Why the Internet of Things is the next target for ransomware

Devices from pacemakers to cars could be rendered useless by ransomware infections, warns a think tank.
Written by Danny Palmer, Senior Writer
car steering wheel

Could hackers soon hijack your car?

Image: Shayne

It's inevitable cybercriminals will target the Internet of Things (IoT) with ransomware, because connected devices provide a huge opportunity for criminals to launch attacks, a cybersecurity think tank has warned.

The Institute for Critical Infrastructure Technology (ICIT) describes the rise of malware as an "epidemic", and says the IoT is at particular risk. The think tank believes it is not inconceivable that malware, and ransomware in particular, will eventually target IoT devices -- which means a huge range of potential targets.

The major risk surrounding the IoT, according to report authors -- James Scott, senior fellow at the Institute for Critical Infrastructure Technology, and Drew Spaniel, ICIT visiting scholar at Carnegie Mellon University -- is that it represents "practically an infinite attack surface" for cybercriminals to take advantage of.

The report argues that crooks would have to be "extremely risk averse" to not develop malware to target the IoT, given that many IoT devices "pointedly lack any form of security". This offers a huge potential growth bed to ransomware operations by hackers and extortionists.

Perhaps most worryingly, the ICIT says it could be possible for cybercriminals to infect internet-connected medical devices, such as pacemakers, with ransomware.

"The scenario is not too far-fetched; in fact, it is much more deadly. Many medical devices, such as pacemakers, insulin pumps, and other medication dispersion systems are internet or Bluetooth enabled. Ransomware could utilize that open connection to infect the IoT device," the report said.

The danger, the report warns, is that cybercriminals could hack into and decrease the battery life of such devices, even to such an extent that "the ransom window might be less than the wait time before a medical team could schedule a surgery to reset or replace the device".

However, there's also some reassurance that it would be difficult for cybercriminals to exploit IoT devices in this way because there wouldn't be any direct means to deliver a ransom demand to the victim, or a method of collecting payment.

"Email, text message, or other digital vectors seem most probable since the attacker would want to maintain anonymity," Scott and Spaniel said.

Along with targeting medical devices, the report cites another area where ransomware could have a wide-ranging impact: cars, which are becoming evermore connected to the internet.

While the report doesn't go so far as to claim that cybercriminals could run a car off the road, it suggests that cybercriminals could prevent a vehicle from being driven until they've extorted payment from a victim.

"When the victim attempts to use their vehicle for work or travel, the console display could provide them the ransom note and a method of paying ransom, such as via SMS message," the report said.

According to Scott and Spaniel, the main method of preventing this is endpoint security, because "the attack surface of ransomware and malware against software driven vehicles will only increase in the years to come". Manufacturers therefore need to act sooner rather than later to deploy proper cybersecurity, because a delay could mean "the costs of their inaction could be dire".

The report notes: "The only defense is a layered defense, of which endpoint security is an essential layer and can offer a potent ingredient for nextgen cyber fortification".

Read more on cybersecurity

Editorial standards