Next ransomware cyberattack will be worse than WannaCry
Ransomware is not new, but it is increasingly popular and profitable.
The concept is simple: your computer gets infected with a virus that encrypts your files until you pay a ransom. It’s extortion taken to its networked extreme. The criminals provide step-by-step instructions on how to pay, sometimes even offering a helpline for victims unsure how to buy bitcoin. The price is designed to be cheap enough for people to pay instead of giving up: a few hundred dollars in many cases. Those who design these systems know their market, and it is a profitable one.
The ransomware that has affected systems in more than 150 countries recently, WannaCry, made headlines last week, but it does not seem to be more virulent or more expensive than other ransomware. This one has a particularly interesting pedigree: it is based on a vulnerability developed by the National Security Agency that can be used against many versions of the Windows operating system. The NSA’s code was, in turn, stolen by an unknown hacker group called Shadow Brokers — widely believed by the security community to be the Russians — in 2014 and released to the public in April.
Microsoft patched the vulnerability a month earlier, presumably after being alerted by the NSA that the leak was imminent. But the vulnerability affected older versions of Windows that Microsoft no longer supports, and there are still many people and organisations that do not regularly patch their systems. This allowed whoever wrote WannaCry — it could be anyone from a lone individual to an organised crime syndicate — to use it to infect computers and to extort users.
The lessons for users are obvious: keep your system patches up to date and back up your data regularly. This is not just good advice to defend against ransomware, but good advice in general. But it is becoming obsolete.
Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much hyped internet of things. It is coming, and faster than you may think. And as these devices connect to the internet, they become vulnerable to ransomware and other computer threats.
It is only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their internet-enabled door lock: pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.
This is not just theoretical. Researchers have already demonstrated a ransomware attack against smart thermostats, which may sound like a nuisance at first but can cause serious property damage if it’s cold enough outside. If the device under attack has no screen, you will get the message on the smartphone app that you control it from.
Hackers do not even have to come up with these ideas on their own; the government agencies whose code was stolen were already doing it. One of the leaked CIA attack tools targets internet-enabled Samsung smart televisions.
Even worse, the usual solutions will not work with these embedded systems. You have no way to back up your refrigerator’s software, and it is unclear whether that solution would even work if an attack targets the functionality of the device rather than its stored data.
These devices will be around for a long time. Unlike our phones and computers, which we replace every few years, cars are expected to last at least a decade. We want our appliances to run for 20 years or more; our thermostats even longer.
What happens when the company that made our smart washing machine — or just the computer part — goes out of business, or otherwise decides that it can no longer support older models? WannaCry affected Windows versions as far back as XP, a version that Microsoft no longer supports. The company broke with policy and released a patch for those older systems, but it has both the engineering talent and the money to do so.
That will not happen with low-cost internet-of-things devices.
Those devices are built on the cheap, and the companies that make them do not have the dedicated teams of security engineers ready to craft and distribute security patches. The economics do not allow for it. Even worse, many of these devices are not patchable. Remember last autumn when the Murai botnet infected hundreds of thousands of internet-enabled digital video recorders, webcams and other devices, and launched a massive denial-of-service attack that resulted in a host of popular websites dropping off the internet? Most of those devices could not be fixed with new software once they were attacked. The way you update your DVR is to throw it away and buy a new one.
Solutions are not easy and they are not pretty. The market is not going to fix this unaided. Security is a hard-to-evaluate feature against a possible future threat, and consumers have long rewarded companies that provide easy-to-compare features and a quick time-to-market at its expense. We need to assign liabilities to companies that write insecure software that harms people, and possibly even issue and enforce regulations that require companies to maintain software systems throughout their life cycle. We may need minimum security standards for critical internet-of-things devices. And it would help if the NSA got more involved in securing our information infrastructure and less in keeping it vulnerable so the Government can eavesdrop.
This all sounds politically impossible right now, but we simply cannot live in a future where everything — from the things we own to the country’s infrastructure — can be held for ransom by criminals again and again.
•Bruce Schneier is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
Windrush-style warning for Bermuda
Confronting the issue
Choice of Hargun as Chief Justice defended
Duffy calls for triathlon ‘wall of noise’
Triathlon trial run to close roads tomorrow
Wells vows to make improvements
Take Our Poll