IT pros have a lot to worry about--especially these days. Do they need to add ransomware attacks on IoT in the enterprise to their list? Such threats should not top the priority list today, but they should definitely be on the radar--especially as the use of IoT in the enterprise expands.
One of the biggest reasons to consider this risk now is that nothing is sacred to scammers. For example, a few short days into the massive lockdowns stemming from the COVID-19 pandemic, I received an obvious scam call. The caller claimed to be from “an American pharmacy” and told me that I need medicine. (I don’t have any health problems). Indeed, criminals are always quick to exploit anything that’s new. In the social engineering event that I just described, the lockdowns had only just begun, and yet criminals were already hard at work trying to capitalize on a bad situation.
The same basic concept applies to IoT devices--everything from consumer-oriented devices like smart TVs to systems that drive IoT in the enterprise. As IoT devices gain popularity, criminals are moving quickly to exploit them. And while, early on, bad actors most often exploited vulnerabilities in IoT device firmware in an effort to gain a foothold into the network that the device was attached to, IoT devices now are also being targeted by ransomware.
There are actually stories of ransomware attacks against IoT devices that go back as far as 2016 (or possibly even earlier). Back then, though, ransomware infections on IoT devices were mostly a case of bad luck. For example, in late 2016 there was an incident where someone downloaded an app on a smart TV that then became infected with malware. The app was actually designed to attack Android phones, but because the smart TV was equipped with an Android operating system, the ransomware was able to compromise the TV.
Today, bad actors are explicitly targeting IoT devices.
This, of course, raises the question of what happens when an IoT device becomes infected. Generally speaking, if a ransom is not paid, then IoT ransomware will attempt to physically destroy the device, making it unusable. To put it another way, the device is bricked.
Although not technically ransomware, one of the best examples of this type of behavior was the Silex Brickerbot that destroyed thousands of connected devices last summer. Silex Brickerbot targeted devices’ storage, and also overwrote their firmware, effectively “bricking” the devices. The only way to repair the devices would have been to install new firmware.
The Screen Factor
While any IoT device could conceivably be infected by ransomware, most IoT devices are not equipped with a monitor, and therefore have no means for displaying a ransom message. If such a device were to become infected, the infection would likely go undetected until the payment period expired, at which time the device would simply stop working. This is a problem not only for the victim, but also for the ransomware author who wants to get paid.
In fact, the risk of infection of IoT devices--including enterprise IoT devices--not equipped with a screen is relatively low--for now. Because such devices do not contain a user interface, people likely are not installing apps on them or using them to browse the Web. Even so, the devices are Internet-connected, and infections can occur.
In the future, I expect to see situations in which ransomware initially infects a PC and then propagates to IoT devices. The ransomware would likely use port scans and device fingerprinting techniques to seek out targeted IoT devices on the victim’s network. Once such devices have been identified, victims would likely see a message on their PCs indicating that the devices are about to be destroyed if a ransom is not paid.
For now, the best defense against ransomware infections--of IoT devices in general but specifically enterprise IoT devices--is to keep devices patched and avoid running apps on any devices that support them. Going forward, it may be beneficial from a security standpoint to place enterprise IoT devices on isolated network segments where they can be shielded from general-purpose network traffic.