Securing our future 3: The Internet of Things

Mikko Hyppönen now turns to criminal challenges online and to the dangers of the rapidly progressing Internet of Things.

Alert displayed by ransom Trojan

There are criminal things online as well. When we move from privacy problems to security problems, then we end up with practical things like this (see right-hand image). This is a ransom Trojan, a crypto locker, a Trojan which will infect your system, typically by hitting your browser with an exploit as you surf the web, and then it will encrypt the files on your hard drive. If you are a corporate user, it’s going to encrypt the files in your network shares. And then it’s going to show you this message, where it explains that “Hello, I’m a Trojan, I’ve just encrypted all your files with irreversible encryption unless you have the key; and you can buy the key, please pay me and you will get the key.” And if you actually pay them, they actually will send you a program which actually will decrypt your files. So, at least, they are honest criminals.

The thing that has enabled this particular problem – this crypto ransom Trojans problem – the mega trend which made all of this possible is Bitcoin. Bitcoin, which enabled criminals to actually ask you for a ransom and get the money without getting caught. Now, of course, Bitcoin by itself isn’t bad. It’s neutral. It’s a tool, just like cash. I mean, Bitcoin is the cash of the Internet. Almost all of us have cash in our pockets right now, but do you know who else likes cash? Criminals like cash. It’s very hard to buy cocaine with a credit card, or so I’ve been told. You pretty much have to use cash. And in the online world, exactly for the same reasons, criminals prefer Bitcoin or other virtual currencies.

Affiliate backend of CTB-Locker

These ransom Trojans are not just coming from one criminal. They are actually coming from gangs. They are competing gangs operating from different countries. Most of them are actually in Russia, but there are also ransom Trojan gangs operating from Romania, from Ukraine, from Japan and so on. And they are competing with each other, trying to reach more of their customers, or victims, as they go and encrypt their files. It has even become an affiliate model. This is the affiliate backend of one of these ransom Trojans (see left-hand image); this is coming from Moscow. So this gang is writing a ransom Trojan, making a product out of it, and selling that to other criminals. So they, basically, outsource the criminal element of ransom Trojans.

They themselves only write the Trojan. They never infect anybody with it. They never encrypt anybody’s files, which means they do no crime, which means they can’t be caught for anything because they haven’t done anything illegal. Their customers are the ones that actually infect end users and actually demand a payment. And this means that we are seeing an age where our enemy is becoming more and more professional. They can now afford to invest into their development. We are seeing more malware, more online attacks now than ever before.

And one particular problem that we are all a little bit worried about in the near future is IoT, the Internet of Things. Can’t spell “idiot” without “IoT” – that’s how you remember it. The Internet of Things has been in the headlines a lot regarding the potential security problems we are going to face with IoT and with connected devices. However, most of the risk scenarios you read about are completely blown out of proportion. The typical risk scenario you might read about would be that, you know, evil hackers can hack your Smart Car. They can hack your car and then they can disable the brakes in your car, and then they can drive you off a cliff, and they can kill you. And you know what, yeah, that’s probably doable. It’s probably possible to do that. However, I don’t think it’s going to happen. Why would they do it? Hackers are not interested in killing random people. It’s also illegal to kill random people. If we can come up with risk models where the attackers actually can somehow benefit from their crime, then that makes much more sense.

So, how about someone hacking your Smart Car not to kill you but to open the doors, to start the engine and to steal your car? How is that? Well, that makes much more sense, because we already have a problem with car theft, and if they could steal the car without breaking the windows, they would probably prefer that. Or how about a ransom Trojan for a Smart Car? You get your car to pick up the kids from school, and the car won’t start because there’s a message asking for a payment if you want to get to the school in time. We haven’t actually seen that, but that could easily happen. So, the thing to remember about smart devices is that when someone tells you that something is smart, what you should be thinking about is that it’s exploitable. So, a smart car is an exploitable car. A smart watch, like my Pebble – well, that’s an exploitable watch. Or a smart phone – that’s an exploitable phone.

LIFX smart light bulb

Sometimes it feels like we’re building a monster by connecting all these devices in the online world. You can even go and buy yourself a connected smart light bulb (see left-hand image). That’s a light bulb from a company called LIFX. You can take that and screw it into any normal, standard light bulb place, and then you can control your lights with an app from your smartphone. Pretty neat – connected device, IoT. And obviously, you can imagine that that’s hackable. If there’s a vulnerability, somebody probably could hack that light bulb. But why would anybody ever hack a light bulb? Obviously, this is not going to happen. Obviously, we don’t have to worry about light bulbs getting hacked, except that we do. There actually is a vulnerability in this light bulb, and there’s a perfectly good reason why attackers might want to hack this particular light bulb. And the reason is that the vulnerability in these light bulbs enables the attacker to gain access to the light bulb and then steal the credentials to your wireless network. So, if this light bulb is in your office and you connect it to your WiFi, to your corporate WiFi, somebody can hack the light bulb and get into your internal network. It becomes a vector inside your organization. So, this actually makes perfect sense. It feels like nobody would ever hack a light bulb, but if it works as a vector inside of your organization – sure they will.

Smart light bulb’s vulnerability patch

And this company, LIFX, they actually patched this vulnerability, they shipped an update a couple of months ago (see right-hand image). So, if you have one of these light bulbs you can actually update and patch your light bulb to fix it. It does take, roughly, 15 minutes per bulb to fix it, and the whole idea that you have to patch your light bulbs seems a little bit ridiculous, doesn’t it? But IT administrators in companies no longer have to just worry about updating all the computers and all the smartphones – they now have to start worrying about updating the light bulbs and the toasters and the microwave ovens. Yes, sometimes it does feel like we are building a monster by connecting everything we have to the Internet. Yes, we do get great benefits. I’m sure it’s really nice to be able to change the lighting from your phone, but, obviously, security is not the first thing in mind with these companies that develop new IoT devices. It’s not a selling point. A light bulb’s security is not a selling point when it’s being produced by some company somewhere.
 

Read previous: Securing our future 2: Legal infringement of privacy

Read next: Securing our future 4: Governmental malware
