My guest on the Inner Circle podcast this week is Cesar Cerrudo, CTO of IOActive. Our topic revolves around ransomware–but with a twist that involves robots.
I think we can all agree that ransomware is annoying. When it comes to the standard ransomware business model of encrypting data and holding it hostage, though, there's a well-understood answer. As long as you have current backups that the ransomware couldn't reach (offline or otherwise immutable), you can ignore the demand, wipe the affected systems, and restore your unencrypted data from backup.
Researchers from IOActive have uncovered a potential twist on ransomware, however, that would make it much harder to ignore or recover from without paying the ransom. If attackers use malware to exploit vulnerabilities in robots and take them offline or make them dysfunctional, that could have a significant financial impact on companies that rely on robot automation for manufacturing, production, and logistics.
A blog post from IOActive explains, “Businesses and factories lose money every second one of their robots is non-operational. It stands to reason, then, that service and/or production disruption is another strategy for attackers. Instead of encrypting data, an attacker could target key robot software components to make the robot non-operational until the ransom is paid.”
The robot ransomware angle has two significant and insidious advantages over the standard ransomware model. First, as mentioned above, recovery is more complex: the attacker has altered the software the robot runs rather than the data it stores, so restoring data from backup doesn't help. Second, the companies that rely on robots lose money for every hour the robots remain dysfunctional, which provides a massive incentive to simply pay the ransom and get back to business.
The IOActive blog post points out that many robots don’t provide any simple way to perform a factory reset or update the operating system or software. “Having a technician fix a robot problem could take weeks depending on availability. Ironically, during our research, our robot started to malfunction. The only option to repair it was to send it back to the vendor. We had to ship it from our country to the US and wait a couple weeks for its return. We also had to cover the associated shipping costs, including customs handling.”
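If recovery depends on being able to put known-good software back on the robot, the practical prerequisite is a signed, offline snapshot of that software and a way to tell which components have been changed. The following is an added example, not code from IOActive or from the podcast, of a manifest-based integrity check: it hashes a software tree, stores the result as the baseline, and later reports which files were modified, deleted, or dropped in. The directory layout and file names (bin/motion_ctl, etc/joints.cfg, bin/pay_me) are constructed for the demo and don't correspond to any real robot.

```python
"""Manifest-based integrity check for a robot's software tree.

Hypothetical example: build a SHA-256 manifest of a known-good software
tree (the image you would restore from), then compare the running tree
against it to find tampered, missing and unexpected files.  All paths
and file contents below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with the known-good manifest.

    Returns sorted lists of paths that were modified, are missing, or were
    never in the manifest (for example a dropped payload), plus an overall
    ok flag.  The manifest itself must come from storage the robot's
    attacker cannot reach, otherwise it can be rewritten along with the tree.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a clean tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "motion_ctl").write_bytes(b"\x7fELF clean controller")
        (root / "bin" / "vision").write_bytes(b"\x7fELF clean vision")
        (root / "etc" / "joints.cfg").write_text("max_torque=40\n")

        manifest = build_manifest(root)  # baseline you would sign and store offline
        clean = verify_tree(root, manifest)

        # Simulated attack: patch the controller, delete a config, drop a payload.
        (root / "bin" / "motion_ctl").write_bytes(b"\x7fELF halted until paid")
        (root / "etc" / "joints.cfg").unlink()
        (root / "bin" / "pay_me").write_bytes(b"#!/bin/sh\necho pay\n")

        tampered = verify_tree(root, manifest)
        return {"clean": clean, "tampered": tampered, "manifest_size": len(manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add: a check that runs on the compromised controller can be disabled by whoever owns that controller, so the manifest and the check should run from a separate host or a boot stage the attacker doesn't control; and detecting the change is only useful if the vendor gives you a way to write the known-good image back, which is exactly the gap the IOActive post describes.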
As promised in the podcast, here are the links to the resources from IOActive:
- Blog: http://blog.ioactive.com/2018/03/robots-want-bitcoins-too.html
- Video: https://youtu.be/4djvZjme_-M
- Press Release: https://www.ioactive.com/news-events/ioactive-conducts-first-ever-ransomware-attack-on-robots-at-kaspersky-security-analyst-summit-2018.html
Check out the podcast to learn more. Share your thoughts or ask questions in the comments below.