Security experts fear there may soon be a wave of ransomware that infects the Internet of Things, resulting in smart cars, smart homes, smart medical devices and even smart transport systems being held hostage by cybercriminals.
"If ransomware were to encrypt or alter the control systems of Internet of Things devices, we'd have a big problem,' said Ed Skoudis, a security-training instructor at the SANS Institute in Bethesda, Maryland, during a panel discussion at the RSA Conference in San Francisco last week.
"What would you pay to turn your lights back on?" he asked. "What would you pay to turn your heat back on? Or your car? You want to drive your car to work today? You're going to have to pay ransomware for that."
MORE: Best Smart Home Devices
The participants in another panel discussion at RSA pointed out that ransomware wouldn't even need to seize control of a system. It would only have to convincingly pretend it had.
"Say you're driving a car and a text pops up on the entertainment system and says, 'Pay up, or you're gonna crash,'" said Gib Sporebo, chief cybersecurity strategist at Leidos, a defense contractor in Reston, Virginia. "What will it take to know that [the car] has not been infected, that the significant life-saving safety controls haven't been taken over?"
The only solution, for now, all panelists agreed, was to make sure that humans are available and trained to take control if a smart system fails.
Making sure your smart home doesn't have dumb security
Ransomware scenarios threaten smart homes as well as smart cars, Aaron Guzman, a penetration tester at SecureWorks in southern California, noted in the second panel discussion.
"Think about smart locks and being locked out of your house," Guzman said. "Many of the smart electric meters have a disconnect switch on them to make it easy to disconnect the power when people move. You can imagine a scenario where malware is able to shut all those down, and, to add insult to injury, shut it down and then brick the device."
"It was demonstrated at the DEF CON [hacker conference] IoT Village last year that ransomware could be loaded on a [smart] thermostat while they basically spiked up the temperature to the 90s," he added. "Think about grandmothers and grandfathers in Arizona in the summer having this ransomware on the thermostat. Who you gonna call? What you gonna do?"
Smart-home devices can be protected, at least in theory, by the Bitdefender Box and similar home network-security appliances, such as the upcoming Norton Core and F-Secure Sense, that screen traffic going into and out of the local network.
"The antimalware scanning technology blocks malware and phishing pages in traffic, ensuring that they don't reach the target device," Bitdefender's Bogdan Botezatu explained about the Box. "The Vulnerability Assessment module ... regularly probes the devices connected to your network for outdated, vulnerable firmware, as well as for misconfiguration."
When ransomware leaves home
Sporebo, however, downplayed the significance of smart homes being held hostage, and instead said the greater impact of ransomware upon smart systems would be felt in science and industry.
"The example that Aaron gave of the house — yeah, that's sort of annoying," he said. "I guess it's sort of the equivalent of camping. You have to go outside for a while if your house is too hot."
"But in lots of other areas," Sporebo added, "like labs, they're doing experiments. If they're out for even a few seconds or a few minutes, that's years of research that's wiped out because you need to keep the temperature at a particular level. What seems like a minor annoyance for a lot of consumers — being locked of your house or your car — can be very serious when you get into specific other areas."
Ed Fok, a transportation technologies specialist with the Federal Highway Administration, agreed with Sporebo that the greater ransomware danger was to industry. He said, for example, that the trucking industry would likely be an early adopter of completely autonomous vehicles — self-driving trucks — and that if so, it would be especially vulnerable to cyberattack.
"If I own your [smart-truck] system, I'll probably have some idea what your cargo manifest is," Fok said. "I don't need to encrypt anything. I don't need to attack anything. I just need to let you know I can make that cargo load disappear. That in itself is ransom. What's that worth to a company?"
However, Fok was concerned about the impact of ransomware upon completely autonomous passenger vehicles.
"I think the fire department is going to need a crowbar to open that self-driving car door, because it's fully encrypted and you can't open the door," he said. "You get hit with ransomware in a fully self-driving car without a steering wheel, and we're so in trouble."
Maintain the human factor
The solution, Fok said, was to keep humans in the equation. He pointed that a potentially devastating ransomware attack on a major city had already taken place, and that disaster had been averted by preparation and by cool heads prevailing.
"How many of you guys were here last Thanksgiving for the Black Friday miracle, when MUNI [the San Francisco bus and tram system] got hit with ransomware?" he asked the audience. "In that particular instance, they did a bang-up job in responding, because they had backups."
Last November, MUNI's fare-collecting system was attacked by encrypting ransomware. Instead of shutting down the system, or paying the ransom, the transport network's managers decided to keep the buses and trains running and make all rides free while they restored the fare-collection system from backups.
"San Francisco showed how it can be managed and communicated," Fok said, before turning to the audience to ask a question.
"Show of hands: How many of you know what to do if you come up to the traffic light and the traffic light goes dark? Raise your hands," he said, as a fair number of people did.
"That's our backup plan," Fok said. "Now, you may not be able to get from Point A to Point B, but the odds of your getting T-boned when you are going through that intersection, as long as you are paying attention, are probably very low."