Ransomware is a familiar plague in the online world – it has existed for more than 25 years and become increasingly common during the past decade.
But, until recently, it has been aimed more at organizations or individual computers than devices. And that is changing. With the explosive growth of the Internet of Things (IoT) – estimates of how many connected devices will be in use by 2020 range all the way up to 200 billion – experts say it is about to get much more common at the consumer level. An attack surface that broad and that vulnerable is irresistible to cybercriminals.
Most of the headlines so far are still about organizational breaches – one of the most recent was at the Hollywood Presbyterian Medical Center in Los Angeles, which paid a $17,000 ransom demanded by hackers who had installed malware that encrypted files on some of its devices.
Even police departments have been among the victims, which usually end up paying a ransom that is not crippling but an ominous reminder that the encryption in such attacks is generally so robust that even experts cannot defeat it.
At the consumer level, the individual ransom demands are not expected to be huge either, since the number of potential victims offers the promise of enormous wealth to savvy criminals.
Some experts have been predicting for more than a year that consumer ransomware will become so common that it could become an annoying but routine part of the cost of living.
They say people could end up paying $20 to $100 or more a month in “rent” to digital mobsters just to make sure their car will start in the morning, their doors and windows won’t get unlocked remotely, their electric bill won’t show twice the actual energy use, their appliances won’t go haywire and their TV won’t turn into a spy camera. There is the realistic possibility that a ransom could be demanded to keep an embedded medical device from turning lethal.
Indeed, connected consumer devices range from TVs to cars, online gaming, toys, guns, wearable fitness trackers, smart appliances, thermostats, lights, wall switches, couches, toothbrushes, motion sensors, garage doors, baby cams, home security systems, utility monitoring, smoke alarms, embedded medical devices – just about anything that could be connected.
As Chris Hadnagy, founder, CEO and chief human hacker at Social-Engineer, put it at the time, “Imagine a world where a whole network can be compromised from a coffee machine – you don't have to imagine it – I have seen it first hand. Network-enabled devices means that someone can alter, adjust, spy, listen and use that device in any way they want if they compromise it.”
Even with all those warnings, compromising them remains alarmingly easy. Most do not have even basic security built in. And when vulnerabilities are discovered, it is not always easy or even possible to update or patch them.
So, not surprisingly, while it has not made major headlines, the growth of consumer-level breaches and ransomware is showing up in statistics. The FBI issued a statement last June that it had logged 992 complaints related to just one variant of ransomware, CryptoWall, between April 2014 and June 2015, with combined losses of $18 million.
That is expected to get worse. “We will see increase in IoT-based breaches,” said Sundaram Lanskmanan, vice president of technology at CipherCloud. “Every device that’s getting rolled out these days seems to have Internet connectivity. The hack can happen at any time from manufacturing to firmware updates past the production phase.”
More than just the loss of money or data is at stake as well. “There is a big difference between losing computer data and the safety risks involving a house or car,” said Will Dormann, senior vulnerability analyst in the CERT division of the Carnegie Mellon Software Engineering Institute.
“When you have more real-world devices connected, there can be risks involving human life, which are obviously much more serious," he said.
Dan Geer, CISO at In-Q-Tel and an adviser to U.S. intelligence agencies, raised another ominous possibility. He said money is likely to be the prime incentive in the early stages of IoT attacks, “but for the long haul, disinformation in sensor nets may well be of interest, as will the marshaling of things into, shall we say, zombie armies.
“As M. Hathaway said in the 60-day 'Cyberspace Policy Review' at the outset of Obama's first term, the primary targets at the national level are the defense industrial base and the tech firms with global dominance; the secondary targets are the counterparties of the above; and the tertiary are any devices that can be a platform for attacks on the secondary,” he said.
It also creates potential legal nightmares. Lanskmanan noted that while cars are required by federal regulation to have things like operating taillights, “if an IoT hacker disabled that taillight on a freeway, who will be held responsible?”
Of course it is possible for the market to punish vendors for security failures by refusing to buy products that become known for being easily hackable.
