How Does Ransomware Affect IoT Applications?

How does ransomware affect IoT applications? originally appeared on Quora.

Answer by Stan Hanks, CTO of Columbia Ventures Corp, on Quora:

I actively worry about how malware and ransomware will affect Internet of Things (IoT) applications.

The one thing we know about IoT - largely based on other embedded systems like WiFi access points and cable modems - is that once the system is shipped, there’s nearly zero chance that it will be updated.

That’s probably a good thing, because if you make it possible to remotely update the core software of an embedded system, and you get the security mechanisms wrong (which is easy to do, particularly if you’re trying to do it cheaply because it’s all about per-unit cost in consumer devices), then having a vector by which someone can upload an “update” that’s really a security compromise is a really, really bad thing.

Which creates a conundrum: you can’t update it once it’s shipped, and you can’t realistically create an ecosystem in which trusted updates flow natively at IoT price points. (Because someone is going to mention this, I’ll point out that it’s a really big difference in pushing updates for Windows computers, or smartphones, versus for devices that need to have a bill-of-materials cost under $20; you don’t have the financial headroom to use bigger processors, more memory, more storage, or more importantly, more headcount to make it possible to do it the same way it happens for your laptop or phone.)

As I see it, this is really problematic. Odds are pretty good that the developer didn’t spend the time to patch and harden the OS that’s running the IoT device - particularly if they’re just embedding someone else’s system-on-a-chip solution. That means that a determined hacker can figure out how to penetrate the attack surface and re-purpose the device. And if you can do it for one, you can do it for, well, all of them.

Case in point: remember the DDoS attack on Dyn, back in October 2016? Well, hacked cameras and DVRs powered it. That’s the first time we’ve seen this, but trust me, it won’t be the last.

So how does ransomware play into this? How about a scenario? Let’s say that you manage the Trump World Tower, 72 floors of luxury high-rise living. And let’s say that you decide that if you use super-smart IoT controls for the building, that you can save a huge amount of money every year on energy costs (which is true). And let’s say that you want to promote this as an extra-luxe feature, and allow things like your smart phone telling your apartment that you’re almost home to change the settings as part of this (hey, that’s a thing…)

So you bite down and replace all the controls with this spiffy new fully interconnected Internet-accessible stuff. Costs millions to install and get working right. Takes months and months to do, probably over a year.

And there’s a problem, and it gets hacked.

And I’m now going to screw with everyone who lives there. Turn the heat on full in the middle of the night in July, turn off the hot water, run the AC in January, whatever. I’m just going to make everyone’s life miserable, randomly.

Or you can pay me to “manage your facility” for just a modest fee: only a million bucks. A month. Forever.

Or until you replace it. And hope that whatever you replaced the compromised control systems with doesn’t let me do it again.

Scale that horizontally, it’s less compelling: if you hack my Nest thermostat, it will be painful for me to replace (hey that’s like what, $200 or so?) but it’s manageable, for me as an individual. Less opportunity there, even times a million homes. I’m not going to bother to hold you hostage on ransomware with it, because the cost to replace is too low.

But vertically scaled infrastructure? That’s a different thing. Much more expensive to nuke-and-repave your world, much more painful while you’re doing it because it takes a lot of time.

At the “in your home” scale, the opportunity is different. That’s using the IoT device as a foothold to explore and penetrate the rest of your home. So I can possibly create a ransomware vector by using your thermostat to hack your router and send your computer to places you wouldn’t otherwise go so I can give you a big fat malware payload to do whatever I want with.

The more connected the world gets, the more you have to think about this stuff. Unfortunately the number of people who are thinking about it, and who are in the position to get executive management to take the right action, is vanishingly small.