A report from the United Kingdom’s National Crime Agency and new National Cyber Security Centre warns that Internet of Things devices will increasingly be used against their owners as botnet and ransomware attacks rise.
The report, released on Tuesday, focuses on cyber threats to UK businesses but includes a section about Internet of Things devices, which, it says, “present a growing threat to the functioning of the Internet” as well as to individuals who may find their devices locked up and information inaccessible until they pay a fee for its release. Devices with “less secure software” and default passwords that can’t be changed were particularly at risk.
“Huge numbers of insecure devices can easily be found online,” the report says.
In recent years, as Internet of Things devices rise, so too have security flaws and hacks associated with them, from thermostats to dildos to toys. In 2016, thousands of them were unwittingly enlisted into an army of bots that went after a domain name system service, taking large swathes of the internet down. The report predicts that 2017 will see the ransomware attacks that have plagued businesses and institutions target individuals through their internet connected devices, from TVs to those popular fitness trackers, locking away data with more sentimental value than anything else — but a sentimental value that will result in paid ransoms nonetheless. And criminals don’t need to have much knowledge of how the devices work to successfully infiltrate them.
“Easy access to offensive cyber capabilities, such as ransomware or DDoS, has allowed individuals and groups to have an impact disproportionate to their technical skill,” the report says. “This year has seen attacks carried out against UK-based companies, that despite requiring little skill caused considerable disruption and were widely reported on by international media
As Vocativ has reported, there are places that offer custom-built ransomware. And there may not be much recourse for the victims; currently, the report notes, hackers are increasingly difficult to track and customer service for infected devices may not be very helpful, leaving victims with the choice of paying up or losing their data forever. If that data includes, say, irreplaceable family photos, it’s pretty clear which choice they will make.
The report says that “the situation is likely to improve eventually,” but for now the best recourse may be to recall insecure devices vulnerable to hacks and for the UK government to promote the importance of securing devices and create security standards devices must meet before they can be sold in the country.
But even that won’t be good enough, the report says, as there are already millions of insecure devices out there, waiting to be attacked until they are either replaced or break down. And a largely uninformed public that continues to use them isn’t helping anything.
“Malware authors will continue to exploit [devices] to mount attacks and will continue working to find fresh vulnerabilities,” the report says. “The ‘botnet of things’ will present a serious challenge to cyber security for a considerable time to come.”
