[BreachExchange] The next ransomware attack will be worse than WannaCry

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 16 20:44:57 EDT 2017


Ransomware isn’t new, but it’s increasingly popular and profitable.

The concept is simple: Your computer gets infected with a virus that
encrypts your files until you pay a ransom. It’s extortion taken to its
networked extreme. The criminals provide step-by-step instructions on how
to pay, sometimes even offering a help line for victims unsure how to buy
bitcoin. The price is designed to be cheap enough for people to pay instead
of giving up: a few hundred dollars in many cases. Those who design these
systems know their market, and it’s a profitable one.

The ransomware that has affected systems in more than 150 countries
recently, WannaCry, made headlines, but it doesn’t seem to be more virulent
or more expensive than other ransomware. This one has a particularly
interesting pedigree: It’s based on a vulnerability developed by the
National Security Agency that can be used against many versions of the
Windows operating system. The NSA’s code was, in turn, stolen by an unknown
hacker group called Shadow Brokers — widely believed by the security
community to be the Russians — in 2014 and released to the public in April.

Microsoft patched the vulnerability a month earlier, presumably after being
alerted by the NSA that the leak was imminent. But the vulnerability
affected older versions of Windows that Microsoft no longer supports, and
there are still many people and organizations that don’t regularly patch
their systems. This allowed whoever wrote WannaCry — it could be anyone
from a lone individual to an organized crime syndicate — to use it to
infect computers and extort users.

The lessons for users are obvious: Keep your system patches up to date and
back up your data regularly. This isn’t just good advice to defend against
ransomware, but good advice in general. But it’s becoming obsolete.

Everything is becoming a computer. Your microwave is a computer that makes
things hot. Your refrigerator is a computer that keeps things cold. Your
car and television, the traffic lights and signals in your city and our
national power grid are all computers. This is the much-hyped internet of
things. It’s coming, and faster than you might think. And as these devices
connect to the internet, they become vulnerable to ransomware and other
computer threats.

It’s only a matter of time before people get messages on their car screens
saying that the engine has been disabled and it will cost $200 in bitcoin
to turn it back on. Or a similar message on their phones about their
internet-enabled door lock: Pay $100 if you want to get into your house
tonight. Or pay far more if they want their embedded heart defibrillator to
keep working.

This isn’t just theoretical. Researchers have already demonstrated a
ransomware attack against smart thermostats, which may sound like a
nuisance at first but can cause serious property damage if it’s cold enough
outside. If the device under attack has no screen, you’ll get the message
on the smartphone app you control it from.

Hackers don’t even have to come up with these ideas on their own; the
government agencies whose code was stolen were already doing it. One of the
leaked CIA attack tools targets internet-enabled Samsung smart televisions.

Even worse, the usual solutions won’t work with these embedded systems. You
have no way to back up your refrigerator’s software, and it’s unclear
whether that solution would even work if an attack targets the
functionality of the device rather than its stored data.

These devices will be around for a long time. Unlike our phones and
computers, which we replace every few years, cars are expected to last at
least a decade. We want our appliances to run for 20 years or more, our
thermostats even longer.

What happens when the company that made our smart washing machine — or just
the computer part — goes out of business, or otherwise decides that they
can no longer support older models? WannaCry affected Windows versions as
far back as XP, a version that Microsoft no longer supports. The company
broke with policy and released a patch for those older systems, but it has
both the engineering talent and the money to do so.

That won’t happen with low-cost internet-of-things devices.

Those devices are built on the cheap, and the companies that make them
don’t have the dedicated teams of security engineers ready to craft and
distribute security patches. The economics doesn’t allow for it. Even
worse, many of these devices aren’t patchable. Remember last fall when the
Mirai botnet infected hundreds of thousands of internet-enabled digital
video recorders, webcams and other devices and launched a massive
denial-of-service attack that resulted in a host of popular websites
dropping off the internet? Most of those devices couldn’t be fixed with new
software once they were attacked. The way you update your DVR is to throw
it away and buy a new one.

Solutions aren’t easy and they’re not pretty. The market is not going to
fix this unaided. Security is a hard-to-evaluate feature against a possible
future threat, and consumers have long rewarded companies that provide
easy-to-compare features and a quick time-to-market at its expense. We need
to assign liabilities to companies that write insecure software that harms
people, and possibly even issue and enforce regulations that require
companies to maintain software systems throughout their life cycle. We may
need minimum security standards for critical internet-of-things devices.
And it would help if the NSA got more involved in securing our information
infrastructure and less in keeping it vulnerable so the government can

I know this all sounds politically impossible right now, but we simply
cannot live in a future where everything — from the things we own to our
nation’s infrastructure — can be held for ransom by criminals again and