What if hackers took control of your thermostat in the middle of winter and demanded payment before you could turn the heat on? Or if threat actors held the power grid, industrial facilities, or hospitals hostage for ransom? Or what if hackers demanded payment before you could turn on your car engine or open your front door with a smart lock?
Those are just a few of the possible future targets of IoT ransomware in a world where seemingly everything, from traffic lights to your microwave oven, is becoming a connected computer, as security expert Bruce Schneier writes in The Washington Post.
The fact that the WannaCry ransomware virus has hit more than 200,000 computers in 150 countries should serve as a wake-up call about the looming risk of IoT ransomware. If threat actors could cause so much chaos by primarily targeting personal computers, imagine the chaos they could cause by targeting IoT environments. “Who really cares about the desktop environment anymore?” asks Peter Tran, GM and senior director at RSA Security.
Tran says that it could be misleading to focus solely on the money-generating potential of the WannaCry virus. While it is true that the attackers have, to date, collected some $80,000 from the attack, it is strange that only three virtual wallets were hard-coded into the malware itself. “It doesn’t make sense that an attack of this scale was purely a money-making venture,” Tran says. While it’s not clear what the attackers’ incentives were, it is possible that WannaCry is part of a “massive reconnaissance effort to see what infrastructures globally are up to par,” Tran says.
Last week, President Trump signed a cybersecurity executive order mandating a move to cloud computing to unify the federal government’s infrastructure and its security strategy. “That is exactly the kind of move I would want to see if I were an adversary,” Tran says. “I would say: ‘You just reminded me that you had a massively aging infrastructure—and I know that there are similar problems internationally, so let me just go sweep the environment to see how bad it is.’”
There is a precedent for attacks like WannaCry, on a smaller scale, that were exceptionally good at winning press attention but less efficient at generating money for the hackers and prompting people to patch their computers. “The problem is, historically, when people rush to patch systems, attackers anticipate that,” Tran says. “And they know that not all patches are created equal, and not all of them are 100% effective. Often, the patch is effective against the immediate vulnerability, but it can create another hole just as if you were plugging a leaking dam and you didn’t realize there were other cracks diverted someplace else.”
The real worry with WannaCry is that it potentially gives threat actors the means to build a stronger attack infrastructure. Just as manufacturers have a supply chain infrastructure, hackers have a similar kind of infrastructure, built up from their reconnaissance and from massive repositories of malware that is just sitting and waiting to be weaponized on demand. IoT ransomware, thanks to the vast and growing attack surface of the Internet of Things, is leading to an uptick in cyber intelligence from threat actors preparing for the next generation of attacks. Tran surmises: “This could be the Wild West for hacking. The big question is: Can security scale to it?”