Ransomware's next target: Your car and your home

Cybersecurity researchers have demonstrated how vulnerabilities in everyday connected devices can allow hackers to hold whole areas of your life to ransom.
Written by Danny Palmer, Senior Writer

Now it's not just your data that's at risk from ransomware.

Image: iStock

Ransomware is perhaps the biggest cybersecurity scourge of 2016, becoming increasingly problematic both for individuals and businesses of all sizes.

The concept is simple: the cybercriminal will trick a victim into opening a malicious file or clicking on a link, which causes their computer, tablet, or smartphone to be infected with malware that encrypts the data stored on the device. The cybercriminal then demands the victim pay a ransom -- often in Bitcoin -- in order to get their systems unlocked.

While the ransomware installs data-stealing malware on your system, getting infected with ransomware is more an annoyance than anything. Yes, a business will lose money while its networks are locked down, but in most cases it doesn't have any further 'real world' consequences, as the theft of personal data or banking information might.

However, with more and more connected objects joining the Internet of Things, there's the potential that cybercriminals could also seek to install ransomware on these additional devices, with consequences ranging from the annoying to the potentially dangerous.

Researchers at Intel Security recently discovered a vulnerability in the infotainment system of a connected car from one manufacturer, which could allow criminals to install malware on the vehicles' systems by putting it on an SD card and loading that into the infotainment system, said Raj Samani, CTO EMEA at Intel Security.

Researchers demonstrated that the device had been infected by having the sound system play a single song over and over. But what if instead of just being annoying, cybercriminals could go on to disable a vehicle with ransomware too?

It's possible, especially as vehicles' systems become more interconnected on the inside -- something like a sound system vulnerability could potentially be used to access other in-car systems if vehicle manufacturers don't take security seriously enough.

Unless there is clear separation between the engine control units and other systems, hackers could block out the entire car "so you're not even going to get out of your driveway unless you pay," says Samani. This could be a lucrative option for cybercriminals because, while people might be OK with losing some files if they don't pay the ransom, when it comes to a car, they're going to give in, he added.

"Quite frankly, if you're sitting in your driveway in 2021 in a self-driving car, if you have to pay two Bitcoins to get to work, what are you going to do? Are you going to pay? Of course you will. If you've got a $60,000 connected car to drive you to work and you're being charged $200 to move? You'll pay," he says.


Ransomware in a connected car would render the vehicle useless until a ransom is paid in this scenario mocked up by Intel.

Image: Intel Security

Researchers have also demonstrated how it can be relatively simple for malicious hackers to infect a home router with ransomware -- the one used during the research is available to buy from Amazon and over 100,000 have been sold.

The devices are shipped with some rather basic default login credentials, making it easy for cybercriminals to hack the system, simply by entering the default login and password. Anyone who wanted to try to infect this particular router could do so by searching for it on Shodan, the search engine for connected IoT devices.

"A search finds tens of thousands of home routers which basically have fundamental security issues," he said. If a hacker were able to exploit the flaw, the victim would need to pay the ransom in order to regain control of every internet-connected device in their home -- and it's likely they'd pay up in order to regain control of their systems from the hackers.


Security researchers managed to infect a router with ransomware.

Image: Intel Security

So how do organisations feel when outside researchers inform them that there are potentially huge holes in their devices that could be taken advantage of by criminals?

"We get a very mixed bag of responses from companies," says Samani. "In some cases they say 'great, let's fix it,' but in other cases we just get complete silence."

Given the sheer number of devices being connected to the internet, it's somewhat worrying to hear that there are device manufacturers out there who are taking a blasé attitude to the cybersecurity of their products.

"The concept of today's ransomware is to lock your data to ransom. But what we're showing here is that the data is almost irrelevant -- it's the device we're locking up: connected medical devices, home routers, cars; it's the device," Samani says.

