‘Ransomwear’: holding your watch and other wearable tech hostage
Will hackers try out ransomware on your smart clothes and implanted medical devices?
Your $350 Apple watch is right there on your wrist. But malicious hackers have locked it up with ransomware, making it as good as a (very light) brick strapped to your arm.
How much would you pay to get it back—one dollar, five dollars, even twenty?
Some cybersecurity experts say this con could become one of the next steps in Internet crime, if crooks can get “ransomwear”—ransomware on wearable technology—to pay off in big numbers.
“Barring a massive uptick in resourcing for effective cybercrime deterrence, we will eventually see ransomware on wearables and elsewhere within the Internet of Things,” said Stephen Cobb, senior security researcher at cybersecurity company ESET.
Your money or your life
As we move our tech from our desks to our hands and now onto—and into—our bodies, we may give cyber hostage takers more incentive to take a successful scheme like ransomware to the next level.
They have so much to choose from, like smart glasses used by Olympic athletes to train for gold, smart suit jackets that can pay your bill with the swipe of a cuff, and smart medical machines implanted inside your body to help you live.
Those medical devices may end up at the top of some attackers’ target lists.
“If an attacker were to gain control over those, well, then how big would the ransom be?” asked Vincent Berk, CEO of network security company FlowTraq. “‘I’m in your pacemaker software—pay $100k now or the thing is going triple-speed at midnight tonight.’ Scary.”
Watch your watches
If the crooks turn to wearables, they may start with what’s on your wrist, according to security researcher Lysa Myers, also at ESET.
“The most likely scenario would be devices that use already-popular operating systems, like smart watches,” Myers told Archer News.
“This option would represent the lowest cost of development, as smart watches function in many ways like the phones and tablets their architecture is based on,” she added.
If the bad guys cook up a ransomware attack for popular devices like watches, they could hit a lot of people for less cost up front, and more profit on the other side.
Some see roadblocks for hackers who want to make money off your watch. Would you pay to get the data back from your wearable?
“To be honest, the kinds of files you’d have on your wearable are typically not that enticing for ransomware, plus there will likely be another copy on your primary device,” said Berk. “So as a target for ransomware, it is not that interesting.”
You may not care about the info on your wearable device—though elite athletes training for the Olympics might—but what about the device itself? Would you pay a few bucks to quickly and easily get it back?
“What if the ransom to unlock an iPhone or smart watch is significantly less than cost of the vendor solution?” asked the authors of an Institute for Critical Infrastructure Technology report, which predicts that 2016 will be the year so-called “locker” ransomware gains strength, in part because of the rise of wearable tech.
“What if the ransom is low enough (say $0.99) that users are willing to pay the ransom because it is more convenient than finding a software solution and then learning how to deploy it on the locked device,” the report said.
A factory reset might save the day—or the device—for some of us.
“Some ransomware might lock IoT [Internet of Things] devices in the future, but this would not be a threat that is valid for all devices,” said Professor Engin Kirda with the College of Computer and Information Science at Northeastern University. “Some devices have a ‘reset to factory settings’ button. In such cases, the device would be easy to reset.”
Still, hackers may be able to find a way to keep you from hitting “reset,” or trigger panic so you don’t think about your options.
“In short, ransomware will target wearables if the tech is expensive (and cannot be set to factory default or if the victim does not know how…), ubiquitous, and interconnected,” ICIT co-founder and report co-author James Scott said to Archer News.
Some crooks wouldn’t even need real ransomware, Kirda suggested. They could fake it until you paid up, for example, with a Pebble watch.
“Depending on the wearable, you could try to lock the display with a message and fool the user into thinking that the device firmware has been infected and the Pebble will be rendered unusable unless a ransom amount is paid,” he told Archer News.
Hackers have already tried with smartphones, according to a post by 9to5 Mac. Users reported seeing this message on their iPhones:
“This device is locked. Unlock 50$. Email for details: firstname.lastname@example.org.”
It wasn’t true ransomware—instead, the extortionists had hacked their Apple IDs and locked their phones, hoping the owners wouldn’t be able to find a way out.
Ransom message from iPhone attack.
The price you pay for your wearable goes up as your need for that device increases, and the bad guys know that.
That’s why ransomware on the wearables that help keep you alive is a “major concern” for some experts, especially as we use those devices more and more. You might pay for crucial data on your health, and you might pay to keep the device from killing you.
Would the hackers actually kill you?
Maybe not. As Myers pointed out, if they kill you, they can’t extort you. But you might not feel comfortable taking that chance.
“The hijack could be very dangerous if we actually started to rely on the devices—which to some degree has already happened,” said Berk. “For instance, pacemakers, insulin pumps and other medical devices that apply some kind of treatment automatically.”
Security researchers found that they could hack a wireless insulin pump to deliver lethal doses, said Lawrence Abrams with Bleeping Computer—one of many ways a ransomware hacker could wreak havoc on people’s health.
“Also, many medical devices, such as X-ray machines, are now connected to a network and could potentially be infected with ransomware that encrypts the digital X-rays, or, even worse, delivers higher levels of radiation than normal,” said Larry Abrams with BleepingComputer.
And if that sounds too hard for a hacker, there could be an easier way, Berk suggested.
“The hack wouldn’t necessarily need to be the medical device. Instead it could be the iPhone that it is virtually tethered to,” he said.
When will ransomwear hit your wearable? That depends on when the bad guys figure out a way to make more money off of your wearable tech than what they’re making now with regular ransomware, according to Cobb.
“The return on investment on developing and deploying a new form of ransomware will need to exceed that offered by current schemes that target valuable files that have not been properly archived,” Cobb said.
“However, we may see early experimentation in this space, looking to discover how much people will pay to unlock their digitally hijacked wearables,” he added.
Concern for the future
For now, you may not see a ransom note on your watch, or your smart jacket or smart bra. But it may be coming.
“I don’t see ransomware as being a big deal for wearables any time soon,” said Joe Hall, chief technologist at the think tank Center for Democracy and Technology.
“It’s definitely a concern for the future as if wearables don’t use serious security engineering in their design, they may be one hop away from either infecting a mobile device with malware or, more likely, eavesdropping on communications of the device and other data resident on the device, e.g., all the photos, contacts, etc. you have,” Hall explained.
We may be encouraging cyber criminals by connecting ourselves more, and giving our tech more power and more data.
“Vending machines have more processing power and network connectivity these days than my laptop did ten years ago,” said Berk.
Don’t be surprised, then, if that future smart hand implant you buy comes with a new criminal “tax”—a fee of sorts to set it free so you can actually use it and the data it gathers.
“Ultimately, as more and more of our world becomes connected, the risks associated with these connected devices increase dramatically,” said Abrams.