Why IoT could be the next big ransomware target

Internet of Things systems are becoming increasingly widespread so the importance of protecting connected devices from ransomware shouldn’t be underestimated

By Jo Best

Thu 29 Mar 2018 @ 15:04

Ransomware has become one of the dominant security threats to both large enterprises and small businesses alike. While some criminal organisations may be increasingly turning their attention to cryptojacking, ransomware could be set for a revival, thanks to the increasingly widespread use of Internet of Things (IoT) technology.

According to analyst estimates, by 2020 there will be more than 20 billion objects connected to the internet. While the largest proportion will be in homes, business use will account for more than eight billion of those objects. From industrial robots to smart printers, each of those 'things' will represent a potential attack vector that cybercriminals can use against organisations with IoT capabilities.

There are a number of factors that could potentially make IoT systems attractive to cybercriminals.

As recent attacks have shown, enterprises are potentially lucrative targets for those who distribute ransomware. While consumers may be willing to lose access to their data rather than pay a fee, some enterprises don't feel they have that option: hospitals, for example, have opted to pay thousands of dollars rather than be locked out of patient information.

The stakes will be higher, however, when it comes to ransomware and IoT. Not only can malware writers encrypt the data that IoT devices generate, store or access, but they can also stop those objects from working altogether, which may be the greater headache for businesses.

Consumers may write off losing access to minor smart objects such as connected toothbrushes, but being locked out of their home because ransomware has hit their smart locks would likely have most individuals reaching for their wallets.

Similarly, manufacturing businesses with industrial robots that are infected by ransomware could see production shut down altogether, causing losses running into hundreds of thousands of dollars.

The consequences of ransomware suddenly switching off connected medical devices or autonomous vehicles don't bear thinking about. With so much at stake, enterprises may decide that paying ransoms is simply a cost of doing business, and criminals may raise them accordingly.

As well as offering a richer payday for ransomware writers, IoT systems also represent a less well-defended target. Connected objects, in both the enterprise and consumer segment, often come with weaker built-in security: they're harder to patch, trickier to secure with third-party security products, and are often still found using the default password they were shipped with. In addition, standards around IoT security are not as yet fully developed.

What's perhaps more worrying is that consumers don't view security as a priority when buying their IoT devices, and a significant proportion would not be willing to spend extra for a better standard of security. While businesses may be happier to pay higher prices for more secure devices that are less at risk from ransomware, consumer devices still pose a threat: they may offer a roundabout route onto corporate networks if employees bring them into the office or inadvertently connect them while working at home.

While IoT ransomware may seem like an open goal for cybercriminals, technical factors may work to limit its spread. One is the relatively simple form factors that IoT devices have: without a screen, it's going to be difficult for ransomware writers to tell victims how to pay a ransom, or even that they're infected in the first place.

There are also many layers of abstraction between an IoT device at the edge of a network and the crown jewels of corporate data at its heart, meaning ransomware writers will have to be both creative and devious to ensure their campaigns have enough impact to get businesses to pay up.

Infecting IoT systems with ransomware may not be as simple as infecting PCs, but that isn't likely to put off malware writers. Researchers have already demonstrated proof of concept attacks using devices such as thermostats and robots. And, while high-profile infections have yet to make headlines, reports suggest the first IoT ransomware attacks have already happened. With the use of IoT set to grow over the coming years, they're unlikely to be the last.