
Could IoT devices really be the next victims for ransomware?

23rd May 2016
Joe Bush

The Internet of Things (IoT) is attracting its fair share of fear, uncertainty and doubt these days. Take, for example, a recent report from ICIT entitled ‘Combatting the Ransomware Blitzkrieg’. In it, the authors James Scott and Drew Spaniel make the point that, “It is not inconceivable that malware, and ransomware in particular, will eventually target IoT devices.”

They cited the scenario of someone paying to remove ransomware from a pacemaker, which could ultimately drain the battery. Cesare Garlati, Chief Security Strategist for the prpl Foundation, explains.

It’s true that connected devices represent a major threat to consumers and the public at large, due to the poor or non-existent security in place to help protect them. Ransomware, however, is traditionally used by criminals to prevent users from accessing important data or files. This is an important distinction to make, as connected devices generally do not store any valuable information or personal content.

Having said that, connected devices such as the home router do represent critical ways in for attackers. While the router holds no information to encrypt, it sits at the edge of the home network, and that makes it attractive to attackers who may be able to penetrate it to pursue the home network.

The distinction here is between actually placing ransomware on a connected device, which is unlikely since connected devices themselves tend not to contain data, and using that connected device as a gateway to users’ critical information, which is far more likely. Indeed, when manufacturers create devices that are ‘always connected’ via the internet or have to communicate through the cloud, they leave customers unnecessarily exposed to data theft.

For critical areas of embedded computing, like healthcare, transport and automotive, and home gateways, for example, the industry needs to start addressing this at the most basic level: the hardware. Securing devices at the chip or hardware level can solve much of the IoT security problem by engineering security into connected and embedded devices from the ground up. Vendor-led initiatives can be incredibly time consuming and costly, yet the results are usually non-portable across homogeneous platforms. However, if vendors could come together on a common platform, architecture, APIs and standards, they could benefit from a common and more secure open source approach.

The journey to a secure Internet of Things will be built on the following principles:

Open source: an end to proprietary security by obscurity and instead a 100% ‘Darwinist’ focus on quality, usability and robustness. Code is becoming increasingly complex so let’s get as many eyes on it as possible. And open standards could overcome the dearth of connectivity expertise in the industry.

Secure boot: ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. That signature must match, on the device side, a public key or certificate which is hard-coded into the device, anchoring the ‘Root of Trust’ into the hardware to make it tamper-proof.

Hardware assisted virtualisation: this will containerise each software element, keeping critical components safe, secure and isolated from the rest and preventing lateral movement. Secure inter-process communication will allow instructions to travel across this secure separation in a strictly controlled mode. This approach improves on current binary approaches where applications are either trusted or untrusted at a processor level, allowing for as many independent, secure guests as possible.
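The secure boot check described above, sketched in Python as an added example (it is not code from the article or from the prpl Foundation). The article does not name a signature scheme; RSA PKCS#1 v1.5 with SHA-256 is assumed here, and the demo key, `vendor_sign`, `boot_rom_verify` and `boot` are hypothetical names constructed for the illustration.

```python
import hashlib
import hmac

# Constructed demo key built from two Mersenne primes: public knowledge, never use it.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                  # public key, hard-coded into the device
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent, held only by the signer
K = (N.bit_length() + 7) // 8          # signature length in bytes (141)

# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(image: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo(SHA-256(image))."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def vendor_sign(image: bytes) -> bytes:
    """Signing side (hypothetical vendor build server), never runs on the device."""
    m = int.from_bytes(_encode(image), "big")
    return pow(m, _D, N).to_bytes(K, "big")


def boot_rom_verify(image: bytes, signature: bytes) -> bool:
    """Device side: True only if `signature` is valid for exactly this image."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    # Rebuild the whole expected block and compare it in constant time; parsing
    # the padding leniently is what made historic signature forgeries possible.
    return hmac.compare_digest(recovered, _encode(image))


def boot(image: bytes, signature: bytes) -> str:
    """Fail closed: anything that does not verify halts the boot."""
    return "boot" if boot_rom_verify(image, signature) else "halt"


if __name__ == "__main__":
    image = b"constructed first-stage bootloader v1"   # constructed sample input
    sig = vendor_sign(image)
    print(boot(image, sig))                  # genuine image
    print(boot(image + b"\x90", sig))        # modified image, same signature
```

Only `N` and `E` need to live on the device; the private exponent stays with the signer, which is why modifying the image in flash does not help an attacker who cannot also produce a matching signature.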

So, while something like ransomware appearing on your connected devices may not be such a worry, we still can’t ignore the fact that IoT is already seeping into every aspect of our lives and yet it remains unsecured. As an industry, we must start taking steps now to address security measures in connected devices before the problems grow exponentially.
