investigating
malicious activity and analyzing threats. He's a strong advocate of knowledge
sharing and mentoring in the InfoSec community and serves as the director of
Security BSides London and as a chapter board member of ISSA UK.