Could IoT devices become victims of ransomware?

In a recent report from ICIT entitled “Combatting the Ransomware Blitzkrieg”, the authors James Scott and Drew Spaniel make the point that “It is not inconceivable that malware, and ransomware in particular, will eventually target IoT devices.” They cited the scenario of someone paying to remove ransomware from a pacemaker, which could ultimately drain the battery. Commenting, Cesare Garlati, chief security strategist for the prpl Foundation, said:

“prpl agrees that connected devices represent a major threat to consumers and the public at large due to poor or non-existent security in place to help protect them. Ransomware, however, is traditionally used for criminals to prevent users from accessing important data or files. This is an important distinction to make, as connected devices generally do not store any valuable information or personal content. Having said that, they do make up critical devices, such as the home router – and while there is no information to encrypt, it does sit at the edge of the home network and in that way it will be attractive to attackers who may be able to penetrate it to pursue the home network.

“The distinction here is between actually placing ransomware on a connected device, which is unlikely since connected devices themselves tend not to contain data, or using that connected device as a gateway to users’ critical information, which is more likely.”

He goes on to elaborate on how securing devices at the chip or hardware level can solve this problem, and on how manufacturing devices that are “always connected” via the internet is not necessary and can unnecessarily expose consumers to data theft.