By Phil Reitinger
You have heard of the word “brick.” Those fired clay blocks used to build houses. In this case, however, the word doesn’t mean what you think it means. But the new bricks – hacked devices that fail – may be just as numerous as the bricks you know.
Last year, 2016, was the year of cyber extortion. Ransomware, which encrypts data or renders a device unusable pending a “ransom” payment to the attacker, took off, fueled by vulnerabilities in software and anonymous monetization mechanisms like bitcoin that made making money from online extortion double-click easy. Hospitals, banks, small businesses, and individuals all suffered. But ransomware is just one form of cyber extortion – besides encrypting data or locking a phone, a hacker could also threaten to attack a business or disclose data obtained through a prior intrusion. Widespread vulnerabilities, combined with easy monetization, is an equation that drives soaring cybercrime.
2016 was also the year when everyone from grandparents to toddlers started confidentially and with trepidation to talk about the Internet of Things (IoT). Many factors led to this – one of them was the Mirai botnet, a massive collection of infected IoT devices like security cameras that was used to launch denial-of-service attacks on targets from a reporter to an infrastructure provider. With denial-of-service attacks that can exceed one terabit per second, few were immune from having their online business and communication shut down, if temporarily.
So back to “brick.” “Brick” is old tech-slang for turning a computer (or device) into a brick – that is, a block of useless, non-functioning hardware. It happens accidentally all the time. You mess up the firmware update on your computer or router, and you may find you have a device that can only be fixed (if then) by special equipment or prying some chips off a circuit board. You bricked it. Of course, these sorts of attacks on firmware, and the potential to brick devices, have been known for a long time.
Then just a few weeks ago, the concepts of “brick” and “IoT” came together in the widely reported story of how an LG smart TV had been infected with Android ransomware intended for a phone. Because the infected device was a TV that may have lacked the ability to click through and allow the victim to pay the ransom, it isn’t clear that ransom could be paid and the device fixed. It would be a brick. All ended well here, because a factory reset using diagnostic mechanisms recovered the device, but in the case of many or most IoT devices, such a reset may not be possible.
While this was an accident, there is no reason to believe that future attacks on IoT devices won’t be designed to brick them. There may be more obvious attack vectors, such as building a botnet of IoT devices for denial-of-service, or spying on people or corporations (in the case of certain smart devices). One can ask why an attacker other than a nation state, terrorist, or hacktivist would brick a whole passel of devices when there are more profitable activities to be undertaken.
The answer is where we started – cyber extortion. Causing massive, senseless damage is irrational only when there isn’t someone who will pay to prevent it. Many companies would pay to recover their data if encrypted, and how many more would pay to avoid a wholesale destruction of distributed products? Certainly, for a medical or traffic safety device company, that could be an existential crisis.
Lastly, even if governments banned anonymous payment mechanisms, there are other ways to monetize cyber destruction. The Galaxy Note 7 at least temporarily caused Samsung to lose $18 billion or more in market valuation. What if that had been a software problem? You can imagine a device, whether a phone, medical device, or something else with a vulnerability, which could be attacked and bricked across a significant customer base causing billions of dollars in damage. That’s a lot of bitcoins, so instead the hacker shorts the stock (ring a bell?) and extracts his or her value.
We live in a brave new world.
The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.