Ransomware is a familiar plague in the online world – it has existed for more than 25 years and become increasingly common during the past decade.
But until recently, it has been aimed more at organizations or individual computers than at devices. That is changing. With the explosive growth of the Internet of Things (IoT) – estimates of how many connected devices will be in use by 2020 range all the way up to 200 billion – experts say ransomware is about to get much more common at the consumer level. An attack surface that broad and that vulnerable is irresistible to cybercriminals.
Most of the headlines so far are still about organizational breaches – one of the most recent was at the Hollywood Presbyterian Medical Center in Los Angeles, which paid a $17,000 ransom demanded by hackers who had installed malware that encrypted files on some of its devices.
Even police departments have been among the victims, which usually end up paying a ransom that is not crippling but is an ominous reminder that the encryption in such attacks is generally so robust that even experts cannot defeat it.
At the consumer level, the individual ransom demands are not expected to be huge either, since the sheer number of potential victims offers savvy criminals the promise of enormous wealth.
Some experts have been predicting for more than a year that consumer ransomware will be so common that it could become an annoying but routine part of the cost of living.
They say people could end up paying $20 to $100 or more a month in “rent” to digital mobsters just to make sure their car will start in the morning, their doors and windows won’t get unlocked remotely, their electric bill won’t show twice the actual energy use, their appliances won’t go haywire and their TV won’t turn into a spy camera. There is the realistic possibility that a ransom could be demanded to keep an embedded medical device from turning lethal.
Indeed, connected consumer devices range from TVs to cars, online gaming, toys, guns, wearable fitness trackers, smart appliances, thermostats, lights, wall switches, couches, toothbrushes, motion sensors, garage doors, baby cams, home security systems, utility monitoring, smoke alarms, embedded medical devices – just about anything that could be connected.
As Chris Hadnagy, founder, CEO and chief human hacker at Social-Engineer, put it at the time, “Imagine a world where a whole network can be compromised from a coffee machine – you don't have to imagine it – I have seen it first hand. Network-enabled devices means that someone can alter, adjust, spy, listen and use that device in any way they want if they compromise it.”