The next ransomware attack will likely be worse than WannaCry warns security tech and author
The most recent cyberattack affected more than 230,000 computers around the world, but what will happen when the Internet of Things is targeted?
PUBLISHED : Wednesday, 17 May, 2017, 1:00pm
UPDATED : Friday, 19 May, 2017, 5:40pm
Related topics
Ransomware isn’t new, but it’s increasingly popular and profitable.
The concept is simple. Your computer is infected with a virus that encrypts your files until you pay a ransom.
The criminals provide step-by-step instructions on how to pay, sometimes even offering a helpline for victims unsure how to buy bitcoin. The price is designed to be cheap enough for people to pay instead of giving up: a few hundred dollars in many cases. Those who design these systems know their market, and it’s a profitable one.
Why ransomware is a big threat for computer users, and how to prevent attack
WannaCry is the latest headline-making ransomware that has affected computer systems in more than 150 countries and cities including Hong Kong. At least 30 local cases were reported last week to have been infected by the virus, according to the Hong Kong Computer Emergency Response Team. China was hit harder, with 30,000 organisations reportedly affected.
Worst of WannaCry may be over but the ‘cyberattack game has changed’
WannaCry doesn’t seem to be any more virulent or more expensive than other ransomware.
But it does have an interesting pedigree. It’s based on a vulnerability developed by the National Security Agency that can be used against many versions of the Windows operating system. The NSA’s code was, in turn, stolen by an unknown hacker group called Shadow Brokers – widely believed by the security community to be Russian – in 2014 and released to the public in April.
US government’s hacking tools may end up with criminals
Microsoft patched the vulnerability a month before, presumably after being alerted by the NSA that the leak was imminent. But the vulnerability affected older versions of Windows that Microsoft no longer supports, and there are still many people and organisations that don’t regularly patch their systems. This allowed whoever wrote WannaCry – it could be anyone from a lone individual to an organised crime syndicate – to use it to infect computers and extort users.
The lessons for users are obvious: keep your system patches up to date and back up your data regularly. This isn’t just good advice to defend against ransomware, but good advice in general. But it’s becoming obsolete.
Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and national power grid are all computers. This is the much-hyped Internet of Things. It’s coming, and faster than you might think. And as these devices connect to the internet, they become vulnerable to ransomware and other computer threats.
It’s only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost US$200 in bitcoin to turn it back on. Or a similar message on their phones about their internet-enabled door lock telling them to pay US$100 if their want to get into their house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.
This isn’t just theoretical. Researchers have already demonstrated a ransomware attack against smart thermostats, which may sound like a nuisance at first but can cause serious property damage if it’s cold enough outside. If the device under attack has no screen, you’ll get the message on the smartphone app you control it from.
Thinxtra to roll out Internet of Things network in Hong Kong next year
Hackers don’t even have to come up with these ideas on their own; the government agencies whose code was stolen were already doing it. One of the leaked CIA attack tools targets internet-enabled Samsung smart televisions.
Even worse, the usual solutions won’t work with these embedded systems. You have no way to back up your refrigerator’s software, and it’s unclear whether that solution would even work if an attack targets the functionality of the device rather than its stored data.
These devices will be around for a long time. Unlike our phones and computers, which we replace every few years, cars are expected to last at least a decade. We want our appliances to run for 20 years or more, our thermostats even longer.
What happens when the company that made our smart washing machine – or just the computer part – goes out of business, or otherwise decides that they can no longer support older models?
WannaCry affected Windows versions as far back as XP, a version that Microsoft no longer supports. 
The company broke with policy and released a patch for those older systems, but it has both the engineering talent and the money to do so.
That won’t happen with low-cost internet-of-things devices.
Those devices are built on the cheap, and the companies that make them don’t have the dedicated teams of security engineers ready to craft and distribute security patches. The economics doesn’t allow for it. Even worse, many of these devices aren’t patchable.
Remember last autumn when the Murai botnet infected hundreds of thousands of internet-enabled digital video recorders, webcams and other devices and launched a massive denial-of-service attack that resulted in a host of popular websites dropping off the web? Most of those devices couldn’t be fixed with new software once they were attacked. The way you update your DVR is to throw it away and buy a new one.
Solutions aren’t easy and they’re not pretty. The market is not going to fix this unaided. Security is a hard-to-evaluate feature against a possible future threat, and consumers have long rewarded companies that provide easy-to-compare features and a quick time-to-market at the expense of protection.
We need to assign liabilities to companies that write insecure software that harms people, and possibly even issue and enforce regulations that require companies to maintain software systems throughout their life cycle. We may need minimum security standards for critical devices.
And it would help, in the US, if the NSA got more involved in securing our information infrastructure and less in keeping it vulnerable so the government can eavesdrop.
I know this all sounds politically impossible right now, but we simply cannot live in a future where everything – from the things we own to our nation’s infrastructure – can be held for ransom by criminals again and again.
