The Future of Ransomware

Ransomware isn't new, but it's increasingly popular and profitable.

The concept is simple: Your computer gets infected with a virus that encrypts your files until you pay a ransom. It's extortion taken to its networked extreme. The criminals provide step-by-step instructions on how to pay, sometimes even offering a help line for victims unsure how to buy bitcoin. The price is designed to be cheap enough for people to pay instead of giving up: a few hundred dollars in many cases. Those who design these systems know their market, and it's a profitable one.

The ransomware that has affected systems in more than 150 countries recently, WannaCry, made press headlines last week, but it doesn't seem to be more virulent or more expensive than other ransomware. This one has a particularly interesting pedigree: It's based on a vulnerability developed by the National Security Agency that can be used against many versions of the Windows operating system. The NSA's code was, in turn, stolen by an unknown hacker group called Shadow Brokers -- widely believed by the security community to be the Russians -- in 2014 and released to the public in April.

Microsoft patched the vulnerability a month earlier, presumably after being alerted by the NSA that the leak was imminent. But the vulnerability affected older versions of Windows that Microsoft no longer supports, and there are still many people and organizations that don't regularly patch their systems. This allowed whoever wrote WannaCry -- it could be anyone from a lone individual to an organized crime syndicate -- to use it to infect computers and extort users.

The lessons for users are obvious: Keep your system patches up to date and regularly back up your data. This isn't just good advice to defend against ransomware, but good advice in general. But it's becoming obsolete.

Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much-hyped Internet of Things (IoT). It's coming, and it's coming faster than you might think. And as these devices connect to the Internet, they become vulnerable to ransomware and other computer threats.

It's only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.

This isn't just theoretical. Researchers have already demonstrated a ransomware attack against smart thermostats, which may sound like a nuisance at first but can cause serious property damage if it's cold enough outside. If the device under attack has no screen, you'll get the message on the smartphone app you control it from.

Hackers don't even have to come up with these ideas on their own; the government agencies whose code was stolen were already doing it. One of the leaked CIA attack tools targets Internet-enabled Samsung smart televisions.

Even worse, the usual solutions won't work with these embedded systems. You have no way to back up your refrigerator's software, and it's unclear whether that solution would even work if an attack targets the functionality of the device rather than its stored data.

These devices will be around for a long time. Unlike our phones and computers, which we replace every few years, cars are expected to last at least a decade. We want our appliances to run for 20 years or more, our thermostats even longer.

What happens when the company that made our smart washing machine -- or just the computer part -- goes out of business, or otherwise decides that they can no longer support older models? WannaCry affected Windows versions as far back as XP, a version that Microsoft no longer supports. The company broke with policy and released a patch for those older systems, but it has both the engineering talent and the money to do so.

That won't happen with low-cost IoT devices.

Those devices are built on the cheap, and the companies that make them don't have the dedicated teams of security engineers ready to craft and distribute security patches. The economics of the IoT doesn't allow for it. Even worse, many of these devices aren't patchable. Remember last fall when the Mirai botnet infected hundreds of thousands of Internet-enabled digital video recorders, webcams and other devices and launched a massive denial-of-service attack that resulted in a host of popular websites dropping off the Internet? Most of those devices couldn't be fixed with new software once they were attacked. The way you update your DVR is to throw it away and buy a new one.

Solutions aren't easy and they're not pretty. The market is not going to fix this unaided. Security is a hard-to-evaluate feature against a possible future threat, and consumers have long rewarded companies that provide easy-to-compare features and a quick time-to-market at its expense. We need to assign liabilities to companies that write insecure software that harms people, and possibly even issue and enforce regulations that require companies to maintain software systems throughout their life cycle. We may need minimum security standards for critical IoT devices. And it would help if the NSA got more involved in securing our information infrastructure and less in keeping it vulnerable so the government can eavesdrop.

I know this all sounds politically impossible right now, but we simply cannot live in a future where everything -- from the things we own to our nation's infrastructure -- can be held for ransom by criminals again and again.

This essay previously appeared in the Washington Post.

Posted on May 23, 2017 at 5:55 AM • 55 Comments

Comments

Peter Galbavy • May 23, 2017 7:30 AM

The prevalence of these attacks and their perceived success may also spur some vendors to look at the profit opportunities that remotely crippling their own products can bring. This would of course be framed in suitable marketing language about the advantages of paying up and how it will improve your overall experience of the product. You think inkjet cartridges that cry "empty" when they are still visibly working are bad? Like they say, you ain't seen nothing yet.

See, as an example, the steps that DJI (the world's largest consumer drone maker) is taking in a week or less that put them in the place of self-appointed law enforcement, requiring users to get prior approval though a sign-in process before using products that they (we) have already purchased. Perhaps the next step will be to require an "admin fee" for processing the approval for a new country if you decide to go play tourist and so on.

Jeff Martin • May 23, 2017 7:42 AM

"the usual solutions won't work" Well, one of the usual solutions will work, which is don't have the thing in the first place. Cars are more problematic, but an Internet enabled thermostat is hardly a necessity. I think we will find there is a natural limit to the use of automation and interconnection, because we are incapable of making such systems secure enough. Eventually people will stop connecting things when it becomes too dangerous, and an equilibrium will be reached. At least until the next shiny thing comes along.

Make Open Houses Illegal • May 23, 2017 7:50 AM

Finally, from example after daily example, the Internet is viewed as a hostile, lawless virtual world.

The simple solution here is to follow basic security procedures and keep your personal data loop as small as possible. This in spite of corporate claims ‘we take your privacy seriously’.

Who really requires defenseless microphones, camera, thermostats connected to the Internet? (only those who sell your personal data).

Why can’t raw sensor data be processed locally on a NAS? Then only the alerts require firewall Internet access.

The output from these intrusive Internet sensors has found its way into social sites:
Facebook flooded with 54,000 cases/month of sextortion and revenge porn:
https://www.theguardian.com/news/2017/may/22/facebook-flooded-with-sextortion-and-revenge-porn-files-reveal
The solution begins by educating our children. We must stop the practice of allowing Big-Data advertisers to control the classroom. The root-cause-issue rests with ill-equipped educators.
As a start, security experts and researchers should give unclassified presentations to students and teachers in their school auditoriums.
We’ve got to come out of this tailspin. God help America regain some common sense by freeing us from the addicting clutches of Big-Data advertisers.

Vesselin Bontchev • May 23, 2017 7:56 AM

Sigh... It has always amazed me how otherwise brilliant infosec people are so amazingly ignorant when it comes to viruses, malware in general, and anti-virus techniques. Let's see how many errors I can find in this article:

  1. WannaCry is way more "virulent" than any other ransomware. It is being distributed by a goddamn virus, ferkrissake! Normally, ransomware isn't viral. I know of only one other which self-replicates, and it does it by copying itself to USB drives (and, since auto run from USB drives no longer works, uses an icon for its executable that looks like a directory, trying to trick the victim to click it) and spreads much less successfully than this automatic worm.
  2. Microsoft patched the vulnerability two months earlier, not one. It was patched in March.
  3. The vulnerability exists in many versions of Windows, including some that Microsoft no longer supports (e.g., WinXP), but the worm infects only Windows 7 (and its server equivalent). So, the only reason why the worm was successful was because people have failed to patch their systems for two goddamn months!
  4. Supported or not, Microsoft released a patch for Windows XP too.
  5. Unlike your computer, the "things" connected to Internet (or even your phone) cannot be encrypted. They don't have user-writable files and on your phone an app can modify only its own files; not the other files on the phone (the SD card being an exception). So, on such "computers" ransomware does not encrypt, it locks. And recovering from that is trivial - you just reset the device to factory settings.
  6. WannaCry does not infect Windows XP; stop spreading misinformation. The ransomware it drops does work on WinXP - but you'd have to copy and run it there manually and the presence or absence of vulnerability is irrelevant.

Buzz Windrip • May 23, 2017 8:11 AM

"The market is not going to fix this unaided."

This guy is a Socialist. Of COURSE the markets can fix this. The markets are MAGIC! They are the answer to ALL of our problems if only the liberals would get out of the way with their smarty pants education and high falooten ideas.

J. Stetson • May 23, 2017 8:16 AM

@Jeff Martin. The problem is that as time goes on, it will be harder and harder to find non-Internet-enabled IoT-type devices. Like TVs, they are mostly "smart" nowadays. I worry that we won't have a choice to connect or not connect. What if my power company decided to install smart meters? Do I get to change it, or would they refuse because it's not what they run?

TheDoctor • May 23, 2017 8:36 AM

Cited:
"Those devices are built on the cheap, and the companies that make them don't have the dedicated teams of security engineers ready to craft and distribute security patches."

Could be as well:

"This soft drink is produced on the cheap, and the companies that make them don't have the employees to make sure that no rat crap or cyanide gets into the bottles"

The first is considered reasonable by almost everyone.
The second is, at least in a developed country, unacceptable.

- regulate it
- control it
- fine the crap out of them if they don't comply

jdgalt • May 23, 2017 8:51 AM

The advice to regularly patch our systems is no longer valid for Windows users, because Windows 10 itself is now ransomware. (Its seller has already demonstrated a willingness to delete software you have paid for from your computer, and even to distribute patches that prevent you from restoring it. And if you don't keep paying them monthly, your computer stops working. In effect you no longer own your computer or anything on it.)

But the market has already produced a solution: Linux.

Anyone who gets infected with this should treat it as a sign from God. Abandon Microsoft.

Terry • May 23, 2017 9:02 AM

Oh.. I thought ransomware was when the NSA demanded your source code. Read about it on Ars Technica. So, what do they call that?

chuck • May 23, 2017 9:47 AM

Profitable - you're kidding, right? It earned a measly $10k! Also, the main culprit turned out to be fully supported Windows 7, and not (unsupported) Windows XP. So, again, it's not Microsoft, but idiots who leave their systems un-patched.

J Thornton • May 23, 2017 9:48 AM

Why must people bash others for things they believe? That is part of the reason I hate these damn things (Computers). Something has to give and we must stop putting everything online. I have purchased ten Computers (10) over the last three years. Do you know how many I own? ZERO! Why, you ask? Because I found something in my Family's Computer that I didn't like. A program that allowed remote activation of Cameras and Microphones. I attempted to remove it, to protect my Family. It was part of a larger package that I was unaware of. Now I'm marked; I still have all those Computers, but have total control of none. I spent Thousands of dollars to get back Administrator rights and control. For all my hard work, what did I get? A few Thousands of dollars poorer. I have a surprise for ALL of you! That program is hiding in YOUR Computer right now, just waiting. If the controls to that program get thrown out in the wild, WE ARE ALL SCREWED. Please let me help the critics out here: You are way smarter than I am. You're highly Educated, I'm just a dumbass. My English is beyond horrible and I should just stay quiet in my Trailer. I have heard it all from the Computer Experts. Funny thing is I found the nastiest Computer Experts to repair my electronics. They now sit, eating Their Humble Pie as they wade through Their pile of electronic JUNK. Thank You Mr. Bruce for this site, one of the very few I can post to. Not everyone takes You for granted.

Satai • May 23, 2017 9:49 AM

The risks of ransomware for "microwaves" -> make such a devices as stateless as possible and if not possible make the reset to a default as simple as possible.

Windows Expert • May 23, 2017 10:03 AM

"So, the only reason why the worm was successful was because people have failed to patch their systems for two goddamn months!"

Now let's enter the real world. I haven't updated my Windows 7 install for about three years. Why? Because Windows Update is broken for god alone knows what reason. I spent an hour trying to fix it and I could not, so I gave up. I came to the conclusion that the only way to fix the problem was to reinstall Windows. However, I don't have a Windows 7 disk because I never got one when I purchased the computer--it came with a recovery partition. However, I deleted that partition to gain extra space on my SSD. I tried to figure out how to get a clean version of Windows 7 for download, but that doesn't seem possible.

Windows is a great ecosystem if one has the ability to throw gobs of money and time at problems. I don't. Most individual non-corporate users don't. It is easier and far cheaper to pray.

Slime Mold with Mustard • May 23, 2017 10:20 AM

A lot of people stopped updating their Windows 7 and 8 when Microsoft started sending telemetry and God knows what else with their updates during their great WIN 10 Spyware campaign.

BR • May 23, 2017 10:21 AM

This is exactly what Rob Graham always criticizes Bruce for: blurring unrelated problems to argue for regulation that won't work or be worth the cost. Most IoT devices are firewalled. That protects them from attacks like Mirai. They aren't going to get Trojan'd either. And the damage potential on most IoT devices is limited too. No one is going to pay a ransom on a cheap IoT device that is easier to replace, and so no one is going to bother to infect them with ransomware.

Cars aren't a good target for ransomware either. It's hard to imagine the attackers could make the payment process so completely fluid that victims can pay immediately if they need their car immediately. And unlike ransoming someone's personal data, there's nothing irreplaceable here. So victims will just get their car serviced. Few would pay.

Ransomware is only effective when it targets personal data. For individuals, the answer is patching, which is easy for them. There's no need for regulation because regulation can't force every end user to patch, and vendors are already doing a good job staying ahead of problems for users who are patching.

It can be hard for businesses to patch, but they have a business decision to make about whether to put money into security personnel and downtime or to pay ransoms. For many, the ransom will be cheaper. And again regulation doesn't help; major OS vendors are on top of it, and it's business's choice if they aren't going to help themselves.

The only area left is critical systems like in hospitals. If any regulation is called for, it should be on them to require devices with minimized attack surfaces. It's not Microsoft's fault if they stupidly put Windows in a life support system when Windows was never meant for that.

William Ehrich • May 23, 2017 10:33 AM

Most of those IoT devices don't really use or need internet access. They should all make it easy to disable such access, perhaps sell them only with the access disabled by default.

TimH • May 23, 2017 10:57 AM

@William Ehrich
The internet access is often there mandatorily so that the manufacturer reaps recurring revenue from the end user, and/or user monitoring.

parabarbarian • May 23, 2017 11:15 AM

Wannacry had three bitcoin accounts hardcoded into it. As of today they have collected about 49 bitcoins in ransom payments. At the current rate of exchange (~$2,200 or so) that comes to about $108,000. I'll leave it to the reader to decide if that is profitable or not.

You can see the transactions here:

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Mr.Impatient • May 23, 2017 11:59 AM

"...It's based on a vulnerability developed by the National Security Agency..."

Correction: It's based on a vulnerability developed by Microsoft for the National Security Agency.

parabarbarian • May 23, 2017 12:12 PM

I am not so sure that EternalBlue is a deliberate backdoor. It looks like an "honest" mistake to me. I am more suspicious of the feature in the CryptoAPI that lets a decryptor recover the RSA primes and generate the private key.

neill • May 23, 2017 12:20 PM

maybe A.I. can save us by detecting and preventing unusual access patterns

you could have many insecure devices even w/o a password inside your network, IF the firewall 'thinks' about ingress/egress traffic

Ross Snider • May 23, 2017 12:56 PM

@Bruce

"widely believed by the security community to be the Russians"

Wherein you link only to your own opinion article?

I'm part of the security community. Me and my colleagues do not believe that the Shadow Brokers are "the Russians."

Otherwise an interesting article. I would suggest that if smart devices become commoditized enough then either:
1. There's a button to hit a firmware reset on the device (think using pens to reset your router firmware)
2. The devices are cheap enough that they can just be replaced.

For IoT, these devices aren't likely to have your work projects, your communications, your saved files, your family pictures.

So paying the ransom for them is going to follow these basic guidelines:
1. People are not going to pay more than what the device is worth. They aren't likely to pay a high percentage of what the device is worth. This means most ransomware on IoT will pull in tens of dollars a person today and may pull in single-digit incomes if the prices drop low enough.
2. People will disable their convenience machines if they become inconvenient for any reason and revert to "dumb thermostats" etc. This makes the likelihood for payouts smaller than for computer systems that are single points of failure.
3. While security is not likely to be built into the devices, factory resets are. This means that a person can wait for the worm to finish spreading and reenable their device.
4. It is more difficult to communicate from IoT devices that there is a ransom to be paid due to the limited capabilities and interfaces of the devices, leading to fewer payouts.

Therefore, because of both the lower payouts and the recoverability, ransomware authors are likely to have longer running campaigns that trickle in money over time - rather than flash-and-bang campaigns that make a lot of money faster. This has implications for the sorts of threat actors who would attempt to create that kind of ransomware, how the law might approach it, and the technical chops required to keep a C2C alive long enough to make a low-payout long-timeframe ransomware campaign function.

Rabbit 0 1 1 2 3 5 8 13 • May 23, 2017 12:58 PM

@Mr. Schneier

I think we've all been around the block on this one, and we're definitely not in Kansas anymore.

... affected Windows versions as far back as XP, a version that Microsoft no longer supports. The company broke with policy and released a patch for those older systems,

... won't happen with low-cost IoT devices. — Those devices are built on the cheap, and the companies that make them don't have the dedicated teams of security engineers ready to craft and distribute security patches.

I hate to break it to you, but these dot-com folks are not businessmen. They're pimps. They're running a district, not a business. Over half of all internet searches are for what normal people (i.e. no registered sex offenders) euphemistically call "smut."

I can't even log into my bank account without offending the "smut" filter, and yet my e-mail inbox is constantly full of Viagra, Cialis, and weight-loss drug ads, wealthy older men, and poor young women.

Any I(di)oT thing that needs interminably urgent security "patches" just to maintain its basic purported functionality is already broken by design. In other words, they never had the dedicated teams of security engineers to build it right in the first place.

George • May 23, 2017 1:39 PM

Nice write-up Bruce. We can't even secure our TVs against hackers, yet we're close to unleashing millions of self-driving cars on the road and putting our lives in their hands. The future will be interesting.

CallMeLateForSupper • May 23, 2017 2:00 PM

Seems like a good time to mention the Twitter account I discovered only very recently and find entertaining: The Internet of S*it
https://twitter.com/internetofshit

Example:
"The Cowler. Smart neck collar for dairy cows. Streamline your business."
(The account owner calls it "Fitbit for cows")

Another example:
Lennart Koopmann‏ @_lennart May 8
Is this a good moment to ask myself why my lightbulb started talking to a TOR exit node on UDP port 123 this morning?

----------------------------------------------
@Rabbit 0.....
"I think we've all been around the block on this one, and we're definitely not in Kansas anymore."

On the bright side though, tired metaphors still abound.

albert • May 23, 2017 4:17 PM

@CallMeLateForSupper,
Monitoring the health of cows (esp. dairy cows) is important (Cowler notwithstanding). Such devices might be useful for dairy farmers. Check out some fascinating automation here:

https://en.wikipedia.org/wiki/Automatic_milking

Cows quickly learn to enter the machine when they need to be milked. Remarkable.

@Mr. Fibonacci,
When something -can- be monetized, it -will- be monetized, and in the shortest possible time.

Nothing illustrated this better than the Internet of BS (IoBS)

. .. . .. --- ....

Clive Robinson • May 23, 2017 4:29 PM

@ BR,

"Most IoT devices are firewalled. That protects them from attacks like Mirai. They aren't going to get Trojan'd either. And the damage potential on most IoT devices is limited too. No one is going to pay a ransom on a cheap IoT device that is easier to replace, and so no one is going to bother to infect them with ransomware."

I think from that, that everyone can see you lack the ability to "think hinky", which is unfortunate.

Firstly you say "Most IoT devices are firewalled" but contrary to what you appear to think that is neither true nor sufficient. Firewalls are usually incorrectly configured. I know that even supposedly firewalled IoT devices got recruited by Mirai. Because for the majority of low cost IoT devices to be sufficiently secure takes a lot of effort and invariably these days reduces their utility or functionality. This is because the price you pay is two part, the first is what you might call the price of delivery, on which the manufacturer makes little or no profit. They make up for this by collecting personal data which goes back to servers they may not even control in return for a revenue stream. To stop you blocking this revenue stream they make chunks of the device functionality dependent on the IoT device having access to those servers, hence the firewall gets the Swiss cheese treatment.

But anyone who cares to think a bit will realise the problem is going to get a whole lot worse. The demands of big data and the illusion of long term revenue are going to make future IoT devices be in effect bricked on arrival. You will have to give them unfettered access to the Internet for them to start working at a minimal level. As part of that you will then be given a very limited free upgrade to the functionality the "review" you read raved about. Then you will have to pay a few dollars a month to keep the functionality or the device will become a brick again. This will become a standard marketing model as we have already seen with some devices from major organisations. Of course two things will happen, the manufacturer or the agent will in effect have a "kill switch" so even if you are paying, if they are not making sufficient revenue they will turn off the servers and you will have a brick again. Secondly everything will be done on the cheap and due to various bits of legislation etc will be at best only marginally secure or backdoored. Thus someone will reverse engineer etc and they will be "Trojan'd" and another Mirai or equivalent will be spawned.

The only question is what the payload will be and this brings us to your other points,

The "damage potential" on most IoT devices although limited compared to modern PCs is above that of PCs of less than a decade ago, so the potential to act as a relay to do an insider attack etc is more than definitely there.

So whilst few would pay a ransom on a cheap IoT device, the same is not true of their PCs, laptops, pads and NAS devices that are now infected because the IoT device has punched a hole through the firewall that Hannibal could drive a dozen herds of elephants through into your house, SoHo or franchise etc. So whilst it is less likely they will put "ransomware" on an IoT device, I would think it highly likely they will use IoT devices as a bridgehead to get ransomware or worse onto the other more valuable items that the owners incorrectly thought were safe behind the firewall...

In all I would expect the likes of the National SigInt Agencies to already be investigating IoT devices for the purpose of bridgeheading firewalls, in exactly the same way the NSA/GCHQ got into by far the majority of routers etc.

In turn I would expect others to find such zero-days and sell them as cyber-weapons to less capable National Agencies in all countries. Others to use them for criminal activities and as usual the SigInt Agencies like the NSA etc will make a mistake or someone will get a fit of morals and divulge them publicly as we are currently seeing happen.

If you don't think any of the above are possible or will happen, they already have in one form or another and it will only get worse till people "wise up". As things currently are the idea of IoT is actually dead of a cancer growing within it. There are two choices, either excise the cancer that is the alternative revenue streams or watch the cancer kill the host market. Because corporate management can not think beyond their next bonus they will not voluntarily quit the alternative revenue streams because none of the competition will. Thus the only way to stop the race for the bottom / mutual suicide pact of short term free market behaviour is by effective legislation. However with the dual pressures on legislators of the IC and lobbyists, the chances of legislation being effective is actually minimal. As one famous SciFi author put it "Welcome to the world of the goldfish bowl".

Some Guy • May 23, 2017 10:07 PM

Yes, the patches have been out for two months; patching end-user workstations is generally easy enough. But Windows is so complex that it can take weeks to perform adequate testing to put out a patch for mission-critical business apps. Until we mandate installing patches on businesses or taking alternative security measures, businesses won't be secure.

The labor for a small to medium size business to track, test, and install patches within a month on a hundred apps and tools for a couple hundred servers and a thousand workstations kills patch compliance. It's a systemic weakness. We've designed and optimized a house of cards built on a sandy beach with an incoming tide.

The latest functionality sells, but I can better support reliable unitasking simplicity that doesn't need all of the complex software noise. I want:

Simple plug in virtualized appliances with a documented yet minimal threat surface

One source for all of the supported patches that I choose when to install

No unneeded inbound or outbound ports - document what is open and why

Whitelisted vendor supplied and supported software

Signed apps with hashes to authenticate the source

No hidden accounts

Standards compliant logs.

In other words, engineer me a drop in supported simple, reliable, and maintainable system and I'll pay for it. Don't give me a generic app dependent on 10 other apps running on a Windows OS with a terabyte of software I don't need but have to maintain.
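The "signed apps with hashes to authenticate the source" item in the wishlist above is the one control on that list with a compact, checkable mechanism behind it. What follows is an added example, not code from the original post, from the commenter, or from any vendor: a hypothetical update manifest carrying the package's SHA-256 and an Ed25519 signature over it, with the verifier checking the signature under a pinned vendor key before it compares the package bytes against the digest. The manifest layout, the sample package bytes, and the keys generated in-process are all assumptions constructed for this example; Go's standard-library crypto/ed25519 and crypto/sha256 supply the primitives.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the small document a vendor would ship beside an update
// package: the SHA-256 of the package and the vendor's signature over
// version+digest. The format is hypothetical, invented for this example.
type Manifest struct {
	Version   string
	SHA256    string // hex SHA-256 of the package bytes
	Signature []byte // Ed25519 signature over signingInput(Version, SHA256)
}

// signingInput binds the version label to the digest so a validly signed
// manifest for one release cannot be re-labelled as a different release.
func signingInput(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// SignUpdate is the vendor side: hash the package, then sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, signingInput(version, digest)),
	}
}

// VerifyUpdate is the device or operator side. The vendor public key is
// pinned; the manifest is trusted only if its signature verifies under that
// key, and the package is trusted only if it hashes to the signed digest.
// Either failure must block installation.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, pkg []byte) error {
	if !ed25519.Verify(pub, signingInput(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	sum := sha256.Sum256(pkg)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(m.SHA256)) != 1 {
		return errors.New("package hash mismatch: contents differ from the signed manifest")
	}
	return nil
}

// RunScenario exercises the three cases a verifier must get right: a genuine
// update is accepted, a tampered package is rejected, and a manifest signed
// by a key other than the pinned one is rejected even when its hash is right.
func RunScenario() (genuineOK, tamperedRejected, wrongKeyRejected bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample bytes standing in for a firmware image.
	pkg := []byte("firmware-image-v1.2.3: constructed sample payload")

	m := SignUpdate(vendorPriv, "1.2.3", pkg)
	genuineOK = VerifyUpdate(vendorPub, m, pkg) == nil

	// One flipped byte in the package must be caught by the hash check.
	tampered := append([]byte(nil), pkg...)
	tampered[len(tampered)-1] ^= 0x01
	tamperedRejected = VerifyUpdate(vendorPub, m, tampered) != nil

	// A manifest signed by some other key must fail the signature check,
	// even though its digest correctly describes the package it ships with.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	forged := SignUpdate(otherPriv, "1.2.3", tampered)
	wrongKeyRejected = VerifyUpdate(vendorPub, forged, tampered) != nil

	return genuineOK, tamperedRejected, wrongKeyRejected, nil
}

func main() {
	a, b, c, err := RunScenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, wrong key rejected: %v\n", a, b, c)
}
```

Running it prints `genuine accepted: true, tampered rejected: true, wrong key rejected: true`. The order of the two checks is the design point: verifying the manifest signature before touching the package means someone who can alter the package bytes cannot also alter the digest they will be compared against, and binding the version label into the signed input stops a genuinely signed older manifest from being presented as a newer release.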

Spooky • May 23, 2017 10:31 PM

@ k15,

I suppose it depends on what you mean by unhackable. Computerized fuel injection started showing up in the late 60s; the venerable Intel 8051 microcontroller was already present in consumer vehicles selling in the early 1980s. Modern cars today are packed with MCUs. So, if by unhackable you meant totally without computerization, you'd have to aim for something produced in the 50s thru the mid-60s (a fantastic period btw, with lots of great cars).

If you were shooting for something of fairly recent manufacture that cannot be remotely hacked, you would probably want to steer clear of anything with cellular, bluetooth or satellite connectivity, for starters. Crooks have already built devices capable of doing replay attacks on the wireless key system, so you'll want to opt for a manually keyed lock (that will not slow them down much, but bypassing it is slower and requires them to make contact with the vehicle, where they could be recorded or spotted). And finally, note that anyone with physical access to the vehicle while you're away can, potentially, hack it. In general, cars are not designed with security in mind (because it would add cost and most mitigations fall short, resulting in additional liability).


Cheers,
Spooky

Darren • May 24, 2017 12:20 AM

"It's only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on."

If you want to get inventive how about bricking all Uber, Lyft, and other self-driving taxis and then promising to release those of the company that pays the highest ransom.

I would hope that there would be a way to "factory reset" these systems and not need to pay the ransom ... but then it doesn't need to be about ransoms: an environmentalist group might brick all 4x4s but leave electric cars untouched to make a point for their cause.

Croft • May 24, 2017 12:45 AM

The problem here really boils down to one thing - doing these things can make you enormous sums of money. Now, especially, with things like cryptocurrency, avoiding the long arm of the law is also vastly easier than it was. Bitcoin and the like isn't a net good, it's a net evil, in my opinion - it makes converting illegality into money easier than ever.

At some point we have to start asking ourselves seriously what in our society is causing all this behavior, and when you do, you realize it's competition and capitalism that's to blame. Not just capitalism, mind you, every competition-based societal form with money (i.e., every major human society to date) will have this kind of behavior, and much more - including war, most other crime, pollution and so on, it's all driven by a profit motive at the end of the day.

At some point, we're going to have to stop thinking about how we can find more ways to react to all these miscreants, and instead start thinking of how we can change society so that people no longer can gain from this kind of extortion. It's doable - it just takes more radical solutions. Like retiring competition as our most basic paradigm, and moving to a system where we leverage our technological efficiency and create a world where we stop keeping score by using money, and instead just distribute the things people need to the people who need them, no questions asked. A resource-based economy is one concept that has been suggested.

Just reacting to yet another criminal doing yet another thing to make money the most logical way there is - by taking it from someone else - isn't going to get the job done, and that approach won't save us from global warming either.

Rachel • May 24, 2017 1:56 AM

Croft

'At some point, we're going to have to stop thinking about how we can find more ways to react to all these miscreants, and instead start thinking of how we can change society so that people no longer can gain from this kind of extortion. It's doable - it just takes more radical solutions. Like retiring competition as our most basic paradigm'

Nice to see someone think a little bigger
One can go further and consider selfishness as the essence of all problems, and work harder for a world not motivated by it


Spooky • May 24, 2017 2:18 AM

@ Bruce's essay,

One of the final points in the essay seems to overshadow the rest: consumers reliably provide financial incentives to manufacturers of inexpensive (and insecure) products. Because global economics favors this outcome, it will persist indefinitely. In a perverse way, perhaps these nasty, sustained waves of malware will eventually sway the economic balance and bring about the desired changes that the market (alone) could not. Expect that it will get far, far worse before it gets better.

Assigning financial liabilities to companies that write insecure software might be well-intentioned and it would serve to focus the attention of manufacturers and consumers where it probably needs to be, but it would certainly open a can of worms (and represent a never-ending payday for law firms). Why? No one writes secure software, or has ever written secure software. And no one builds secure hardware, or has ever built secure hardware. At least, if the narrow interpretation of the word secure is taken to mean: without exploitable flaws, weaknesses or bugs that could potentially harm the user of the product. Now, this is not to say that security cannot be vastly improved above its current abysmal state. But if we hold manufacturers to some Platonic ideal that has never been achieved in reality, the penalties serve no purpose (whereas, we want to encourage tangible improvements, transparency and perhaps a shred of accountability).

When the consequences of rampant insecurity become too painful (for economies and governments) to bear, you can expect the tide to slowly turn the other way...


Cheers,
Spooky

Clive Robinson • May 24, 2017 3:58 AM

@ K15, Spooky,

How old does your car have to be, to be unhackable?

It's a bit more complex than just "how old". You also need to ask "how expensive" it was when it was made "who designed it" and "where it was made".

You can actually buy new niche market cars that don't have all the electronic junk or the places to hide it.

However if you can forego air-con you can go for the European Classic like a VW Beetle or a number of Citroens, but perhaps not the 2CV. The thing is "classic cars" if they are more than 25 years old they will give you "Green Credibility" that a "hybrid" or "electric" car will not ever give you (batteries have a very limited life time and take a big chunk of energy to make or recycle currently so anything older than five years is going to be expensive and have a large carbon footprint).

Also the insurance on Classic Cars is likely to be cheaper if they are popular due to after market parts, and they tend not to devalue at the rate ordinary cars do.

Another area to look at is light commercial vehicles, with few exceptions they were always well behind on the luxury technology curve.

As for "designed" the auto industry has a dirty little secret, many well known auto manufacturers buy-in much of the internals you don't see such as drive chains/trains, suspension systems, safety systems etc etc which is where the bulk of the electronics that would be targets for ransomware or much worse malware are going to be. A little investigation as to which use the least technology due to good design may pay you dividends. It often surprises people when they find out the actual research, development and design of these unseen parts when the various "badge labels" are removed comes from the UK or Europe.

However American cars unless true classics are best avoided due to protective legislation brought in since the 80's to try and protect the US auto manufacturers from foreign imports. It's one of the reasons you really want to avoid SUV cars and similar.

Also there is an increasing "John Deere" attitude[1] where you are forced by the electronics to use only their "approved" service techs at a price and time delay that will make you weep. Such after sales lock-in has not been seen since the very bad old days of the Big Iron computer manufacturers where IBM got a very bad attitude of "Buy IBM or they will make sure you get fired".

Thus the real ransomware courtesy of the DMCA will be the manufacturer lock-in very much similar to the "walled garden" and "Pre-installed App" behaviour we see on Apple and Android systems.

[1] https://www.wired.com/2015/04/dmca-ownership-john-deere/

Werner Almesberger • May 24, 2017 4:01 AM

The cheapness of (many) IoT devices may not be that much of a protection. E.g., while one device may be cheap, it could still be expensive to replace, especially if it is integrated with other devices.

Also, some IoT devices come in large quantities, e.g., "smart" lamps, "smart" light switches, and so on, and an attack could try to extort a ransom for a group of such devices.

This brings us to what makes people more likely to pay. Reasons I could think of for people not paying are:
1) they don't pay ransom on general principles,
2) they don't care (maybe don't even know) about the damage,
3) they would pay, but they think the demand is too high,
4) they would pay, but can't afford it,
5) they would pay, but expect to fail somewhere along the process,
6) they try to pay, but fail somewhere along the process,
7) they don't trust the criminals to do the unlocking (after payment).

There's little the criminals can do about 1 and 2. 3 and 4 are easy to fix. If an on-going lock-out causes great discomfort, they could even remove it automatically after a while, or gradually lower the price.

We can see that 5 and 6 are already being addressed. Ransomware has every reason to be as "user friendly" as humanly possible.

I would expect that 7 is a major factor in whether victims decide to pay or not. If ransomware could somehow make the act of paying itself part of the unlocking key, and that act of payment sufficiently irreversible, the criminals could probably greatly increase their trustworthiness.

For example, they could offer partial unlocking for a very small amount. That would allow victims to give it a try without having to worry too much about 3, 4, 5, and 7. Once that small extortion has been successfully performed, victims would know that the process works, and thus be more willing to trust that unlocking the rest would work, too.

I wonder if we'll see some developments in this direction.

- Werner

Rachel • May 24, 2017 5:46 AM

Clive

really appreciate the valuable insights about cars without modern tech. It's just as relevant for those wishing to hire a car. People also wish to avoid bluetooth and wifi for health and sensitivity reasons.
From a vulnerability perspective many will have had the experience of turning on wifi on the phone when on the Kings (or was it Queens) Highway, and discovering the wifi names of various cars simultaneously on the road - and being able to identify exactly which car is which because the signals all have names like 'alfa3321'. Didn't quite check the number plates to see if they matched however.
Of course some of the famous Def Con / Blackhat videos have demonstrated this

There is a fiction book by Ranulph Fiennes - he of Arctic/Antarctic crossings fame. I wouldn't be surprised if you have shared a dinner table with him Clive. In it, old school IC methods for tampering with (old) vehicles to enable radio control accidents are explained.

Dirk Praet • May 24, 2017 6:14 AM

@ Windows Expert, @ outadoc

Because Windows update is broken for god alone knows what reason.

It is a common problem that affects all versions of Windows starting with Vista: the Windows Update process just remains stuck on the "searching for updates" screen forever. It usually happens when you haven't run Windows Update for quite a while. There are several workarounds available that may or may not solve the problem, but the easiest solution that always works is using an off-line updater tool called WSUS Offline Update.

Once all updates are installed, DISABLE automatic updates on your machine and set them to manual. After reboot, start the Windows Update utility manually. Wait for it to complete, which should take 15 minutes or less. When done, re-enable automatic updates. I've run into this problem countless times, and this method has never failed me once.

Optionally, download one of the many free utilities that disable telemetry services and the like. Some of them also get rid of the unwanted KB's that installed them.

Anon • May 24, 2017 6:48 AM

Design an untraceable payment system that makes money laundering easy and people will use it for criminal purposes. Bitcoin and its ilk make ransomware easy to operate, anonymously, and so it spreads. No bitcoin and ransomware becomes far harder.

Croft • May 24, 2017 7:05 AM

@Rachael, I don't think selfishness is a problem, though. I also don't think it's the core issue. This does bring us to more nebulous discussions, like "what is human nature - really?"; a famous anthropologist said it's much more created by our society than it is innate. Competition and the incessant quest for money and advantage literally brings out the worst in people. This isn't human nature, it's learned behavior. But yeah, I don't think we're ever going to solve issues like these when our society implicitly encourages criminality - not without changing society itself.

Clive Robinson • May 24, 2017 7:07 AM

@ Rachel,

Ranulph Fiennes ... I wouldn't be surprised if you have shared a dinner table with him

No but we once did have a near miss at a venue, he was heading for the little boys room as I was heading out and he had to do the avoidance foxtrot as I had a dodgy undercarriage and was on sticks (and I still am many years later). We exchanged the usual half jokes about "steam gives way to sail" and apologetic smiles as we manoeuvred, but that was all.

I do have a habit of "bumping into people" in unexpected places at unexpected times. Back when I was much fitter and more mobile I was doing a 16 mile charity walk around the Surrey Countryside and popped into a pub (Tanners Hatch) for lunch. On finding the order hatch I enquired "excuse me is this the end of the queue" to a lady who was effectively facing away, she turned and said brightly "yes it is" and it was to my surprise the actress Susannah York. As I normally do when such things happen I treated her as I would anyone else and thanked her and as many Britons do we chatted amiably about the --for once-- nice weather. However as far as actors go the most memorable was Tom Baker who larger than life literally bounded into me and bounced off coming out of a bookshop in London. As I helped him up we apologised, and he invited me to have a drink by way of an apology, we then disappeared to a select watering hole which few know of and spent the rest of the day drinking and chatting with a crowd of other actors and writers. What few know is that Tom Baker and Douglas Adams who were good friends had a friend in common The Honorable Lalla Ward, who was at a party organised by Douglas --where Tom was "bar tending"-- and met and later married Richard Dawkins FRS FRSL.

de La Boetie • May 24, 2017 7:33 AM

Until the day when "should" becomes law-with-penalties, you're on your own.

I can recommend partitioning your internal/soho network with a multi-port wrt or pfsense firewall, specifically to protect from the guest/iot/smartphone/network printer/voip ata/games machines whatever acting as an attack vehicle on things & systems you do care about and would find it hard to recover.

The other useful control is to run pretty much everything in virtual machines with limited/no access to the local network. Much easier to recover too.

Ransomware's particularly nasty because networked backups can get attacked just the same as live data, so at least have some offline backups available on rotation. I've been hoping for some commercial-based disk-firewall solutions with 2FA to become available, but am not aware of anything to date.

Werner Almesberger • May 24, 2017 10:27 AM

I wonder if the overall result of increased liability wouldn't actually be less security.

In traditional industries, cars, medical, plants, etc., a lot of investment into infrastructure and processes is required. These are assets worth defending, and thus it makes sense to try to reduce the risk of major liability claims. Also, since large investments imply concentration, the risks are often spread over many products or sites.

In other words, if, say, a major car manufacturer gets into this sort of trouble, they can probably survive the consequences, and liability can work as an incentive to try to avoid further mishaps.

Software is often the total opposite, and manufacturing (which requires tangible assets) is easily outsourced. If such a "lean" company is hit with a major liability case, it will simply fold. This not only means that the victims will not receive the compensation they may expect to get, but it also means that support for all the company's products is likely to stop immediately and for good.

Thus, you end up with even more vulnerable devices.

Attempts to make this more bullet-proof, e.g., by requiring insurance that could cover even major liability claims, would put small companies at a major disadvantage, since they spread the risk over very few products or services, which should drive up the insurance cost over revenue.

Worse, big players who fear abusive lawsuits motivated by their deep pockets may spin off risky endeavours into smaller companies, thus actually making the average small company a higher insurance risk.

- Werner

neill • May 24, 2017 12:07 PM

IoT manufacturers will never pay for security nor updates, since the end user is most likely to pick the cheapest device that does the job. since most devices come nowadays from Asian countries you won't be able to collect $ for damages anyways.

hence WE have to protect ourselves, with smart networks.

i don't even want passwords for my cameras, i don't need folks bothering me asking for those, when they want to view the cams.
those need to be viewed from two or three 'outside' IPs, but other than that, there's NO need for my cams trying to connect to anything else.

same for my (yet to be bought) smart fridge. it may want to inquire at 2 or 3 local frequently visited groceries to find the best deal on milk if need would be, but again, no need to connect to anything out-of-state or abroad.

my point is that we CAN have outdated, insecure devices, and happily use those, IF our 'bubble' is protected by either our network, or our ISPs. i'll happily give my ISP the authority to filter my traffic IF that keeps me safe and saves $ for me not setting up my own filters. they know anyways what i do online.

Fred • May 24, 2017 6:04 PM

For home users, the biggest design problem with IoT devices (aside from the lack of updates) is that, by default, many of them expose themselves to the internet by using uPnP to tell the consumer router/firewall that they are hosting internet services.
Mirai would have had very few victims if that hadn't been the case.
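Fred's point is one a home user can check on their own router rather than take on faith. The block below is an added example (mine, not Fred's and not any router vendor's code) of the protocol exchange involved: the client asks the IGD's WANIPConnection:1 service for the GetGenericPortMappingEntry action with NewPortMappingIndex 0, 1, 2, ... and parses each reply until the router answers with a SOAP fault carrying UPnP error 713 (SpecifiedArrayIndexInvalid). Actually posting the request to a router's control URL is left out; the responses embedded here are constructed so the block runs offline, and the two conditions it flags (a mapping open to any Internet source, and a permanent lease) are my own choice of what is worth a home user's attention.

```python
"""Parse and audit UPnP IGD port-mapping replies (added example, offline).

A real client would POST build_request(i) to the router's WANIPConnection
control URL for i = 0, 1, 2, ... and feed each reply to parse_port_mapping
until it returns None (the SOAP fault that ends the table).
"""
import xml.etree.ElementTree as ET

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed reply: a LAN camera exposed on external port 8080, to anyone, forever.
SAMPLE_MAPPING_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>8080</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>IP Camera</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body>
</s:Envelope>"""

# Constructed fault: what the router sends once the index runs past the table.
SAMPLE_FAULT_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><s:Fault><detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
<errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>
</UPnPError>
</detail></s:Fault></s:Body>
</s:Envelope>"""


def build_request(index):
    """SOAP body asking the IGD for the mapping at table position `index`."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP_NS}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_port_mapping(xml_text):
    """Return a dict for one mapping, or None if the reply is a SOAP fault."""
    root = ET.fromstring(xml_text)
    # All argument elements are named New<Something>; a fault has none of them.
    fields = {_local(el.tag)[3:]: (el.text or "").strip()
              for el in root.iter() if _local(el.tag).startswith("New")}
    if "ExternalPort" not in fields:
        return None
    return {
        "remote_host": fields.get("RemoteHost", ""),    # "" means any source
        "external_port": int(fields["ExternalPort"]),
        "protocol": fields.get("Protocol", ""),
        "internal_client": fields.get("InternalClient", ""),
        "internal_port": int(fields["InternalPort"]),
        "enabled": fields.get("Enabled") == "1",
        "description": fields.get("PortMappingDescription", ""),
        "lease_seconds": int(fields.get("LeaseDuration") or 0),  # 0 = permanent
    }


def audit_mapping(m):
    """Findings for one mapping; an empty list means nothing worth flagging."""
    findings = []
    if not m["enabled"]:
        return findings
    if m["remote_host"] == "":
        findings.append("accepts connections from any Internet address")
    if m["lease_seconds"] == 0:
        findings.append("permanent mapping: stays open until explicitly removed")
    return findings


def audit_responses(responses):
    """Walk replies in index order, stopping at the first fault."""
    report = []
    for reply in responses:
        m = parse_port_mapping(reply)
        if m is None:
            break
        report.append((m, audit_mapping(m)))
    return report
```

The same walk works against a real router once the replies come from HTTP POSTs to its control URL; disabling UPnP on the router, or at least reviewing the table it prints, is the mitigation Fred's comment points at.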

Spooky • May 24, 2017 9:15 PM

One possible distillation of Internet browsing workstation security, in a nutshell:

1) disable all unused services, esp. those bound to the network; goal: no open ports
2) disable ping replies (dodge simple scans)
3) use your firewall, keep it simple: block all in, pass all out, keep state (or equiv)
4) sandbox your web browser using any means available (VM, VBox, Sandboxie, chroot)
5) check email with a sandboxed browser; never click embedded links; scan files
6) optional vpn + dnscrypt/dnssec, etc.

If you were just going to limit people to 5 or 6 essential rules, I think these might suffice. You could easily add a million others, depending on context. When you have no unfiltered services at all listening on the public network interface, that is a pretty good feeling. Common attacks at that point are mostly limited to smashing the tcp/ip stack and browser vulnerabilities (with the browser sandboxed, locked down and refusing to execute arbitrary javascript). All versions of Windows, from 95 OSR 2.1 up to Windows 7 (prior to the Windows 10 / Telemetry backports) were fairly easy to secure with this methodology (with pre-XPSP2 releases requiring an external firewall, though no network services are bound). Ditto for Linux, BSD and MacOS X.

Not sure whether these rules can ever be made to apply to Window 8 or 10; rules 4-6 should be fine. I think MS has got its hooks in too deep for Windows to ever be considered usable, safe or under the firm control of the person who actually bought the computer. Even if you could bend it to your will by degrees, you'd never be safe from Microsoft itself.

Anyway, just a few random thoughts on a good default approach/config that would have dodged the recent SMB ransomware...


Cheers,
Spooky
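Rule 1 in Spooky's list ("no open ports") is easy to state and easy to get wrong, so here is an added example (mine, not Spooky's or the blog's) that audits a Linux host for it. It parses the text printed by `ss -tulpn` and flags every TCP listener or bound UDP socket whose local address is not loopback, i.e. reachable from the network. The sample output embedded in the block is constructed for the example; `audit_live_host()` runs the real command.

```python
"""Audit listening sockets against the "no open ports" rule.

Added example, not code from the original post. Parses the format printed
by `ss -tulpn` on Linux and reports every socket bound to a non-loopback
address, which is what an attacker on the network can actually reach.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `ss -tulpn` output: a header line plus five sockets.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      511    [::]:80             [::]:*            users:(("nginx",pid=1200,fd=6))
tcp   LISTEN 0      128    192.168.1.10:445    0.0.0.0:*         users:(("smbd",pid=1500,fd=40))
"""

# Matches the first ("name",pid=...) entry in the Process column.
PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def split_local_address(field):
    """Split an ss 'Local Address:Port' field into (address, port).

    Handles '0.0.0.0:22', '[::]:80', '*:443' (older ss prints '*' for the
    IPv6 wildcard) and '127.0.0.53%lo:53' (interface-scoped address).
    """
    addr, port = field.rsplit(":", 1)
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def is_exposed(addr):
    """True if a socket bound to this address is reachable from the network."""
    if addr in ("*", ""):          # wildcard: every interface
        return True
    ip = ipaddress.ip_address(addr)
    return not ip.is_loopback      # 127.0.0.0/8 and ::1 are host-local only


def parse_ss_output(text):
    """Return one dict per listening TCP / bound UDP socket in ss output."""
    listeners = []
    for line in text.splitlines()[1:]:           # skip the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        netid, state, _recvq, _sendq, local, _peer = parts[:6]
        if state not in ("LISTEN", "UNCONN"):    # TCP listeners, bound UDP
            continue
        addr, port = split_local_address(local)
        match = PROCESS_RE.search(line)
        listeners.append({
            "proto": netid,
            "addr": addr,
            "port": port,
            "process": match.group(1) if match else "?",
            "exposed": is_exposed(addr),
        })
    return listeners


def exposed_listeners(text):
    """Only the sockets that violate the 'no open ports' goal."""
    return [s for s in parse_ss_output(text) if s["exposed"]]


def audit_live_host():
    """Run ss on this machine (Linux only) and audit its real output."""
    out = subprocess.run(["ss", "-tulpn"], capture_output=True, text=True,
                         check=True).stdout
    return exposed_listeners(out)


if __name__ == "__main__":
    for s in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {s['proto']}/{s['port']:<5} {s['addr']:<15} {s['process']}")
```

On the constructed sample the audit flags sshd on 0.0.0.0:22, nginx on [::]:80 and smbd on 192.168.1.10:445, and leaves the loopback-bound resolver and CUPS alone; the smbd line is the kind of listener rule 3's "block all in" firewall policy is meant to cover when it cannot simply be disabled.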

aeon • May 24, 2017 9:34 PM

There is a simple fix for the IoT issue: it is that the sheeple learns to think for themselves and stop wasting their money and time on the devices.

Humankind has existed for thousands of years without the garbage. The fact is that not a single one of them provides anything that you cannot easily live without. At the best they are just convenience tools for the ultra-lazy.

At the worst, a dumb "show off" or "conversation piece" for those who cannot think of anything to talk about otherwise.

In fact if people stopped buying IoT devices today, the companies that produce them would be out of money and business by the end of next year.

Mark • May 25, 2017 2:15 AM

Clickbait scare stories.

Embedded devices aren't computers and don't play by the same rules as conventional devices.

Embedded devices are more akin to a Chromebook where the entire OS is digitally signed and read-only at runtime, user preferences and "apps" are stored in secure sandboxes and nothing can modify the readonly runtime.

Nobody has ever made any significant headway into hacking and persisting malware on a Chromebook, let alone encrypting user data via ransomware.

Embedded devices are far closer to this working model, desktop computers are wide open. Let's not pretend everything is the same. Anyone else saying they are, well they either shouldn't be calling themselves a security researcher. Or are just fishing for clickbait.

ats • May 25, 2017 3:17 AM

The reality is the easiest way to prevent ransomware is to remove the payment system. Ransomware only exists because of illicit currency such as bitcoin. Bitcoin serves basically no real viable purpose except for illegal activities which it enables via its anonymous nature and irreversibility and ease of transfer to/from legitimate currency systems. Remove any of those and the payment method for ransomware collapses. The easiest option is to simply remove the ease of transfer via the existing banking systems.

Clive Robinson • May 25, 2017 4:55 AM

@ Mark,

Embedded devices are more akin to a Chromebook

If only that were true, most embedded systems are still based on MCUs that can not support that model. Further many that do have MCUs capable of supporting it tend to follow a *nix model, and run in RAM not from PROM.

As for the majority of signature systems they are used to prevent PROM updates etc. Those that are used in the run-time environment only check the signature on "loading into RAM". Thus after loading the only protection against modification is the MMU, if and only if it is setup correctly, which with boilerplate *nix systems churned out in vast quantities is often not the case.

After all ask yourself the question of why both Apple and Android smart phones / pads etc get "rooted" as often as they do...

I can not see any IoT developers of white goods, entertainment systems or household infrastructure actually going the several country miles extra distance even if they wanted to because management won't take the cost hit against the meagre profit on low value FMCE.

albert • May 25, 2017 11:46 AM

@ats,

How do you propose to 'remove' Bitcoin?

What is an "illicit currency"?

. .. . .. --- ....

ats • May 25, 2017 1:19 PM

You remove bitcoin for all practical purposes by removing portability to other currencies. If no bank will complete a transaction to bitcoin nor complete a transaction for anyone who will, bitcoin dies. Bitcoin does not have its own market, it is merely used for obfuscation of transactions primarily by actors who cannot conduct business in a legit currency.

And illicit currency is any currency without oversight and transactional protection.

Once again, literally the only reason for bitcoin at this point is illicit activities and speculation of the value of the currency based off those illicit activities. There is zero reason to use any cryptocurrency for any legitimate transaction over national currency systems from either a buyer or seller perspective.

Clive Robinson • May 25, 2017 5:33 PM

@ ats,

There is zero reason to use any cryptocurrency for any legitimate transaction over national currency systems from either a buyer or seller perspective.

Oh I can see plenty of quite legitimate reasons, one of which is "privacy at a distance" that is for quite a few good reasons you want to do the equivalent of "buy with cash" which is considered normal behaviour in most places.

Further cryptocurrency is a way to avoid the pariahs that are the banking industry. Have a look at what it would cost you in credit card fees, exchange fees etc for "buying from abroad" with a credit card.

Also there is a security aspect to crypto currencies, like cash you can only lose what you hand over. Credit Cards and Debit Cards however can turn into an endless nightmare if used online from some jurisdictions.

So your "zero reason to use any cryptocurrency for any legitimate transaction" is quite the falsehood.

gordo • June 12, 2017 4:47 PM

Lawmakers to hold hearing on ‘Wanna Cry’ ransomware attack
BY MORGAN CHALFANT - 06/12/17 The Hill

House lawmakers on Thursday will hold a hearing examining the “Wanna Cry” ransomware attack that spread to more than 150 countries and dealt a crippling blow to Britain’s national health system last month.


The hearing is the first focusing on the ransomware, which broke out in mid-May and forced the Trump administration to convene emergency meetings to manage the damage. The impact of the ransomware, which exploited a vulnerability in Microsoft Windows, was minimal in the United States when compared to other nations.

Members on two subpanels of the House Science Committee will hear testimony from individuals inside and outside the government about how the U.S. can better protect its systems against similar attacks.

http://thehill.com/business-a-lobbying/337440-lawmakers-to-hold-hearing-on-wanna-cry-ransomware-attack

Hearing page:
https://science.house.gov/legislation/hearings/joint-subcommittee-oversight-and-subcommittee-research-and-technology-hearing

Hearing charter:
https://science.house.gov/sites/republicans.science.house.gov/files/documents/HHRG-115-SY21-20170615-SD001.pdf
