Ransomware and Internet of Things: Partners in Crime

If you’ve been reading cybersecurity publications lately, you’re probably aware that ransomware  and Internet of Things (IoT) are now some of the biggest concerns within the cybersecurity community. Besides all of the relevant scenarios and security products that are presented to prepare for or attempt to prevent ransomware attacks or an IoT breach, there is one scenario that isn’t being talked about – ransomware attacks on IoT devices. This blog will attempt to shed some light on how these factors can work together to put your organization, and even human lives, at risk, as well as suggest ways that such an event can be prevented.

At the recent Black Hat conference in Las Vegas, two cybersecurity researchers, Billy Rios and Jonathan Butts demonstrated how the mechanical arm of an automated car washing machine could be hacked to cause damage to a vehicle, and potentially threaten human life. This is not the first time that Rios and Butts have put a connected device to the test; the team has successfully hacked a pacemaker and a smart car to highlight life-threatening vulnerabilities. They are probably not the only team that has made a point of demonstrating the dangers of IoT malware and ransomware, yet still, manufacturers, organizations and consumers continue to produce, purchase and deploy these inherently vulnerable devices. What makes IoT ransomware a grave security flaw?

Let’s start by stating that all connected devices (not just IoT devices) are potential victims of ransomware attacks because they are connected to the Internet. Ransomware attempts to gain access to mission-critical data on the network, then encrypting that data until the organization or individual pays the ransom (usually in a cryptocurrency), at which point they are provided the encryption key to recover the data. While ransomware is well understood when it comes to more “traditional” devices such as computers, phones, and servers, IoT devices are rarely considered as a point-of-entry, and if they are, there’s no way to patch, protect or install anti-virus software. Really, your best hope with an IoT device is that the manufacturer installed firmware and that there are available upgrades that somehow address ransomware risks. In the majority of cases, these firmware updates simply do not exist.

Then there’s the issue of visibility. When organizations and individuals connect IoT devices to their network, the excitement of deploying a new technology resulting in greater efficiency tends to overshadow precautionary measures to ensure the device is secure. There are a number cases in which organizations were attacked via IoT devices that they didn’t have knowledge of. In addition, many of these devices have default passwords that can be easily discovered through the Shodan search engine, Hydra or other IoT search tools and password generators. In most cases, the username is ‘admin’ and well, the password is the same. Oversight of IoT devices on the network greats a gaping hole for hackers to plant ransomware that, while not directly targeting the IoT device, can reach the mission-critical data they are after by gaining access to the network.

Finally, there is the physical aspect of IoT devices. Usually, these devices are deployed to control temperatures in the HVAC room, or as a smart coffee machine, smart TVs and in industry as part of the movement to connect machinery to the Internet (Industry 4.0). That means that unlike most computers and other “traditional” devices, IoT devices are tied to a physical function that could have real, and potentially dangerous consequences. The demonstration of the car wash hack is a good example, but what about IoT door locks that could trap people in a building or prevent entry, or a smart TV that allows for espionage. At the moment, the majority of these are hypothetical scenarios, but as the Mirai botnet incident demonstrated (what’s known as a pivoting attack), the hacking of IoT devices presents a real threat that should be addressed now, rather than later.

At the moment, IoT manufacturers aren’t doing much to make sure these devices are secure, so what should organizations eager to implement IoT devices do to make sure that they aren’t putting their network at risk?

The first thing that should be done is to find out if the IoT devices you’ve deployed have firmware, and if they do, if that firmware can be upgraded. But, as mentioned, not all IoT devices have firmware, which is why the next step should be to secure the IoT network with firewalls or create a network perimeter. With the devices quarantined in a “safe” part of the network, pivot attacks and access to mission-critical data on other devices are (largely) out of the question. Visibility is key for knowing where hidden threats lie on the network, which is why a solution that discovers IoT devices, their location and characteristics should be an essential part of any security stack. If possible, deploy a network access control solution that will allow for authentication of IoT devices to ensure that vulnerable devices can’t enter the network and gain access. Finally, and as previously mentioned, consistently update the default passwords and manage the security certificate lifecycle (if any).

While we haven’t heard of too many IoT ransomware attacks yet, you can bet that they will be in the news soon enough. Beat the black hats to the chase and shore up your network with IoT visibility, discovery and control tools that will protect against malicious exploits, including malware and ransomware.

Find out more about Portnox’s Rapid Ransomware Control & Response Solutions.