Early last year, we warned that the Internet of Things (IoT) had major security vulnerabilities, and it was a matter of time until hackers targeted it. And while smart devices have largely evaded ransomware attacks (though some IoT devices were hit as collateral damage in the WannaCry attack in May), it’s not because of improved security. More likely, it’s because hackers haven’t figured out how to make it profitable yet. Unfortunately, that may not be the case for long.
What is the Internet of Things?
The IoT refers to devices — think appliances, cars, and HVAC systems — that connect to the internet. These devices often have “smart” as a prefix and offer convenient and futuristic features like the ability to turn up the heat or AC just before you head home from work.
Smart watches, which display emails, monitor heart rate, and even tell golfers how far they are from the pin, are one of the most popular IoT gadgets. But there plenty of lesser known smart devices as well. Coffee makers, thermostats, and light bulbs are increasingly offering connectivity to the internet as a feature.
Unfortunately, the connectivity that allows consumers to control appliances remotely also exposes devices to malware. And that brings us to the crux of why the IoT will likely become a more frequent target of ransomware attacks.
IoT continues growing, but security is still lax.
The IoT has grown in fits and starts through 2017. For the first time in history, there are more connected devices (approximately 8.4 billion) than humans (approximately 7.6 billion) on the planet. That being said, Cisco estimates that 75 percent of all IoT projects are failing due to problems with security and lack of compatibility.
These security issues will become a major issue as consumers and industry grow accustomed to the benefits of connectivity. The more people rely on connected devices, the more vulnerable to ransomware they become. After all, successful ransomware attacks depend on the victim feeling like they have no choice but to pay the ransom.
IoT ransomware would look different than the attacks we’ve seen lately.
In general, smart devices are highly specialized and quite different from desktop computers. They don’t store family photos or business files, and many don’t have a screen to display a ransom note. Still, enterprising hackers could find a way to freeze or take control of devices and demand a payment.
At the Def Con hacking conference, two researchers demonstrated how they could infect a thermostat with ransomware. If hackers targeted a hospital or nursing home and cranked the heat during summer or AC during winter, victims would have to consider paying the ransom.
If hackers successfully targeted even more critical equipment in a medical facility, the stakes would be even higher. Several researchers have warned that U.S. power grids are vulnerable due to poor IoT security. These are some of the reasons why so many people are urging IoT manufacturers to take security more seriously.
Consumers can take precautions right now to protect IoT devices.
For starters, don’t keep the default password and don’t make the new one “123456” or something else that is easy to guess. Always update your smart devices when a patch becomes available (just like you should with your computer and phone).
Consumers should make sure devices are operating on a secured Wi-Fi router and not an open wireless connection. Buying devices from companies that have a good cybersecurity track record is also helpful. Here’s more information from the FBI on how to protect your devices from hacking. As for industrial and government systems, we hope they listen to Cisco CTO Kevin Bloch when he says, “If you don’t secure it, don’t connect it.”