But Dormann said the practical reality is that most consumers don’t think much about security when they buy “smart” devices – they focus on features and price. “Security is usually not part of the purchasing decision,” he said.
Or, as encryption guru, author and CTO of Resilient Systems, Bruce Schneier, has put it more than once, “People don’t care because they don’t know enough to care.”
The reality is not all bleak, however, say experts like Zach Lanier, director of research at Cylance. He noted that many consumer devices, “may not store enough data locally to make it worth locking out the user, not to mention that a factory reset may clear up the issue – assuming the attacker hasn't tampered with or otherwise flashed malicious, backdoored firmware.”
Also, given the awareness of the growing threat, there are growing efforts to address its security risks. Those initiatives include BuildItSecure.ly, the Cloud Security Alliance IoT working group, the BSIMM and the Open Web Application Security Project (OWASP).
Lanier, who is involved with BuildItSecure.ly, said the goal is to, “identify the various components that make up an IoT device, as well as the supporting services, and their respective vulnerabilities and threats; and help educate vendors and customers on the necessary steps to ensure the security of these products and platforms.”
Another example is a report released earlier this month by the IEEE Center for Secure Design titled “WearFit: Security Design Analysis of a Wearable Fitness Tracker,” which pointed to security flaws the wearable industry should address and proposed security guidelines for those devices.
And Brian Witten, senior director, IoT, at Symantec, said his firm is pushing what it calls “four cornerstones of security” for IoT devices, which include having the capability for field updates.
“Without the ability to update your devices, you have no way to predict how they'll be attacked in the years to come, and attackers are quite nimble,” he said.
Field updates carry their own risks, however. Geer, in a BlackHat keynote address, noted that if devices have remote management interfaces, “the opponent of skill will focus on that and, once a break is achieved, will use those self-same management functions to ensure that not only does he retain control over the long interval but, as well, you will be unlikely to know that he is there.”
Geer recommended that embedded systems become more like humans – in that they would, “be certain to die no later than some fixed time,” and therefore be replaced.
All of those, however, could be described as “carrot” incentives for better IoT consumer security – they offer assistance and encouragement, but no sanctions for lax security.
And there are currently no laws that mandate specific security requirements for IoT consumer devices. There is not even an established seal of approval from an Internet organization comparable to Underwriters Laboratories (UL) which, as Dormann put it, tests and certifies products so, “a consumer has some amount of certainty that it won’t burn your house down.”
But the “stick” incentive is developing, if gradually. The Federal Trade Commission (FTC), in a report issued more than a year ago, recommended that Congress pass, “strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach.”
Beyond that, the agency said that IoT device developers, “should build security into their devices at the outset, rather than as an afterthought,” and that the process should include, “testing their security measures before launching their products.”
Vendors who fail to do that could be targeted by the FTC. Just this week, the Taiwan-based computer hardware maker ASUSTeK Computer agreed to a settlement with the agency over charges that security flaws in its home routers, “put the home networks of hundreds of thousands of consumers at risk.”
Most home routers are notoriously insecure, but the FTC’s action in this case could be the first signal that there could be government consequences for it.
Jarad Brown, an attorney with the FTC’s Bureau of Consumer Protection, noted that even without specific legislation, the failure to provide security to devices could amount to “unfairness or deception” – practices that can result in FTC sanctions.
Geer recommended several changes that would promote better security, including strict liability for developers to replace “100-page EULAs (End User License Agreements),” in which the consumer has to agree that just about any problem is not the fault of the developer or manufacturer.
He also said “independent, destructive testing” would help, and added that this may actually be in the works since UL, and major reinsurers like Zurich and GenRe, “are making some useful noises.”
Lanier is optimistic that things will improve. He noted that part of the challenge is just keeping up with the pace of technology – numerous companies have produced products like smoke alarms, thermostats and even toys for decades that never had Internet connectivity, and now they do.
“However, slowly but surely, this is changing overall,” he said. “Vendors are generally becoming more acquainted with secure development practices, vulnerability handling, and the like.”
Witten agreed. “We're working with a number of organizations to make it easier for customers to know how much security has been built into the devices and systems that they are considering purchasing,” he said.