Ransomware and the Internet of Things: A Growing Threat
IoT's integration into the world of business, along with the evolution of ransomware, creates the perfect storm for a cybersecurity arms race.
Sekhar Sarukkai, Skyhigh Networks
"If we had computers that knew everything there was to know about things -- using data they gathered without any help from us -- we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best."
When technology pioneer Kevin Ashton first explained this idea in 1999, a concept he termed the Internet of Things, a scenario like your fridge anticipating your grocery needs and even ordering for you would have seemed preposterous. After all, the full capabilities of the internet hadn't been unlocked yet, the cloud as we know it hadn't been born and unrelated devices had little or no ability to communicate wirelessly.
Today, of course, nobody would dispute the statement that Ashton made in 1999 in the RFID Journal: "The Internet of Things has the potential to change the world, just as the Internet did. Maybe even more so."
But just as IoT promises to transform our world, the future doesn't bode well for IoT security.
The recent rash of ransomware attacks is just one example of how bad actors are taking advantage of security vulnerabilities to compromise both individuals and organizations. The emerging integration of IoT into the world of business, along with the evolution of ransomware, creates the perfect storm for a cybersecurity arms race.
The State of IoT
There may be some time before Ashton's belief -- that the Internet of Things may change the world more than the internet -- is fully realized. But we are starting to see the beginning of a revolution.
At its core, IoT refers to a growing network of devices and other objects ("things") to communicate with each other and with the internet. The devices, which have IP addresses, are typically embedded with sensors that can identify parameters like location and temperature and transmit data to a server or another device.
In the business world, IoT could mean anything from improving transportation logistics and supply chain effectiveness, to automating inventory management and maximizing resource management.
Airbus, for example, equips its technicians on aircraft assembly lines with smart tools and wearable technology to help improve quality and productivity. UPS analyzes data captured by sensors in its 80,000-vehicle fleet to reduce fuel consumption and idling time and to improve route efficiency.
We are seeing only the beginning of how companies are capitalizing on IoT's ability to coordinate machine-to-machine, people-to-people and people-to-machine communication in order to innovate how they do business.
Gartner estimates that the number of connected "things" will reach 6.4 billion in 2016, with an astounding 5.5 million new things becoming connected every day. By 2020, Gartner's prediction puts IoT at 20.8 billion in the consumer and business sectors, while Cisco estimates an even more robust 50 billion.
Ransomware a Growing Threat
The Institute of Critical Infrastructure Technology (ICIT) expects 2016 to be "the year ransomware will wreak havoc on America's critical infrastructure community," with new attacks becoming common "while unattended vulnerabilities that were silently exploited in 2015 will enable invisible adversaries to capitalize upon positions that they have previously laid claim."
As the ICIT explains it, ransomware's effectiveness is due to the fact that the cybersecurity field is not well prepared for it. Ransomware can often bypass controls in place, and response by law enforcement is minimal. For organizations that are under attack, it's a crippling experience, as we saw in the case of Hollywood Presbyterian Center, which had to redirect its patients to other providers.
Although some debate the ethical question of whether ransomware victims should pay or not, many of those under attack simply have no choice. FBI estimates that the losses from CryptoWall-related incidents alone cost victims more than $18 million between April 2014 and June 2015, and that's just based on known cases. The Cyber Threat Alliance estimates the global losses from Cryptowall to be around $325 million since CryptoWall was first deployed in January 2015, with more than 400,000 attempted infections identified.
Evidence of the growing sophistication of the hackers has been mounting. McAfee Labs, for example, saw a rise in ransomware samples in the second quarter of 2015 — to more than 4 million, compared to 1.5 million just the previous quarter.
Ransomware Meets IoT
HP estimated in 2014 that 70 percent of most commonly used IoT devices were vulnerable to attacks, while International Data Corporation says that by 2017, 90 percent of organizations will have a breach related to IoT.
Since anything that has an IP address and is connected to the internet can be hacked, HP's estimate is especially troubling -- but not surprising. Barbie dolls that can be used to steal user credentials. Security cameras sending unencrypted video that can be intercepted. HVAC systems that can be used remotely to gain access inside a network. Reports abound of vulnerabilities being discovered in one smart device or another.
We've already seen examples where these threats are not simply vulnerabilities that "could be" exploited. Last year, an attack on Virginia State Police’s fleet rendered state troopers powerless as they lost control of their cars. Also last year, hackers took control of a Jeep that was driving on a highway at 70 mph. Luckily, white hats were the "culprits" in both those scenarios as they were controlled demonstrations.
While it's true that these kinds of attacks would require elaborate and lengthy planning, it’s only a matter of time before these kinds of headlines are made by black hats instead.
Let's throw ransomware into this scenario. Imagine coming home to a message on your fridge that says you must pay a quarter of a bitcoin to remove the malware that has shut if off. Or imagine the app that controls your smart thermostat demanding payment if you want your temperature to drop below 120 degrees. Sure, these are benign examples -- but what if this could happen to every single internet-connected object in your house?
And what if it weren't just basic electronics or appliances being "hijacked?" Let's say a hacker remotely takes control over your WiFi-enabled rifle or disables your child’s insulin pump unless you pay up.
Are those scenarios scary? Of course. Far-fetched? Not really, considering that those vulnerabilities actually do exist and that ransomware is rapidly evolving and becoming more sophisticated, including the emergence of new trends such as ransomware-as-a-service.
'IoT Only as Secure as Its Network'
As EY pointed out in its "Cybersecurity and the Internet of Things" white paper: "The security of the 'thing' is only as secure as the network in which it resides: this includes the people, processes and technologies involved in its development and delivery."
What complicates this -- in addition to the huge number of endpoints and their lack of security -- is the fact that IoT integrates not only disparate devices but also communication protocols, carrier networks and apps. Then, add to that another layer -- the cloud, which has its own security challenges.
Unfortunately, many security professionals still focus largely on defending only the network and the data. As the Internet of Things becomes more embedded into business functions, that approach is no longer enough. IoT is not only a disruptive force in how organizations do business; it's also a paradigm shift for cybersecurity. This is especially true as the IoT industy grows exponentially, attracting more and more attention from bad actors — just as networks, the cloud and endpoints have done.
A good first step: Examine IoT devices for security vulnerabilities and take steps to address them before the devices are installed.
As the march toward the Internet of Things continues, fueling a new type of economy, every sector will have to confront these new security challenges. It's only a matter of time before security vendors and hackers are engaged in a full-blown arms race.
Sekhar Sarukkai is a co-founder and the chief scientist at Skyhigh Networks, driving the future of innovation and technology. He brings more than 20 years of experience in enterprise networking, security and cloud services development to the company.