The IoT device as hostage
Global networking continues to advance, but the interdependencies of the digital age also create a new attack surface for cybercriminals.
Unfortunately, the last few years have seen some inglorious milestones in the development history of the Internet of Things (IoT). At the end of 2016, for example, a large-scale cyber attack in the form of the Mirai malware succeeded for the first time in using hundreds of thousands of IoT devices such as routers, cameras, printers and smart TVs to set up a botnet. This caused DDoS attacks worldwide, including on companies such as Twitter, Amazon and Deutsche Telekom. The extent of the security gaps in the IoT was also demonstrated at the DEF CON hacking conference in Las Vegas, where security researchers showed how an IoT-enabled thermostat can be hacked and locked with a targeted ransomware attack.
First, it is important to distinguish between traditional ransomware, which usually targets PCs and servers, and attacks on IoT devices. Classic ransomware infects the target computer and encrypts the data on it in order to subsequently extort a ransom for its decryption. Although it is possible to restore the affected data with a backup, some victims are forced to give in to the ransom demand due to poor backups. Thus, this method remains a profitable business for attackers, as the massive ransomware waves of WannaCry and Petya have also impressively demonstrated. With the low security level of IoT devices, we can therefore also expect ransomware attacks tailored to them in the coming years.
IoT ransomware target: taking the device hostage
Data theft is not worthwhile with IoT devices. As a rule, there is little or no sensitive data on them. The attackers' strategy therefore focuses on blocking user access to the device and taking the end device hostage, so to speak.
At first glance, this may seem more like an inconvenience. But even a relatively harmless example like the hack on the computer system of a four-star hotel in Carinthia, which made headlines in 2017, shows the far-reaching consequences such an attack can have: criminals manipulated the locking system of the rooms, so that guests could no longer enter them. The attackers successfully carried out this attack three times in a row in return for a ransom. The same applies to the DEF CON hack of the locked thermostat: if we transfer this example to thermostats controlling refrigeration units in a food warehouse or to a data center air conditioning system, the new threat posed by IoT ransomware becomes clear.
The dubious security history of the Internet of Things
Unfortunately, a large number of IoT devices currently in use are extremely vulnerable to IoT ransomware attacks. In the wake of the IoT popularity wave, many manufacturers have developed and sold millions of IoT devices as quickly as possible in recent years, with device security falling by the wayside. As a result, most IoT devices today ship with default permissions, use insecure configurations and protocols, and are notoriously difficult to update, which makes them exceedingly vulnerable to compromise and thus a lucrative target for cybercriminals.
To make matters worse, low-level protocol attacks such as KRACK (Key Reinstallation Attack) give attackers new ways to bypass IoT infrastructure and manipulate devices by injecting foreign code. This has particularly serious consequences when devices need to synchronize with, or receive control commands from, a cloud application.
Three points to evaluate IoT device security
Operating IoT devices securely requires a thorough evaluation of device security from several perspectives. The evaluation should always cover the following three areas:
Hardware: Physical security should always play an important role when evaluating a new device. Physical switches can make a device tamper-resistant by ensuring that individual components cannot be accessed or read out without authorization. For example, a physical mute switch can disable a device's microphones and audio receivers.
Software: As with any other IT system, the software on IoT devices should always be kept up to date. When selecting a device manufacturer, care must therefore be taken to ensure that it regularly updates and patches its software.
Network: Data exchange between IoT devices and backend management or storage solutions should take place exclusively over secure web protocols such as HTTPS, and access should be permitted only through multi-factor authentication. In addition, any default credentials supplied with the device should be changed immediately to strong alphanumeric strings.
Implementing these basic security principles goes a long way toward defending against many of the emerging threats, such as the new breed of IoT ransomware attacks. However, if the IoT world is to become truly secure, it is time to treat it like any other IT system and ensure that its protection is just as robust, effective and future-proof.
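The three evaluation areas above can be turned into an automated policy check over a device inventory. The following Python script is an added example written for this article, not code from the author or from Digital Guardian; the device records, field names, default-credential list and thresholds (180-day firmware age, 12-character minimum password) are all constructed assumptions chosen to illustrate the hardware, software and network criteria.

```python
"""Added example: policy checker for the hardware/software/network criteria.

All device records, field names and thresholds below are assumed for
illustration; adapt them to your own inventory and policy.
"""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Assumed list of vendor default credentials that must never remain in use.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", ""),
}
MAX_FIRMWARE_AGE_DAYS = 180   # assumed policy threshold
MIN_PASSWORD_LENGTH = 12      # assumed policy threshold
AUDIT_DATE = date(2018, 3, 1)  # constructed reference date for the sample run


@dataclass
class Device:
    name: str
    has_physical_mute: bool         # hardware: switch that cuts mic/audio
    firmware_date: date             # software: release date of installed firmware
    vendor_publishes_patches: bool  # software: vendor maintains regular updates
    management_url: str             # network: backend/management endpoint
    username: str                   # network: management credentials
    password: str
    mfa_enabled: bool               # network: multi-factor authentication


def is_strong_password(pw: str) -> bool:
    """Strong alphanumeric string: long enough and mixes letters with digits."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def evaluate(device: Device, today: date) -> dict:
    """Return findings grouped by area; an empty list means the area passes."""
    findings = {"hardware": [], "software": [], "network": []}

    # Hardware: a physical switch should be able to disable audio capture.
    if not device.has_physical_mute:
        findings["hardware"].append("no physical switch to disable microphone/audio")

    # Software: firmware must be current and the vendor must keep patching.
    age_days = (today - device.firmware_date).days
    if age_days > MAX_FIRMWARE_AGE_DAYS:
        findings["software"].append(f"firmware is {age_days} days old")
    if not device.vendor_publishes_patches:
        findings["software"].append("vendor does not publish regular patches")

    # Network: HTTPS only, no default credentials, strong password, MFA on.
    scheme = urlparse(device.management_url).scheme.lower()
    if scheme != "https":
        findings["network"].append(f"management endpoint uses {scheme or 'unknown'}, not https")
    if (device.username, device.password) in DEFAULT_CREDENTIALS:
        findings["network"].append("default credentials still in use")
    elif not is_strong_password(device.password):
        findings["network"].append("password is not a strong alphanumeric string")
    if not device.mfa_enabled:
        findings["network"].append("multi-factor authentication not enabled")
    return findings


def passes(device: Device, today: date) -> bool:
    """True only when no area produced a finding."""
    return not any(evaluate(device, today).values())


# Constructed sample inventory: one device as shipped, one after hardening.
SAMPLE_DEVICES = [
    Device("warehouse-thermostat-01", False, date(2017, 1, 15), False,
           "http://192.0.2.10/admin", "admin", "admin", False),
    Device("dc-hvac-controller-02", True, date(2018, 2, 1), True,
           "https://iot-mgmt.example/api", "ops", "Wq7p2Lm9xZ4t", True),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        result = evaluate(dev, AUDIT_DATE)
        status = "PASS" if passes(dev, AUDIT_DATE) else "FAIL"
        print(f"{dev.name}: {status}")
        for area, items in result.items():
            for item in items:
                print(f"  [{area}] {item}")
```

Run it to see the as-shipped thermostat fail in all three areas (no mute switch, stale firmware and no vendor patches, plain HTTP with default credentials and no MFA) while the hardened controller passes. The check deliberately reports default credentials and a weak password as separate findings, since replacing a default with a short or digit-only string would otherwise look like a fix.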
Text: Christoph M. Kumpa, Director DACH & EE at Digital Guardian