The growing cyber threat of ransomware could be turned against connected systems with the potential to bring a smart city to a grinding halt
Last year ransomware saw everything from family photo archives to business networks targeted by cyber criminals demanding bitcoins to set your data free. Then, out of the shadows, emerged concerted attacks with higher ransoms as hospitals and local councils were in the crosshairs. But why stop there? What if ransomware went after a whole smart city?
Back in 2007, Bruce Willis experienced the chaos that ensues when all the traffic lights are set to green by hacking villains in the Die Hard 4.0 movie. A decade on and real life promises just as much city-wide disruption if the bad guys get their way.
“If hackers had control of traffic lights this would affect everything, from the economic impact of preventing employees getting to work, to safety consequences of an immobilised emergency services,” warns Peter Godden, vice president for Europe, the Middle East and Africa at disaster recovery specialists Zerto.
But internet-connected traffic lights; is that a real-life concern?
Global technology research company Gartner predicts that within just two years some 50 per cent of citizens in cities with a population of a million or more will benefit from smart city programs. Driven in no small measure by the internet of things, we will see cities where connected “things” vastly outnumber the human population.
“Smart traffic lights that adapt to traffic conditions to help improve flow and vehicles that communicate with central hubs are all in development,” cyber-security expert Ben Silverstone at Arden University points out.
Crucially, these must be connected to a network at some point and this makes them vulnerable to attack. Equally crucially, traffic lights don’t currently fall under the critical national infrastructure umbrella and so are not protected from attack to the same degree as utilities such as electricity, gas and water.
How cyber crime works
Not that it really matters when well-resourced actors can access the Democratic National Committee’s e-mails during a US presidential election campaign. Doing so using nothing more complex than a spear-phishing attack – targeted e-mails with a malware payload – shows that people are the biggest danger when it comes to large-scale cyber attacks. Even, says Dr Silverstone, attacks that can disable key infrastructure on a city-wide basis. “People have what it takes to become the small crack in the door needed to cause such havoc,” he says.
Weaponised e-mail attachments remain the most successful malware delivery mechanism for a reason – human frailty. “At all levels, industry, enterprise and government are all woefully ill-prepared,” says Greg Sim, chief executive at disruptive security specialists Glasswall.
Mr Sim lays the responsibility partly on “creaking old anti-virus detection that can never keep up” and also on the modern curse of trusting the internet.
Hit it in the winter and you have a systemic crisis event – multiple failures in many and various parts of the entire critical national infrastructure
The truth of the matter is that the plague of ransomware seen last year was mostly delivered via such spray-and-pray operations using templated phishing campaigns. This templating is important, dictating as it does the return on investment; the ransom is identical for your gran, who wants the family photo album back, and the hospital administrator with critical patient health records beyond reach.
As ransomware evolution continues, so these tactics will change. “Criminals will shift tactics to a two-staged approach,” says social engineering defence instructor PhishMe’s co-founder Aaron Higbee. “Malware will infect silently, not immediately notifying the victim that their files are being encrypted.” In the second phase, the malware will send back information about the victim to enable the crooks to adjust the size of the ransom, depending on the value of the encrypted data.
Attacking smart cities
Ken Munro’s penetration testing company Pen Test Partners has already demonstrated how proof-of-concept ransomware can attack smart thermostats and roll heating and cooling up and down. He says it would be possible to “create a mass ransomware attack using these devices to knock over the national grid and extort money from the utility provider”.
This could be done by switching half a million devices, say, to maximum to draw as much current as possible to coincide with maximum load on the power grid. It could cause a blackout or even a black start as power stations struggle to recover over a number of hours. “Hit it in the winter and you have a systemic crisis event – multiple failures in many and various parts of the entire critical national infrastructure. No power, no heat – people die,” says Mr Munro.
Some argue the increased risk of getting caught, if ramping up to what potentially falls under the terrorism umbrella, will deter ransomware criminals. But combining the lure of exponentially richer ransoms with the inter-connectivity of devices, utilities and services acting as force-multipliers, and you have the perfect cyber storm.
Why wouldn’t blackmailers hold an entire municipality to ransom using a single-entry point if they could? An entry point, remember, that could well be human rather than hardware in origin. “At that stage,” Glasswall’s Greg Sim concludes, “the smart city is going to look pretty stupid.
Case study: San Francisco
A ransomware attack on the networks of the Municipal Transport Agency (MTA) responsible for public transport in San Francisco resulted in free travel on Black Friday 2016.
Some 2,112 non-operational computers were left displaying a message which read “You Hacked, ALL Data Encrypted” along with an e-mail address and a demand for 100 bitcoins (£75,000).
The HDDCryptor ransomware variant did not affect safety, or running of buses or trains, but as all 8,000 terminals had to be isolated to prevent any risk of the malware spreading further, the ticket gates were opened.
Yet the MTA was not specifically targeted, it seems, as the hacker claimed in a statement that the software was working completely automatically.
The transport system was caught up in a random scattergun e-mail with an attachment being opened by an unlucky worker. Not as unlucky as the hacker though, who seems to have been out of his depth.
MTA chief technology officer Lisa Walton said the hacker insisted he was ransoming 32 gigabytes of data, yet that’s just a tiny fraction of the data the system handles. Unsurprisingly then, the large ransom was not paid.
The hacker’s luck may continue to run out as the FBI is investigating the attack and revenue losses alone are estimated at $50,000 (£40,000). Throw in business disruption, a system recovery team of 15 and ongoing security auditing costs, and the total financial damages are likely to be well into six figures.