Defending Against Ransomware Attacks is Essential IoT Security
In early June, Forescout Technologies’ Vedere Labs released a report on R4IoT, a ransomware deployment that specifically targets IoT devices. The proof-of-concept attack tested during this first-of-its-kind research into this aspect of IoT security used network-connected security cameras to gain access to an enterprise network.
The attack itself used IoT devices – security cameras in the simulation – to enter a hospital IT server. It then moved laterally to affect both the corporate and operational network, where the hackers were able to install a crypto miner and malware that interrupted the HVAC system.
There are more than 1000 forms of ransomware in circulation as of this writing, and a ransomware attack happens somewhere in the world approximately every 11 seconds. This malware has allowed hackers to exploit IoT devices for at least the past six years. For example, FLocker, ransomware originally released in 2016, targets Android OS-powered smart TVs. Though the original vector for this particular exploit was mobile devices, the use of a common operating system opened up vulnerabilities in consumers’ home entertainment systems. It’s an example of why it is critical to stay on top of IoT security.
Unsecured IoT Devices Are Vulnerable
IoT devices are particularly vulnerable to attack because they are often left unsecured. Hackers can exploit those vulnerabilities, and, in the case of enterprise attacks, disrupt business operations. An incursion might cripple a manufacturing line, for example, or cause businesses to have to shut down some critical function to prevent further damage when an attack is underway.
Ransomware gangs have mostly targeted IT equipment in the past, but as IoT devices proliferate, their value as an attack vector is increasing. Vedere Labs’ Head of Security Research, Daniel dos Santos, told The Register he thinks it is only another year or two before IoT devices comprise more than 50 percent of the total devices in enterprise networks and become a primary target.
In the early days of ransomware, bad actors generally tried a scattershot approach in which they either distributed physical media that would infect machines when inserted or installed, or sent out emails hoping to distribute ransomware through a phishing attack. As these attacks have become more sophisticated, hackers have gotten better at targeting specific vulnerabilities in enterprise systems. If administrators do not ensure IoT networks and the devices they deploy are up to date, their vulnerabilities can open a backdoor that invites incursion.
How Ransomware Is Evolving
When ransomware attacks first emerged, they tended to follow a simple set of steps. The hacker would breach the targeted system, encrypt all the files so the system administrator could no longer access them, and then demand to be paid to restore everything back to its original state. When these attacks first surfaced in 1989, they were generally spread manually – people literally had to insert a floppy disk that carried ransomware code into the computer to infect the system.
By 2005, hackers began using email to spread ransomware attacks. As more systems and devices connected through the Internet, however, attacks have evolved to utilize other avenues, including through mobile and IoT devices.
As this form of hacking has become more widespread and sophisticated, however, ransomware attacks are turning into a multiple-layer extortion process. It may still begin with encrypted files, but now ransomware gangs are going beyond that first layer of encryption and threatening to leak data – including private information from clients or customers – from the compromised system. In some cases, they even threaten to harass customers or other stakeholders of the organization under attack.
Companies in the U.S. are the most frequently attacked – with 29 percent of ransomware attacks affecting American organizations – while Japan is the second most frequently attacked country (representing roughly 9 percent of attacks). These hacks have very real economic costs for affected companies, with cybercrime expected to cost companies $6 trillion per year globally by 2021.
Why IoT Ransomware Can Be Particularly Dangerous
In 2015, Symantec released a report warning that their researchers expected IoT ransomware to be the next place hackers would focus. They raised alarms about exactly the kind of issues the Forescout proof-of-concept attack bore out: that poorly secured IoT devices could be hijacked and used to control anything from a smart lock or thermostat in someone’s home to medical IoT devices or devices that are part of smart-city infrastructure. In the latter case, an attack could affect public transportation networks, public safety monitors, or gas and electric distribution throughout an urban area.
Unfortunately, those concerns have proved to be well-founded. In May 2021, a ransomware attack on Colonial Pipeline forced the company to shut down a major East Coast fuel pipeline until the company paid about $4.4 million USD to regain control over its infrastructure. The attack highlighted the vulnerability of critical infrastructure, which often runs complex, legacy systems that may not be receiving necessary updates in a timely manner.
Because IoT devices are now involved in the control of electrical grids, manufacturing operations, and other large-scale infrastructure, they are a more compelling target for hackers trying to make a publicly-visible impact. With ransomware-as-a-service (RaaS) platforms proliferating, attackers can leverage decentralized tools to inflict damage with even less effort. Having a mitigation plan for these attacks is critical for companies working within the IoT.
Steps to Prevent and Mitigate IoT Ransomware Attacks
Leveling up your IoT security can help prevent ransomware attacks before they happen, and mitigate the damage should one get through to your system. Good IoT security can protect against not just ransomware attacks, but other malware attacks, as well.
Attacks on IoT devices often exploit known vulnerabilities that have not been patched or addressed. The simplest way that you can protect your systems from malware, including ransomware, is by ensuring all IoT devices, software, and other hardware on your networks are fully updated. Monitoring IoT device traffic is another way to protect your assets. If you notice unusual traffic or bandwidth consumption, you’ll be able to address it quickly, potentially stopping an attack before it happens.
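As an added illustration (not from the original article), the sketch below shows one way to flag unusual bandwidth consumption per device: each device's traffic is compared against a robust baseline (median and median absolute deviation) built from its own earlier intervals. The device names, byte counts, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (device, interval index, bytes sent in that interval).
SAMPLES = [
    ("camera-01", i, b) for i, b in enumerate(
        [5100, 4900, 5000, 5200, 4800, 5050, 4950, 5100, 61000, 5000])
] + [
    ("thermostat-07", i, b) for i, b in enumerate(
        [300, 300, 300, 300, 300, 300, 300, 300, 300, 310])
]


def find_bandwidth_anomalies(samples, min_history=5, threshold=6.0,
                             floor_ratio=0.05):
    """Return [(device, interval, bytes, score)] for intervals far above
    the device's own baseline."""
    history = defaultdict(list)
    alerts = []
    for device, interval, sent in sorted(samples, key=lambda s: (s[0], s[1])):
        past = history[device]
        if len(past) >= min_history:
            base = median(past)
            mad = median([abs(x - base) for x in past])
            # A perfectly steady device has MAD == 0; floor the spread so
            # tiny jitter on such a device does not raise an alert.
            spread = max(mad, floor_ratio * base, 1.0)
            score = (sent - base) / spread
            if score > threshold:
                alerts.append((device, interval, sent, round(score, 1)))
                continue  # keep the outlier out of the baseline
        past.append(sent)
    return alerts


if __name__ == "__main__":
    for device, interval, sent, score in find_bandwidth_anomalies(SAMPLES):
        print(f"ALERT {device} interval={interval} bytes={sent} score={score}")
```

In practice the per-interval byte counts would come from flow records or switch counters, and the thresholds would be tuned per device class.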
IoT devices are also often installed with default passwords still in place, which can leave them vulnerable to attack. Updating those passwords as part of a standard operating procedure is one easy way to protect the broader network.
A tightly-managed password control policy for everyone with access to the system is another way to keep security high once default passwords are changed. Symantec security experts report that only 3% of malware exploits technical flaws, and 97% uses social engineering schemes to enter systems using information that people inadvertently hand over to bad actors. Humans are easily socially engineered, and creating structures that reduce that risk can be helpful.
One mitigation option is to have secondary protocols in place in case primary systems are compromised and have to be taken offline. This is particularly important with critical infrastructure, like utilities or transportation networks, but can be equally key in, for example, a large manufacturing operation where even a brief shutdown will increase costs and delay shipments to customers.
In this rapidly-shifting security landscape, having a plan to detect, address, and shut down an IoT ransomware attack is no longer optional – it’s a necessity. Soracom’s IoT platform offers a number of options to help secure your IoT network from malware and bad actors. From private networking tools like Soracom Canal and Soracom Door, to secure provisioning tools like Soracom Krypton, Soracom can help design a secure solution that fits your deployment.
Do you want some help creating a security strategy for your network of IoT devices? Contact one of Soracom’s experts to learn more about how we can support you as you deploy, scale, and secure your IoT project.