What is the relationship of Ransomware in IoT?

One of the most recent examples (June 25, 2019) of Ransomware in IoT devices is Silex, which is similar to the BrickerBot malware developed in 2017 by a hacker called The Janitor. Bricking is essentially rendering a consumer electronic device damaged beyond repair, hence the name of that malware. Silex was written by a 14-year-old kid who goes by Light Leafon, with big plans to keep developing malware with even more destructive functions. There is no apparent motive beyond his mischief (albeit mischief steeped in talent).

Ransomware is definitely not going away. It’s going to evolve.

Silex works by “trashing an IoT device’s storage, dropping firewall rules, removing network configuration, and then halting the device.” Recovering such devices without deep knowledge of the technology is unlikely. This inevitably leads owners to assume a hardware failure and dispose of the device, which, arguably, is the point of the malware: to brick it. But in most cases, cyber-criminals are looking for a ransom.

I bring this up because the style and purpose of ransomware in the past did not necessarily come from the same intent.

“2019 will be the year of Ransomware Rising – A new business will fall victim to ransomware every 14 seconds in 2019 – and every 11 seconds by 2021…”

Classic Ransomware versus Ransomware in IoT

Hackers are going to continue to exploit new technologies as quickly as they’re being created. But data being collected by IoT devices is often not the kind of data that can really be exploited for ransom. It’s not the same as a threat to privacy or sensitive information, for example. Owners of this kind of data have less incentive to pay a ransom, encrypted or not. Therefore, hackers are naturally adapting to shutting down the functionality of the device (bricking) for ransom, instead.

Ransomware in IoT has an entirely different approach.

It’s dependent on strategy and timing, but also on not destroying the device beyond repair. If the device is bricked completely, it can’t be reversed. Therefore, the cyber-criminal gains nothing except inconveniencing someone. Typically, the intent is not to brick the device for its own sake. Usually, it’s money motivated. IoT devices are so specialized that each of them would have to be targeted in a different way in order to gain anything from a software exploit. Instead, locking up the functionality of the device itself will turn out to be more profitable.

Losing control of your IoT device could be costly.

If your IoT device in manufacturing is designed to regulate the temperature of your manufacturing equipment, a breach would be a costly problem. It could lock up the functionality and set the limits to dangerous temperatures, causing damage to the machine itself or to other facets of the manufacturing process. Hackers could access a power grid, requiring that you pay a ransom or suffer a blackout. Medical IoT could be exploited to collect ransom by intentionally causing a pacemaker or drug infusion pump to malfunction. An infected smart lock could lock people in or out of their houses, or remain permanently open, allowing full access to a victim’s home and belongings. Infection of smart fridges, smart bulbs, or any number of smart devices in a home could also cause disruption. Let’s not even mention what can happen if a criminal accesses a smart car. The list goes on.

More Ransomware in IoT statistics:

  • 1.5 million new phishing sites are created every month
  • Ransomware attacks have increased over 97% in the past two years
  • 850.97 million ransomware infections were detected by the institute in 2018
  • 34% of businesses hit with malware took a week or more to regain access to their data
  • In 2019 ransomware from phishing emails increased 109% over 2017

Industries that are specifically targeted:

  • Healthcare
    • Nearly 50% of ransomware incidents reported in 2018 involved healthcare organizations
    • 18% of healthcare devices have been the target of malware
    • CSO estimates that healthcare malware attacks will likely quadruple by 2020
  • Finance
    • 90% of all financial institutions have experienced ransomware in the past year
    • Attacks on businesses increased to one every 40 seconds (in the first quarter of 2019)
  • Mobile (handheld devices)
    • 18 million mobile malware incidences in 2018
    • Roughly 80% of mobile malware is delivered via app
    • Majority of threats in 2018 were targeting Android OS

Those who choose to utilize IoT without also implementing the proper side-by-side security measures are going to have a rough experience. Hackers continue to get more creative and sophisticated about their exploits. On a fundamental level, ransomware in IoT is very different from the laptop and computer paradigm, but it can still be costly on an individual level, and in business.

Are there currently any regulations for security in IoT devices?

Right now, many US vendors and manufacturers for consumer IoT devices simply aren’t putting in the extra effort to ensure security. Frankly, it’s because there isn’t anything holding them responsible for being compliant.

But the UK government published its proposed Code of Practice for Security in Consumer IoT in 2018. It’s aimed at creating a free, secure cyberspace, and hopefully making the UK the safest place in the world for being online. They’re off to a great start with the General Data Protection Regulation (GDPR) policies put in place in the last year or so as well.

The Code of Practice includes 13 priority principles. Manufacturers, service providers, app developers and retailers should follow these codes when creating and supplying IoT products and services. It’s intended to ensure that each part of the supply chain ensures that its suppliers follow good security practices and apply them.

  1. No default passwords.

    1. All IoT device passwords shall be unique and not re-settable to any universal factory default value.
    2. This primarily applies to device manufacturers.
  2. Implement a vulnerability disclosure policy.

    1. All companies that provide internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.
    2. Applies to device manufacturers, IoT service providers, mobile app developers.
  3. Keep software updated.

    1. Software components in internet-connected devices should be securely update-able. Updates shall be timely and should not impact on the functioning of the device. An end-of-life policy shall be published for end-point devices which explicitly states the minimum length of time for which a device will receive software updates and the reasons for the length of the support period. The need for each update should be made clear to consumers and an update should be easy to implement. For constrained devices that cannot physically be updated, the product should be isolatable and replaceable.
    2. Applies to device manufacturers, IoT service providers, mobile app developers.
  4. Securely store credentials and security-sensitive data.

    1. Any credentials shall be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
    2. Applies to device manufacturers, IoT service providers, mobile app developers.
  5. Communicate securely.

    1. Security-sensitive data, including any remote management and control, should be encrypted in transit, appropriate to the properties of the technology and usage. All keys should be managed securely.
    2. Applies to device manufacturers, IoT service providers, mobile app developers.
  6. Minimize exposed attack surfaces.

    1. All devices and services should operate on the ‘principle of least privilege’; unused ports should be closed, hardware should not unnecessarily expose access, services should not be available if they are not used and code should be minimized to the functionality necessary for the service to operate. Software should run with appropriate privileges, taking account of both security and functionality.
    2. Applies to device manufacturers and IoT service providers.
  7. Ensure software integrity.

    1. Software on IoT devices should be verified using secure boot mechanisms. If an unauthorized change is detected, the device should alert the consumer/administrator to an issue and should not connect to wider networks than those necessary to perform the alerting function.
    2. Applies to device manufacturers.
  8. Ensure personal data is protected.

    1. Where devices and/or services process personal data, they shall do so in accordance with applicable data protection law, such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Device manufacturers and IoT service providers shall provide consumers with clear and transparent information about how their data is being used, by whom, and for what purposes, for each device and service. This also applies to any third parties that may be involved (including advertisers). Where personal data is processed on the basis of consumers’ consent, this shall be validly and lawfully obtained, with those consumers being given the opportunity to withdraw it at any time.
    2. Applies to device manufacturers, IoT service providers, mobile app developers, retailers.
  9. Make systems resilient to outages.

    1. Resilience should be built in to IoT devices and services where required by their usage or by other relying systems, taking into account the possibility of outages of data networks and power. As far as reasonably possible, IoT services should remain operating and locally functional in the case of a loss of network and should recover cleanly in the case of restoration of a loss of power. Devices should be able to return to a network in a sensible state and in an orderly fashion, rather than in a massive scale reconnect.
    2. Applies to device manufacturers and IoT service providers.
  10. Monitor system telemetry data.

    1. If telemetry data is collected from IoT devices and services, such as usage and measurement data, it should be monitored for security anomalies.
    2. Applies to IoT service providers.
  11. Make it easy for consumers to delete personal data.

    1. Devices and services should be configured such that personal data can easily be removed from them when there is a transfer of ownership, when the consumer wishes to delete it and/or when the consumer wishes to dispose of the device. Consumers should be given clear instructions on how to delete their personal data.
    2. Applies to device manufacturers, IoT service providers, mobile app developers.
  12. Make installation and maintenance of devices easy.

    1. Installation and maintenance of IoT devices should employ minimal steps and should follow security best practice on usability. Consumers should also be provided with guidance on how to securely set up their device.
    2. Applies to device manufacturers, IoT service providers, mobile app developers.
  13. Validate input data.

    1. Data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices shall be validated.
    2. Applies to device manufacturers, IoT service providers, mobile app developers.
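As an added example (not part of the original post and not SMBHD’s tooling), the following Python applies principle 10 to the Silex behaviour described above: it scans device heartbeat telemetry for the three indicators the post names (firewall rules dropped, network configuration removed, device halted) and scores each device by how many of them appear. The record fields (`dev`, `ts`, `fw_rules`, `net_cfg`), the 60-second interval and the sample heartbeats are constructed for illustration.

```python
"""Heartbeat-telemetry check for Silex-style bricking indicators.

Added example, not SMBHD's code. Field names and sample records are
constructed; a real fleet would feed its own heartbeat schema in here.
"""
from collections import defaultdict

# Constructed heartbeats: one record per device per 60 s interval.
# fw_rules = active firewall rule count, net_cfg = network config present.
SAMPLE_HEARTBEATS = [
    {"dev": "thermo-01", "ts": 0,   "fw_rules": 12, "net_cfg": True},
    {"dev": "thermo-01", "ts": 60,  "fw_rules": 12, "net_cfg": True},
    {"dev": "thermo-01", "ts": 120, "fw_rules": 0,  "net_cfg": True},   # rules dropped
    {"dev": "thermo-01", "ts": 180, "fw_rules": 0,  "net_cfg": False},  # config removed
    # thermo-01 sends nothing at ts=240: the device has halted
    {"dev": "cam-07", "ts": 0,   "fw_rules": 8, "net_cfg": True},
    {"dev": "cam-07", "ts": 60,  "fw_rules": 9, "net_cfg": True},       # benign: rule added
    {"dev": "cam-07", "ts": 120, "fw_rules": 9, "net_cfg": True},
    {"dev": "cam-07", "ts": 180, "fw_rules": 9, "net_cfg": True},
    {"dev": "cam-07", "ts": 240, "fw_rules": 9, "net_cfg": True},
]

SEVERITY = {1: "low", 2: "high", 3: "critical"}  # by number of distinct indicators


def analyze(heartbeats, interval=60, now=None):
    """Return {device: {"indicators": {name: detail}, "severity": str}} for every
    device showing at least one indicator: firewall rules falling to zero,
    network configuration disappearing, or the device going silent afterwards."""
    by_dev = defaultdict(list)
    for hb in heartbeats:
        by_dev[hb["dev"]].append(hb)
    if now is None:  # default "now" is the latest timestamp seen in the batch
        now = max(hb["ts"] for hb in heartbeats)
    report = {}
    for dev, hbs in by_dev.items():
        hbs.sort(key=lambda h: h["ts"])
        found = {}
        for prev, cur in zip(hbs, hbs[1:]):
            if prev["fw_rules"] > 0 and cur["fw_rules"] == 0:
                found["fw_dropped"] = f"firewall rules dropped to 0 at t={cur['ts']}"
            if prev["net_cfg"] and not cur["net_cfg"]:
                found["net_cfg_removed"] = f"network config removed at t={cur['ts']}"
        missed = (now - hbs[-1]["ts"]) // interval
        if missed >= 1:
            found["silent"] = f"no heartbeat for {missed} interval(s) after t={hbs[-1]['ts']}"
        if found:
            report[dev] = {"indicators": found, "severity": SEVERITY[len(found)]}
    return report


if __name__ == "__main__":
    for dev, info in analyze(SAMPLE_HEARTBEATS).items():
        print(dev, info["severity"], sorted(info["indicators"]))
```

A single missed heartbeat or a rule-count change on its own is weak evidence, which is why the score only reaches “critical” when all three indicators appear on the same device.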

What are some steps to take against Ransomware in IoT now?

While the Code of Practice in the UK is a good example of effective cyber security policy, the U.S. has not yet caught up. Partnering with an IT firm to manage your organization’s security is the best move. There are plenty of ways to monitor security on IoT devices. Even with a full-time IT hire, it’s unlikely that a single person in your firm has the scope of experience or knowledge to manage and monitor all aspects of an organization’s technology and cyber-security, especially at the endpoint level when deploying new IoT devices.

SMBHD offers Security Information and Event Management (SIEM) solutions for businesses that can cover your IoT devices.

Contact SMBHD to talk about Plans and Packages for:

  1. Patching and updates
  2. Anti-virus and network monitoring
  3. Backup and disaster recovery
  4. Endpoint backup
  5. Secure file sync and share
  6. Education and awareness
  7. SIEM as a Service

Take the SMBHD Maturity Assessment now!

More on the importance of security maturity:

Forbes – Build a Strong Cyber Security Posture with These 10 Best Practices

Inside Big Data – How AI and Machine Learning Will Affect Cybersecurity

Malware Attacks on Health Care Industry Spiking: Malwarebytes