Ransomwear – An IoT Shakedown by Indy Dhami

In 2018, as many people have predicted, we have seen explosive commercial growth of the Internet of Things (IoT) and wearable technologies. This has created an opportunity for cyber attackers to ply their trade and a new term – ‘Ransomwear’ – has been coined (see recent Symantec research on this). This can be understood as malware delivered through social engineering or pushed directly onto a wearable device. This malware may then infect and restrict access to files, websites, storage drives/memory, and may even prevent users from accessing core functions. The malware creators can then extort the wearer into paying a ransom to unlock the data or potentially, in the case of medical devices, threaten lives.

Unfortunately, strong encryption, anti-virus or anti-malware security software is almost non-existent for these technologies. Their core functionality often relies upon the ability to sync efficiently with other devices; therefore malicious files can be transferred between them quickly.

Ultimately, the technology manufacturers must place a strong emphasis on understanding risks and their responsibilities in protecting both corporate and personal data and functionality. This should include adopting the strongest possible encryption.

In recent years I authored research papers highlighting the benefits and opportunities for mobile devices, but the security and privacy implications did (and still do) concern me. This includes potential threats such as the ability to remotely view and record what a wearer sees and does, track global movements, or even make changes to the device settings.  

The predictions I made (some of which have been frighteningly correct) included attacks on:

  • medical devices – unauthorised access to configuration settings as well as data on location, blood pressure/sugar levels and other bodily functions
  • buildings and critical infrastructure – malicious damage to power production/generation/distribution, manufacturing and transportation
  • automobiles – in-car Wi-Fi, remote access, tampering with engine control and braking systems (the recent Jeep, Tesla, VW and OnStar revelations have drawn media attention to these risks)
  • commercial and personal drones – collection of significant personal data by drones, or compromised or personal drones used for kamikaze attacks
  • home appliances – denial-of-service attacks using unsecured connected devices, such as home entertainment systems and compromised smartphone apps.

However, in some cases no malware is even required to expose potentially sensitive data. A recent incident relating to the Strava fitness tracker app highlighted the disclosure of geolocation data of US military personnel. 

Three key considerations to take note of to protect security and privacy include:

1. Check the default settings on apps and devices, on the assumption that the defaults are not there to protect your data or privacy; rather, they are developed to maximise data collection for the application or device developer or manufacturer.

2. Review privacy settings on the device itself, any application connected to the device, and any internet connectivity and social media interactions that may be associated with the service.

3. Understand what data is being stored and shared on the device. As with any technology, it is only as secure as the human being who uses it. Awareness of and education about risks are therefore critical.

In summary, the best approaches to mitigate these risks are to understand how the technology functions, use all available security controls, avoid dubious apps that request unnecessary permissions, back up data regularly, update software when prompted, and be very hesitant about quickly accepting incoming files (from both known and unknown sources).


Indy Dhami possesses over 14 years’ experience, having worked in both operational and consulting positions at FTSE100 and Fortune 500 organisations including IBM, AXA, Deutsche Bank, PwC, Accenture, Mercedes-Benz, Jaguar Land Rover and many other world-leading organisations. 

His experience includes leadership positions in information/cybersecurity transformation, risk assurance, crisis management (pre and post incident), assurance, audit, governance, risk and compliance programmes.