There’s no question that ransomware has become one of the most feared (and loathed) cybersecurity attack types. The idea of your critical data sitting on your hard drives yet inaccessible is, frankly, terrifying. And a new study shows it could get much, much worse.
You know that cup of coffee that’s pretty much the only thing that can get you out of bed most mornings? Well, some eye-opening ransomware research came out with the announcement of a proof-of-concept ransomware attack on a coffee maker. Losing access to critical data is one thing. Losing access to coffee is, as Vizzini said in “Princess Bride,” “Inconceivable!”
But coffee makers may only be the tip of the inconceivable ransomware iceberg.
“I think the important thing to remember is that these issues are not new, but there are new tools to access these issues and to leverage them and to exploit them,” says Kiersten Todt, managing director of the Cyber Readiness Institute.
She points out that giving yourself the ability to control Internet of Things (IoT) systems from 3,000 miles away gives others the same ability. And those IoT systems can extend far beyond caffeine delivery. While the infamous Target attack of 2013 took criminals from an HVAC contractor to Target’s customer database, modern converged IT/OT systems can easily see lateral movement in the other direction.
And, as Terence Jackson, CISO at Thycotic, says, “I would say you wouldn’t want to see your connected refrigerator or HVAC system ‘ransomwared.’ That would be a disaster.”
While the idea of lateral movement between IT and OT systems in the enterprise could be disastrous, the current work-from-home environment means that attacks against residential IoT systems could have a significant impact on productivity — or even become entry points for attacks against enterprise assets.
Some employees may not be a good understanding of precisely how great the risk might be.
“Going through our daily lives where we buy connected devices and don’t even know [it], it can certainly create some risk and more than some inconvenience in a scenarios like ransomware hitting them,” explains Brandon Hoffman, CISO at Netenrich.
Those connected systems can extend from coffee makers and refrigerators to physical security systems and environmental controls. And as the weather changes with the seasons, “I can’t really work around my home thermostat as there is no way to manually run the heat or air conditioner,” says Oliver Tavakoli, CTO at Vectra.
As connected technology moves into more aspects of employees’ lives, the possibility grows for ransomware attacks that no consumer wants to experience and (to be honest) no enterprise security team wants to hear about. The recent proof-of-concept attack on the servers for an Internet-enabled “male chastity device” provides all the evidence most will find necessary that this is true.
There are multiple issues around these potential ransomware attacks against consumer systems, including nontech people “negotiating with malicious actors,” Todt says.
Those negotiations are more likely because consumer devices aren’t protected by the sort of sophisticated security systems that are routine in the enterprise.
“It’s no longer about protecting the critical infrastructure. You have to protect the entire infrastructure because of IoT,” she adds.
And that protection will not simply be for the sake of employees’ morning cup of happiness, but for the security of the entire enterprise for which they work.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio