Ransomware on the IoT
First, let me say this – we get other tech newsletters, and a couple of them — one in particular — seem to thrive on scaring people with desperate headlines: DOOM! DOOM! DOOM! We don’t want to be like them, but we do want you to be informed. So today, we are going to give you some information on TNBT — or The Next Big Thing.
The IoT – a clever acronym for the Internet of Things – is creeping into all of our lives, a little bit more every day, from our thermostats, to our toasters, to the locks on our front doors. By 2020 cars will be more like a computer on wheels – but even now, many of your car’s functions are controlled by computers, and some are connected to the IoT.
We are all aware, I think, of what ransomware is and what it can do to our computers. It can lock up our files and make them inaccessible unless we pay the ransom. These ransoms can run into the hundreds of dollars.
But the IoT opens up a whole new world to ransomware creators because the devices on the IoT are designed to be interconnected, but with little or no security – in other words, you can’t install security software on your “Smart” toaster, or your “Smart” thermostat, or the “Smart” locks on your doors. But even more scary are the medical devices like pacemakers and insulin pumps, which operate on the IoT and expose the individual using them to the risk of paying a ransom just to stay alive. It’s pretty serious and scary stuff to contemplate.
The Institute for Critical Infrastructure Technology (ICIT) recently published a report entitled “Combatting the Ransomware Blitzkrieg”, which states:
IoT devices offer a potential growth bed to any ransomware operation because the devices are interconnected by design and many pointedly lack any form of security. A selection of traditional malware will be too large to ever run on a number of IoT devices, but ransomware, predominantly consisting of a few commands and an encryption algorithm, is much lighter. How much do you predict someone would pay to remove ransomware from a pacemaker? The scenario is not too far-fetched; in fact, it is much more deadly. Many medical devices, such as pacemakers, insulin pumps, and other medication dispersion systems are internet or Bluetooth enabled. Ransomware could utilize that open connection to infect the IoT device.
One truth we all already know is: Cybercriminals don’t care who they hurt. So for those using health equipment connected to the IoT, the message, instead of being “Your Files Are Locked. Pay $300 to Unlock Them”, could be “Pay Up or Die”.
The people who design these IoT connected devices have good intentions. But the struggle between good and evil has gone on since the day man first walked the Earth and technology allows good and bad things to happen faster.
Smart thermostats, refrigerators, washers, dryers, toasters, TVs, and cars are all connected to the IoT – and all of them are built with very little security – they are all targets. And while you may not pay a ransom to get your toaster back, you may pay a ransom to be able to start your car. And worse, with pacemakers and other critical medical “smart” devices connected to the IoT, the ransom may be a life.
The IoT is just beginning to blossom. Our lives are changing and nobody’s sure where all this is going to end up.
I hope that soon, those good people who make our lives easier and better through technology put a lot more emphasis on security – or none of us may ever be able to afford the ransom to get our lives back.
I don’t want to scare you; I just want you to think.
Please let us know what you think.
**More good reading on medicine and IoT can be found here.**
I think it comes down to the point they just don’t want to pay for it, and that is somewhere to hold cost down. At least until something bad happens or it becomes law.
I think we have to draw a line in the sand when it comes to “smart” things. There are some areas where it’s simply not worth the risk. To depend on, or take for granted, that the manufacturers or those who promote or implement IoT products to also keep us from harm or outside intrusion is just plain stupid. We’ll never know how many ransomware victims exist because those victims will be (are) too embarrassed to tell us they’ve been duped.
Unfortunately, kids growing up today with the Internet of Things, are wanting more and more things… watches that count heartbeats, refrigerators that are controlled by apps from a smart phone, these are just as common to them as vinyl albums were to me in my day. They don’t see the risk, it’s their world. And because they buy everything cool that comes along, there’s a huge market. Money trumps all, you know. It will take a big catastrophe before the IoT gets the security everyone who uses it needs.
I am posting this article to my FB friends. The word needs to get out.
Thanks, Janis
I have a pacemaker/defibrillator. It has a computer that is read by a transmitter every night and then sent to the hospital computer to be looked at by a technician for abnormalities. If my unit gets infected by ransomware, how am I supposed to know it? It can’t talk to me. It can’t print anything out. It would just stop working and I would have to get to the ER as quickly as possible. The unit would have to be re-programmed by the company’s tech. Most every hospital has one available at all times for that. When you have one, you ask about things like this. What to do in the event of a failure. It happened to me once. The battery died and I did not know what the warning sound meant that was going off every morning for days. I do now. I’m on my 3rd one. This new model has a 12 year battery.
I have no idea how the ransomware criminals would contact you, and I don’t think it’s something you have to worry about right now. I’m sure that as more and more health equipment providers and hospitals become aware of how vulnerable devices connected to the IoT are, more attention will be paid to shoring up the gaping security holes.
I have a medi-alert alarm that is connected to the landline which the ADSL comes through. In Australia we are running out the NBN for faster than fast speeds – they put it through to me & it blew out the alarm, the landline, the computer & the mobile went down twice….so it is somewhat of a problem.
Great article, never thought about it. Scares the beejeebers out of me just thinking about it. Keep up the very useful info articles coming.
Where they are going to eat us alive later on is insurance, I would think. It will be individual on washing machine, dryer, TV, refrigerator, car, and etc. that will go on after the manufacturer’s warranty has long gone. You won’t be able to go without it or be afraid to. My guess your homeowners policy will be pushed up with this stuff eventually. These things will be more easily knocked out with a power surge. It is more computerized. Also yes, probably security later. That is just my guess. My opinion!
I would like a toaster just to be a toaster. I don’t want my toaster to also be a clock, and open up the garage door, and have my bath water running. Just pop the toast.
It sounds like it is going to get even more expensive out there to buy anything. We are pricing ourselves out in this country. Last time I looked a lot of people are retiring in this country.