Locked In Sixty Seconds: Ransomware, Remote Access, and the Brave New Internet of Things
By Saad Gul and Michael E. Slipsky
A few months ago, we analyzed ransomware incidents and offered some suggestions for handling an episode. Ransomware is a cyberattack in which a hacker uses malware to take control of computer systems. The system owner is denied access to their own system until a payment is made to the attacker. Previous attacks were typically directed at databases or other back-office functions such as payroll or records.
More recently, hackers appear to be escalating to operational systems. The highest profile incident was the targeting of the San Francisco Municipal Transportation Agency (SFMTA). SFMTA handles the city’s public transport, including San Francisco’s iconic cable cars. Trains continued to run, but SFMTA could not collect fares. Commuters rode for free until the issue was resolved. San Francisco did not pay the $70,000 bitcoin ransom demanded.
The use of ransomware to cripple an operational system is hardly unprecedented, but it does raise the stakes dramatically. For instance, an earlier incident at the Hollywood Presbyterian Medical Center (HPMC) had crippled the hospital’s CT systems. The inability to conduct CT scans cost HPMC at least $100,000 a day. HPMC’s decision to pay the $17,000 bitcoin demand could be easily justified on business necessity grounds.
These episodes, and others like them, foreshadow a new wrinkle: the Internet of Things means that the meaning of “ransomware” is likely to change. In one high profile instance, a pacemaker manufacturer was compelled to forcefully deny reports that its units were vulnerable to potentially fatal remote cyberattacks. Older research had established that pacemakers could be compromised via hacking. The point even served as a plot device on the TV series Homeland. At the time, however, actual hacks required proximity to the pacemaker unit, much like an assassin of old would have to get close to his target. The new reports suggest a more ominous menace: the prospect of remote, and potentially fatal, threats.
A similar issue has also emerged with automobiles. In September, a Chinese team announced that it could use software vulnerabilities in the Tesla S to control the car from a distance of 12 miles. Taken together, the vulnerabilities enabled the Chinese researchers to remotely take control of the vehicle, including display, locks – and braking systems. Again, the old James Bond plot involving cut brakes is passé: a modern Goldfinger or Mr. Big can hire a hacker to do it remotely.
These incidents illustrate the prospect that the newer, safer world built by an incipient Internet of Things also brings its own vulnerabilities – vulnerabilities that will be exploited to extort money wherever possible. “Ransomware” will take on a whole new meaning if lives, and not business operations, are hanging in the balance.
There is good news. Ransomware is targeting operational systems precisely because the original targets – back office systems – have been hardened against attacks by the increasing adoption of IT best practices: regular, systematic backups of data, which effectively neutralize much of the menace of a ransomware incident. Early IoT vulnerabilities are similarly prompting remedial measures: Tesla, already considered a cyber security leader, responded to the Chinese report by updating its software to ensure that any subsequent updates must be verified by a cryptographic key.
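The mitigation described above, requiring every update to be verified against a vendor key held by the device, is sketched below as an added illustration; this is not Tesla’s code or any detail of its actual update mechanism, and the key pair, version label and image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a software update image plus its signature.
type UpdatePackage struct {
	Version   string
	Image     []byte
	Signature []byte // Ed25519 signature over digest(Version, Image)
}

// digest binds the version label to the image so neither can be swapped independently.
func digest(version string, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so "v1"+"2..." and "v12"+"..." differ
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate runs on the vendor's build system, the only place the private key lives.
func SignUpdate(priv ed25519.PrivateKey, version string, image []byte) UpdatePackage {
	return UpdatePackage{Version: version, Image: image, Signature: ed25519.Sign(priv, digest(version, image))}
}

// VerifyUpdate runs on the device, which holds only the vendor's public key.
// An attacker who can push bytes to the car but lacks the private key cannot produce a package that passes.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, digest(pkg.Version, pkg.Image), pkg.Signature) {
		return errors.New("update rejected: signature does not match vendor key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	genuine := SignUpdate(priv, "v1.2", []byte("constructed sample image bytes"))
	fmt.Println("genuine:", VerifyUpdate(pub, genuine))
	tampered := genuine
	tampered.Image = []byte("constructed image altered in transit")
	fmt.Println("tampered:", VerifyUpdate(pub, tampered))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	fmt.Println("foreign key:", VerifyUpdate(pub, SignUpdate(otherPriv, "v1.2", genuine.Image)))
}
```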
Any company making web-enabled or cyber-connected products must factor in the potential for ransomware or other hacker attacks in determining the appropriate level of security. There is evidence that manufacturers are increasingly incorporating security as a fundamental feature of design. This approach overlaps with similar privacy requirements that are about to be mandated by the European Union: so-called privacy-by-design.
Finally, remote control works both ways, as a Seattle car thief discovered to his cost. The Seattle Police Department contacted BMW for assistance with a stolen 550i. BMW tracked the vehicle to an alley, where the police found the suspect asleep behind the wheel. The police blog noted that “BMW employees were able to remotely lock the car’s doors, trapping the suspect inside, presumably while hissing something terrifying like ‘I’m not locked in here with you, you’re locked in here with me’ into the car’s sound system.”
The suspect also discovered that the vehicle had been disabled, leaving him unable to drive away. Law enforcement, as well as criminals, can use remote hacks. Ironically, researchers have detected vulnerabilities in BMW’s own web portal that permit attacks through browsers.