Smartphones, watches, televisions and fitness trackers could be used to hold people to ransom over personal data, cyber security experts have warned. The risk to business is “significant and growing”, the National Crime Agency and National Cyber Security Centre say. IT security experts from Trustwave, TrapX, SentinelOne, Avast, (ISC)², MWR InfoSecurity, Thales e-Security, Axians UK, Imperva, DomainTools, Tenable, AlienVault, EclecticIQ and Cylance commented below.
Lawrence Munro, Security Specialist at Trustwave:
“Ransomware has become one of the most popular attack methods amongst cyber criminals because it is both easy to execute and extremely lucrative. Our 2015 Trustwave Global Security Report estimated that a successful attack campaign would net a criminal a 1,425 per cent return on investment. These attacks will generally be targeted at organisations rather than individuals as the impact and potential payday for the criminal are much greater.
Mobile devices are an increasingly popular target as users tend to pay less attention to emails and links, and many users aren’t aware that their devices can be infected with malware.
All connected devices are still essentially computers and therefore potentially vulnerable to attack, although it is worth noting that only connected devices with screens would actually be able to convey a ransom message to the victim. However, they pose a much greater risk for secondary infections, passing on ransomware and other malware to more traditional devices they are connected to.
The most effective way to combat ransomware is to keep all data regularly backed up, and ensure all devices are kept patched and up-to-date. Connected devices should be kept on a separate network from the main enterprise network, with an airgap preventing any infections from crossing over.”
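The backup advice above is only useful if you can tell that a backup is still intact and notice when live data has been encrypted. The following is an added example, not code from the article or from Trustwave: it builds a SHA-256 manifest of a directory and then verifies the directory against it, reporting files that are missing, changed, or whose contents now look like ciphertext (high byte entropy, a common ransomware signal). The directory layout, file names and the simulated attack are all constructed for the demo.

```python
"""Backup manifest and ransomware-style change detection (added example)."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, much lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_manifest(root: Path) -> dict:
    """Map each regular file (POSIX-style relative path) to its hash and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare root against a manifest built earlier.

    Returns {'missing': [...], 'changed': [...], 'suspect': [...]}; 'suspect' is the
    subset of changed files whose first MiB now has ciphertext-like entropy.
    """
    report = {"missing": [], "changed": [], "suspect": []}
    for rel, meta in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != meta["sha256"]:
            report["changed"].append(rel)
            if shannon_entropy(p.read_bytes()[: 1 << 20]) >= entropy_threshold:
                report["suspect"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: snapshot two files, then 'encrypt' one and delete the other."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt").write_text("quarterly figures " * 200)
        (root / "photos").mkdir()
        (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"sky and sea " * 300)
        manifest = build_manifest(root)
        # Simulate ransomware: overwrite one file with random bytes, remove another.
        (root / "photos" / "holiday.jpg").write_bytes(os.urandom(4096))
        (root / "notes.txt").unlink()
        return verify(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest on the backup target, not on the machine being backed up: anything that can rewrite the files can rewrite a manifest stored beside them. The entropy threshold is a heuristic; already-compressed formats (JPEG, ZIP) sit near 8 bits per byte even when untouched, which is why the check is only applied to files whose hash has changed.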
Kevin Eley, VP EMEA at TrapX:
“The NCSC recognises the significant opportunity that is growing for attackers given the increasing prevalence of internet connected devices.
Our own research, highlighting the medical and healthcare industry, identified such dangers relating to connected medical devices (see Medjack http://deceive.trapx.com/rs/929-JEW 675/images/AOA_Report_TrapX_MEDJACK.2.pdf). It stands to reason that criminals will seek to exploit other connected devices (whether business or consumer) to steal personal information or for ransom. The ultimate motivation is primarily financial gain. It is important that government and industry recognise these threats and work together to rapidly mitigate them.”
Tony Rowan, Chief Security Consultant at SentinelOne:
“When users decide to jailbreak their smartphones and download apps from third-party sources, they can expect to get infected and altered versions of applications. In addition, unknown apps on those services are also likely to have malicious elements. If it’s “free”, it’s free for a reason. One of those reasons may be to infect the device with ransomware. There have been rare instances of malicious apps getting onto the genuine application delivery stores but, in general, the controls applied by the app store management prevent most of this. That doesn’t mean that smart devices are not vulnerable to other attacks such as exploits against browser vulnerabilities for example.”
Peter Turner, Security Expert at Avast:
“Today’s news from the National Crime Agency and the National Cyber Security Centre about the rising risk of ransomware isn’t surprising. 2016 has been dubbed ‘the year of ransomware’ after we tracked unprecedented levels of ransomware attacks and the emergence of new strains and 2017 is currently set to be no different.
Between October 2015 and June 2016 at AVG, an Avast company, we detected 20,044,360 ransomware threats globally. Given that each attack on average demands a 1 bitcoin ransom (with an average monetary value of around $500 during this time period), we saved consumers and businesses globally at least $10,022,180,000 worth in ransom payments by preventing such attacks. Based on our long-term statistics, we save at least one device from a ransomware attack every single second.
Consumers and businesses can help to protect themselves against ransomware by ensuring they have the latest digital security installed and ensuring they maintain their devices by keeping all apps and programmes up to date. They also need to be vigilant about not opening suspicious emails and attachments or downloading software from unauthorised sources which may not be official and could contain ransomware. Observing simple rules and being smart about what we do online are all important defences against ransomware.”
Dr. Adrian Davis, Managing Director, EMEA at (ISC)²:
“Sadly, this report is no surprise. It highlights risks that are becoming ever more obvious. I’ve seen little to highlight where accountability lies for creating the environment we are all now in, and it isn’t just with the criminals and attackers. Many tech vendors think about usability and functionality and ignore security throughout the design, creation, testing and manufacturing process for their devices. As a result, consumers are ever more vulnerable and opportunities for cybercrime are on the increase. Vendors need to take security and privacy seriously and treat it as a fundamental component of what they do, not as an expensive and bothersome afterthought. Consumers need to be more savvy and take basic precautions to protect themselves, and they must also exert their influence, demanding better of the manufacturers and services that provide them with devices that they trust and rely on every day.”
Robert Miller, Head of Operational Technology at MWR InfoSecurity:
“The concept of ransomware and the technologies affected by this type of malware are continuously being expanded. New strains of ransomware are being discovered on a weekly basis and with multiple platforms being targeted. This ranges from fitness bands to IP cameras, thus it can be difficult to fully understand the risks connected consumer devices are being exposed to.
As a result, end-users are finding themselves in a quandary when it comes to advice being issued by the NCA and NCSC. Some devices have well designed and effective security measures that would prohibit all but the most determined of attackers, whereas others have flaws that expose their owners to considerable risk. What is more concerning is manufacturers using phrases like “military grade encryption”, ignoring the fact that this wouldn’t stop the most likely forms of attack (such as using hardcoded credentials). Consumers often don’t understand that in most instances it is not the devices’ assumed weak encryption being leveraged in a compromise. As the Mirai malware showed us, there are devices sold today that are accessible over the Internet and compromised and controlled with just a few lines of code.
The business model at the core of ransomware has been proven to be very profitable and reasonably anonymous, and this is fuelling its growth. Attackers have realised that the key issue is not how valuable ransomed data are to sell on underground markets, but rather how valuable they are to the affected end-users or organisations and their appetite for losing the encrypted data.
It is therefore important that manufacturers of these devices stop seeing security as a burden to their development, but rather as a value that can benefit their customers. Given the likely PR nightmare that some manufacturers will face following ransomware attacks, it will be the companies that take security seriously that will gain the advantage in this competitive new market. Manufacturers should realise the value of using customer data security as a selling point.
In the meantime, customers will need to seek out signs that a manufacturer is taking security seriously. Does the product guarantee updates when security issues are found? Is there a place on their website to report security incidents? Do they offer a bug bounty program to promote security research? In lieu of a stamp of approval for IoT security, consumers will have to look for these indicators of maturity if they wish to avoid this new line of cyber-attack.”
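The MWR comment above makes the point that the likely attack on a consumer device is not against its encryption but against factory credentials, and that Mirai compromised devices with a few lines of code. What a defender can do with that is watch for the credential sweep itself. The following is an added example, not code from the article or from MWR InfoSecurity: it parses a constructed telnet/SSH login-attempt log (the line format is invented for the demo) and flags sources that cycle through several factory username/password pairs within a short window, plus the devices that accepted one. The credential list is a small illustrative sample of the kind of pairs IoT bot wordlists carry, not a complete or authoritative list.

```python
"""Detecting Mirai-style default-credential sweeps in login-attempt logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative factory credentials of the kind found in IoT bot wordlists (assumption: partial).
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "123456"),
    ("support", "support"), ("admin", "1234"),
}

# Constructed log format: one line per authentication attempt.
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\w+)$"
)


def parse(lines):
    """Yield dicts for well-formed lines; silently skip anything that does not match."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            ev["port"] = int(ev["port"])
            yield ev


def find_sweeps(lines, min_pairs=3, window=timedelta(minutes=5)):
    """Return {src: set_of_pairs} for sources that tried at least `min_pairs`
    distinct factory credentials within any `window`-long span."""
    attempts = defaultdict(list)
    for ev in parse(lines):
        pair = (ev["user"], ev["pw"])
        if pair in DEFAULT_CREDS:
            attempts[ev["src"]].append((ev["ts"], pair))
    flagged = {}
    for src, evs in attempts.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            pairs = {p for t, p in evs[i:] if t - t0 <= window}
            if len(pairs) >= min_pairs:
                flagged[src] = pairs
                break
    return flagged


def successes_with_defaults(lines):
    """(device, username) pairs that accepted a factory credential: fix these first."""
    return sorted({(ev["dst"], ev["user"]) for ev in parse(lines)
                   if ev["res"] == "success" and (ev["user"], ev["pw"]) in DEFAULT_CREDS})


# Constructed sample: one sweeping source, one ordinary failed SSH login, one stray attempt.
SAMPLE_LOG = """\
2017-03-14T09:00:01Z src=203.0.113.7 dst=192.0.2.10 port=23 user=root pass=xc3511 result=fail
2017-03-14T09:00:02Z src=203.0.113.7 dst=192.0.2.10 port=23 user=root pass=vizxv result=fail
2017-03-14T09:00:03Z src=203.0.113.7 dst=192.0.2.10 port=23 user=admin pass=admin result=fail
2017-03-14T09:00:04Z src=203.0.113.7 dst=192.0.2.11 port=23 user=root pass=xc3511 result=success
2017-03-14T09:30:00Z src=198.51.100.4 dst=192.0.2.10 port=22 user=alice pass=s3cr3tP@ss result=fail
2017-03-14T09:31:00Z src=198.51.100.4 dst=192.0.2.10 port=22 user=alice pass=Wrong1 result=fail
2017-03-14T10:00:00Z src=198.51.100.9 dst=192.0.2.12 port=23 user=admin pass=admin result=fail
""".splitlines()


if __name__ == "__main__":
    print("sweeping sources:", find_sweeps(SAMPLE_LOG))
    print("devices accepting factory credentials:", successes_with_defaults(SAMPLE_LOG))
```

The sweep detector keys on distinct factory pairs rather than raw failure counts, so a user mistyping a real password is not flagged while a bot walking its list is. The second function is the actionable output: a device that answered "success" to a factory credential is already owned or about to be, and is exactly the "change default credentials, disable telnet" case that no amount of "military grade encryption" addresses.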
Peter Carlisle, VP EMEA at Thales e-Security:
“Connected devices will play an increasingly crucial role in data sharing for the delivery of digital public services in organisations like the NHS.
Our recent research found that one third of healthcare organisations now use IoT devices to store patient data, so it’s no surprise that hackers see this as an opportunity to breach security to steal patient data. This threat cannot be underestimated, leading to life-threatening consequences if medical devices are hacked and shutdown.
To tackle this threat before it takes hold, organisations must train employees to improve their cyber security skills whilst implementing a robust encryption policy to protect critical data from malicious attacks.”
Ian Parker, Professional Services Consultant at Axians UK:
“The news that the rise of internet-connected devices will provide opportunities for ransomware demonstrates that security has never been so important, and whilst it’s great to see that the government is increasing its abilities to guard against attacks with the opening of the National Cyber Security Centre (NCSC), businesses must also take precautions in terms of BYOD.
A notable obstacle to security is that some companies that want to use network-controlled devices are not technology aware. Approximately 50 per cent of employees think that their IT department (if they have one at all) is not aware of all the company’s connected devices, and around 70 per cent perceive their organisation as being at risk from a connected device related security issue. It has been predicted that 20 billion connected devices will be in circulation by 2020, so the problem must be addressed and rectified before it gets out of control and risks global security.
Potentially all these devices, if not secured, are open doors for any malicious organisations or individuals to gain access to internal networks or the device itself. Once a hacker has access to a device, it can be used to attack a targeted company in a DDoS attack, or they may even be able to hack into the internal network devices, leading to full control of your business environment. Or more menacingly, they could be a cybercriminal, part of an organisation whose sole purpose is to obtain money via ransom, credit card theft and identity theft.
In short, IoT is only as secure as you make it. In today’s market, you cannot rely on manufacturers to produce a network-controlled device with security at the forefront. Unless the IoT device is a security device in itself, the manufacturers will want to make it as cost-effective as possible with a quick production cycle. Security, on the other hand, is time consuming, costs money and is not widely understood.
It is therefore up to the business to ensure these devices – which are essentially remote controls for the world to operate – are secure and remain accessible by authorised personnel and devices only. They can do this by seeking advice and expertise from professionals that are aware of the risks and vulnerabilities as well as the mitigation and prevention methods.”
Amichai Shulman, CTO and Co-Founder at Imperva:
“I don’t think that Ransomware is actually going to grow much bigger. I think it is as big as it can be for organizations and individuals alike (which is a lot). IoT devices, while susceptible to compromise are not targets of ransomware as they hold very little data which is mostly backed up automatically to cloud storage. Hence the devices themselves will not be threatened by ransomware.
Having said that, the true limitation for ransomware expansion today is distribution channels. In this domain IoT devices do represent a threat to users and enterprises (and a growth opportunity for attackers). By compromising many IoT devices, attackers can (physically) make their way into more home and enterprise networks and use the compromised devices as a springboard for attacks – including the distribution of ransomware to end stations and servers alike.”
Kyle Wilhoit, Senior Security Researcher at DomainTools:
“Ransomware has been the scourge of internet miscreants for a few years. As criminals have continued to innovate, they are realizing the potential of holding victim computers hostage. While this is a big problem, the likelihood of this issue becoming bigger is almost guaranteed. NCSC and NCA are correct in assuming and talking about this attack vector continuing to gain notoriety. Bringing awareness to such a large problem will ideally help the defensive posture of any organization.
One of the more concerning scenarios would be an ICS or SCADA network getting compromised by ransomware. While this has happened on a few different occasions, the victim was not targeted because of the importance of the connected devices. These were opportunistic infections, ultimately causing outages to PLCs and SCADA environments, all because ransomware took over several hosts. So, regardless of the ransomware being targeted or not, these infections will cause outages, possibly severe.”
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“As the computational power, complexity and value of these devices increases, the probability they’ll be targeted by cyber criminals to monetize security flaws will also rise. Smartphones are a particular weak spot, with cherished photos being stored and rarely backed up. As with traditional IT equipment, it’s important connected devices are kept up to date, applying fixes the vendors release in a timely manner.”
Chris Doman, Security Researcher at AlienVault:
“These aren’t just theoretical attacks – ransomware attacks against smart TVs have already been seen in the wild. Embedded devices such as ATMs, routers, industrial control systems and printers have been targeted by malware for some time.
So far the only malware for fitness trackers I’ve seen are proof of concepts, and the same with thermostats.
Given many of these devices run standard versions of the Android operating system – they would likely be as susceptible to these attacks as a typical Android phone. However they may be less likely to encounter the attacks if users are rarely accessing the internet with them.
It’s certainly true these devices can record sensitive information. And it’s not only the devices themselves that could be compromised. A central database at a toy company was hacked in 2015, and in the process lost millions of photos taken by kids’ toys to hackers.”
Javvad Malik, Security Advocate at AlienVault:
“Ransomware will continue to be favoured by criminals looking to easily exploit devices and extort payment from victims.
We’ve seen proof of concept ransomware deployed against thermostats, but I haven’t yet seen any myself against smart watches.
One of the key things to bear in mind is how easy IoT devices are to secure: for example, is it easy to change default credentials or disable insecure and unnecessary protocols?
Equally, it’s important to evaluate the recovery process. Something manufacturers can help with by building into their products, so that if it does fall victim to ransomware, it can be restored. Many devices can have factory settings reset with one click, while others may require manufacturer involvement. Worse yet, in some cases, recovery may be impossible, forcing users to pay the ransom as a last resort. It’s up to buyers to understand the recovery process for the devices they own, and to create a contingency plan should one of them be compromised.”
Joep Gommers, CEO at EclecticIQ:
“Today’s report from the NCA and NCSC is a welcome initiative in making the UK a world leader in cyber security. The report stresses the importance of collaboration and the sharing of knowledge if we are to fight against the evolving threat landscape, which is something I’m keen to see more of over the coming months and years. Thankfully, the way we share information is already starting to change. Standards are maturing, technology is maturing, and there is a big push from government to set up collaborative initiatives to ensure the public and private sectors are sharing insight on threats.
“Openness is key to establishing trust. As such, support for open source standards like STIX and TAXII needs to sit at the core of the fight for true threat intelligence. However, the use of these standards and the exchange of intelligence is often still very much a conscious effort and not yet a default modus operandi – like recycling, a practice that was once ignored and then slowly adopted, is now commonplace and assumed. One organisation’s reactive becomes another’s proactive.
“Transparency is vital to success in business and embracing a stance of openness cannot only improve a business’s view of cyber threats, but can also fuel a wider cyber intelligence revolution. Only if organisations and government departments work collaboratively do we stand a chance of getting one step ahead of the bad guys.”
Zach Lanier, Research Director at Cylance:
“While the NCA report highlights a number of threats, perhaps the most notable (but not unsurprising) one is the increase in Internet connected devices. In particular, the Internet of Things and the attack surface that comes with it. We’ve already seen record-breaking DDoS attacks using insecure embedded devices, and with the rapid proliferation of even more IoT devices, it’s likely we’ll see that activity again in the near future. The NCA report also points out the high probability of mobile and IoT devices getting hit with ransomware, which seems like a natural evolution (in fact, in late 2016, some smart TVs were already being infected with ransomware). Between that and all the other threats the NCA report predicts for 2017, consumers and businesses will need to bolster their security and remain steadfastly aware of the risks they may face.”