The Washington Post
Schneier is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
This article appeared in the South China Morning Post print edition as: cry, cry again
Most Popular
Viewed
- 1
![The piano duo of Jennifer Rüth (left) and Ming, known as the Queenz of Piano, who will perform their dynamic acrobatic musical show, mixing classical, pop and rock music in Hong Kong on November 17.]( "The piano duo of Jennifer Rüth (left) and Ming, known as the Queenz of Piano, who will perform their dynamic acrobatic musical show, mixing classical, pop and rock music in Hong Kong on November 17.")
- 2
![A Chinese tourist frolics with a cabaret performer at ZAG, a gay bar in Thailand’s southern tourist destination of Phuket. Photo: AFP]( "A Chinese tourist frolics with a cabaret performer at ZAG, a gay bar in Thailand’s southern tourist destination of Phuket. Photo: AFP")
- 3
![From monitoring sales to researching seat layouts, it’s possible to fly business if you plan ahead]( "From monitoring sales to researching seat layouts, it’s possible to fly business if you plan ahead")
- 4
![High-profile couples such as French President Emmanuel Macron and his wife Brigitte are proof the older woman/younger man couple can work, but they remain a rarity in Hong Kong and Asia – unlike sugar daddies]( "High-profile couples such as French President Emmanuel Macron and his wife Brigitte are proof the older woman/younger man couple can work, but they remain a rarity in Hong Kong and Asia – unlike sugar daddies")
- 5
![‘Tree of Codes’, a free-form contemporary ballet, is a bold bid to create a new artwork. Photo: Ravi Deepres]( "‘Tree of Codes’, a free-form contemporary ballet, is a bold bid to create a new artwork. Photo: Ravi Deepres")
Shared
- 1
![The piano duo of Jennifer Rüth (left) and Ming, known as the Queenz of Piano, who will perform their dynamic acrobatic musical show, mixing classical, pop and rock music in Hong Kong on November 17.]( "The piano duo of Jennifer Rüth (left) and Ming, known as the Queenz of Piano, who will perform their dynamic acrobatic musical show, mixing classical, pop and rock music in Hong Kong on November 17.")
- 2
![‘Tree of Codes’, a free-form contemporary ballet, is a bold bid to create a new artwork. Photo: Ravi Deepres]( "‘Tree of Codes’, a free-form contemporary ballet, is a bold bid to create a new artwork. Photo: Ravi Deepres")
- 3
![Marfan syndrome sufferer Lai Sai-yu (left), 16 – who has undergone heart surgery at the Hong Kong Adventist Hospital – Stubbs Road to improve her condition – with her father, Lai Chi-leung, who was told soon after her birth that she may not live long. Photo: Ali Ghorbani]( "Marfan syndrome sufferer Lai Sai-yu (left), 16 – who has undergone heart surgery at the Hong Kong Adventist Hospital – Stubbs Road to improve her condition – with her father, Lai Chi-leung, who was told soon after her birth that she may not live long. Photo: Ali Ghorbani")
- 4
![From monitoring sales to researching seat layouts, it’s possible to fly business if you plan ahead]( "From monitoring sales to researching seat layouts, it’s possible to fly business if you plan ahead")
- 5
![A Chinese tourist frolics with a cabaret performer at ZAG, a gay bar in Thailand’s southern tourist destination of Phuket. Photo: AFP]( "A Chinese tourist frolics with a cabaret performer at ZAG, a gay bar in Thailand’s southern tourist destination of Phuket. Photo: AFP")
Commented
- 1
![After one of the most powerful storms on record to hit the city, suspensions and delays mean confusion and long waits for residents]( "After one of the most powerful storms on record to hit the city, suspensions and delays mean confusion and long waits for residents")
- 2
![China’s ambassador to Sweden Gui Congyou wants a meeting with local authorities to discuss the alleged mistreatment of the Chinese tourists. Photo: Handout]( "China’s ambassador to Sweden Gui Congyou wants a meeting with local authorities to discuss the alleged mistreatment of the Chinese tourists. Photo: Handout")
- 3
![If the US does go ahead with tariffs on US$200 billion of Chinese goods, they will be the biggest round since the first batch on Chinese exports in July. Photo: Reuters]( "If the US does go ahead with tariffs on US$200 billion of Chinese goods, they will be the biggest round since the first batch on Chinese exports in July. Photo: Reuters")
- 4
![The Japanese submarine Kuroshio took part in military exercises in the South China Sea. Photo: Handout]( "The Japanese submarine Kuroshio took part in military exercises in the South China Sea. Photo: Handout")
- 5
![Taiwan has been trying for readmission to the United Nations since 1993 but has recently changed tactics with the launch of a charm offensive by officials and a letter-writing campaign to the world’s media. Photo: AFP]( "Taiwan has been trying for readmission to the United Nations since 1993 but has recently changed tactics with the launch of a charm offensive by officials and a letter-writing campaign to the world’s media. Photo: AFP")
You may also like
How you can protect your smart devices from cyberattack
In partnership with: HKT PREMIER
The Role of Philanthropy in Building a Sustainable City
Brought to you by: The Hong Kong Jockey Club Charities Trust
Comments: