Locked in Sixty Seconds: Ransomware, Remote Access, and the Brave New Internet of Things

A few months ago, we analyzed ransomware incidents and offered some suggestions for handling an episode. Ransomware is a cyberattack in which a hacker uses malware to take control of computer systems. The system owner is denied access to their own system till a payment is made to the attacker. Previous attacks were typically directed at databases or other back-office functions such as payroll or records.

More recently, hackers appear to be escalating to operational systems. The highest profile incident was the targeting of the San Francisco Municipal Transportation Agency (SFMTA). SFMTA handles the city’s public transport including San Francisco’s iconic cable cars. Trains continued to run, but SFMTA could not collect fares. Commuters rode for free until the issue was resolved. San Francisco did not pay the $ 70,000 bitcoin ransom demanded.

The use of ransomware to cripple an operational system is hardly unprecedented, but it does raise the stakes dramatically. For instance, an earlier incident at the Hollywood Presbyterian Medical Center (HPMC) had crippled the hospital’s CT systems. The inability to conduct CT scans cost HPMC at least $100,000 a day. HPMC’s decision to pay the $17,000 bitcoin demand could be easily justified on business necessity grounds.

These episodes, and others like them, foreshadow a new wrinkle: the Internet of Things (IoT) means that the meaning of “ransomware” is likely to change. In one high profile instance, a pacemaker manufacturer was compelled to forcefully deny reports that its units were vulnerable to potentially fatal remote cyberattacks. Older research had established that pacemakers could be compromised via hacking. The point even served as a plot device on the TV series Homeland. At the time however, actual hacks required proximity to the pacemaker unit, much like an assassin of old would have to get close to his target. The new reports suggest a more ominous menace: the prospect of remote, and potentially fatal, threats.

A corresponding issue has also emerged with automobiles. In September, a Chinese team announced that it could use software vulnerabilities in the Tesla S to control the car from a distance of 12 miles. Taken together, the vulnerabilities enabled the Chinese researchers to remotely take control of the vehicle, including display, locks – and braking systems. Again, the old James Bond plot involving cut brakes is passe: a modern Goldfinger or Mr. Big can hire a hacker to do it remotely.

These incidents illustrate the prospect that the newer, safer world built by an incipient Internet of Things also brings its own vulnerabilities – vulnerabilities that will be exploited to extort money wherever possible. “Ransomware” will take on a whole new meaning if lives, and not business operations, are hanging in the balance.

There is good news. Ransomware is targeting operational systems precisely because the original targets – back office systems – have been hardened against attacks by the increasing adoption of IT best practices: regular, systemic, backups of data which effectively neutralize much of the menace of a ransomware incident. Early IoT vulnerabilities are similarly prompting remedial measures: Tesla, already considered a cyber security leader, responded to the Chinese report by updating software to ensure that any subsequent updates must be verified by a cryptographic key.

Any company making web-enabled or cyber-connected products must factor in the potential for ransomware or other hacker attacks in determining the appropriate level of security. There is evidence that manufacturers are increasingly incorporating security as a fundamental feature of design. This approach overlaps with similar privacy requirements which are about to be mandated by the European Union: the so-called privacy-by-design.

Finally, remote control works both ways, as a Seattle car thief discovered to his cost. The Seattle Police Department contacted BMW for assistance with a stolen 550i. BMW tracked the vehicle to an alley, where the police found the suspect asleep behind the wheel.

The police blog noted that “BMW employees were able to remotely lock the car’s doors, trapping the suspect inside, presumably while hissing something terrifying like ‘I’m not locked in here with you, you‘re locked in here with me’ into the car’s sound system.”

The suspect also discovered that the vehicle had been disabled, leaving him unable to drive away. Law enforcement, as well as criminals can utilize remote hacks. Ironically, researchers have detected vulnerabilities in BMW’s own web portal that permit attacks through browsers….

By Saad Gul & Michael E. Slipsky of Poyner Spruill