Since the beginning of the year, several distributed denial-of-service (DDoS) attacks warned of the mounting threat of Internet of Things botnets. But absent a firm response from the tech industry and governments, the attacks grew in size and frequency, culminating in the late October DDoS attack against Dyn, which resulted in millions of people in the U.S. and across the world losing access to major websites.
The recent attack against the San Francisco Municipal Transportation Authority (SFMTA) might be the precursor to the next wave of ransomware attacks that will target the Internet of Things and Industrial Control Systems (ICS). Are we ready to face it?
What was significant about the SFMTA attack?
Ransomware is a kind of malware that locks vital digital resources and forces the owner to pay a ransom to the attackers in order to regain access to them. The most prevalent form of the malware is cryptoransomware, a virus that encrypts your files and sells you the decryption key, with payment usually demanded in bitcoins.
The SFMTA attack was a shift from the traditional ransomware attack in that it targeted functionality: The system wouldn’t take passengers’ money. SFMTA was forced to turn off its payment machines and give free rides to passengers until the system was restored to normal.
With the fast growth of the Internet of Things, anything and everything is becoming connected to the internet, which makes all of it a potential target. Many of these systems are aging and weren’t initially designed for the hostile nature of an internet environment. Even new devices being manufactured and shipped to the market are in large part riddled with security holes that are hard—and sometimes impossible—to fix, and connecting them will introduce new attack vectors for hackers to exploit.
What to expect from IoT ransomware attacks?
Even though it’s fair to say that, aside from a few days’ worth of revenue, SF Muni and the city weren’t very badly affected, the attack gives a good portrayal of what IoT-based ransomware attacks will look like.
What’s important is that IoT is effectively expanding the reach of the internet to the physical world, which creates a whole new range of cyberthreats that can be much more critical than some jerk hacking into your email or stealing your private data.
For the most part, expect the attacks to be focused on targets that conduct critical and costly tasks and cannot afford disruption in their ongoing operations, even briefly.
For instance, if a dark actor compromises the IoT systems of a hospital, the health and lives of patients will be at risk, and the target will be more likely to pay out because the ransom will pale in comparison to the life of a surgery patient.
Manufacturing plants where suspension of activity will cause a substantial drop in productivity can become targets of IoT ransomware attacks as well. These types of targets will be more incentivized to fork over the ransom rather than investigate and root out the malware.
After SF Muni, there’s already speculation over what the next transit hack will target and how much damage it will cause, with critical infrastructure among the possibilities.
City power grids, for example, can also become an attractive target. The $6 billion damage that the 2003 Northeast U.S. blackout left in its wake shows how devastating power failure can be. And last year’s hack of Ukraine’s electricity network showed that attacks against power grids are possible. Though that particular attack was politically motivated, there’s no reason why the same scheme can’t be used to extort money from the victims.
You could be a target, too
A proof-of-concept attack against a brand of connected thermostats gave insights into how ransomware attacks against smart homes might take place. In a hypothetical attack, hackers could take control of your thermostat while you’re away on vacation and threaten to lock it at a high temperature unless you pay the requested ransom. Not having direct access to the appliance will leave you with few options.
Intel Security’s senior vice president, Chris Young, shed light on the matter in an interview with Bloomberg, in which he laid out a scenario where hackers take over an internet-connected car and ask the driver to pay a ransom in order to be able to drive to work.
While these scenarios might sound funny at the moment, with connectivity encroaching on homes, offices, vehicles, and everything else, the possibility that consumers will soon become targets of IoT ransomware attacks as well is not far-fetched.
What needs to be done?
The signs are clear that IoT-based attacks will grow worse in the coming months. However, there are ways that the IoT security mess can be fixed. It will require the involvement and contribution of everyone concerned, including manufacturers, service providers, the government, and consumers themselves.
The tech community failed to contain the recent wave of DDoS attacks in time. Will it succeed in preventing the tsunami of IoT ransomware attacks rising up on the horizon?