Science·Q&A

WannaCry sheds light on where malware might attack next

Hundreds of thousands of computers around the world have been infected by ransomware in the past few days. CBC tech columnist Dan Misener looks at where the next big attack could take place.

Smart home devices and city infrastructure likely the next frontier for malware, security experts say

Dan Misener · for CBC News · Posted: May 17, 2017 2:53 PM EDT | Last Updated: May 17, 2017

A screenshot of the warning screen from a purported ransomware attack, as captured by a computer user in Taiwan, is seen on laptop in Beijing on May 13. WannaCry was able to spread worm-like through networks of computers from an infected source. (Mark Schiefelbein/The Associated Press)

Hundreds of thousands of computers around the world were infected this week by a massive ransomware attack.

Britain's National Health Service, FedEx, German rail operator Deutsche Bahn and other large organizations were among those hit by WannaCry, which exploited a vulnerability in Microsoft Windows.

The ransomware was able to spread because of computers that were running out-of-date or unsupported software that hadn't been updated with the latest security patches.

CBC tech columnist Dan Misener says this type of ransomware has been around for more than 15 years, with early versions spread by floppy disk.

If the most recent attacks were on Microsoft Windows, what other platforms might hackers target?

As we saw with WannaCry in the U.K., it can be incredibly disruptive when malware infects standard Windows PCs in a hospital setting.

A similar attack on the specialized control systems that run local infrastructure could be even worse.

Can you imagine? Software that could hold a city's sewage system for ransom?

Infrastructure hacking is exactly what has a security and surveillance expert concerned.

"We're talking about the kind of software that controls the infrastructure that underpins our lives, from traffic lights through to sewage flow," said David Murakami Wood, Canada research chair in surveillance studies at Queen's University. "That's the immediate new frontier with this type of hacking."

Security and surveillance expert David Murakami Wood says he's concerned about hacks to software that controls city infrastructure, such as traffic lights and sewage flow. (CBC)

What about ransomware on smartphones?

Smartphones seem like they'd be a lucrative target for ransomware authors, based on the sheer number of them. There were about1.5 billion smartphones sold last year, according to research company Gartner, Inc.

While there have been some smartphone ransomware attacks in recent years, we haven't seen anything on the scale of WannaCry.

According to one security expert, that's because the systems for updating smartphone operating systems are generally pretty good.

When security updates are issued, they tend to be adopted pretty quickly through automatic updates on iOS or Android.

Again, part of the reason the WannaCry ransomware was easily spread is because Windows PCs weren't kept up-to-date with the latest security updates.

That appears to be less of an issue for most smartphone platforms.

Smartphones haven't seen an attack on the scale of WannaCry because their operating systems tend to stay up-to-date. (Sean Gallup/Getty Images)

What else might be the next battleground for ransomware?

Security entrepreneur Ken Munro from Pen Test Partners says so-called smart home devices are likely the next frontier for malware.

He told me that he tries to push the boundaries of security so last summer he and colleagues tried to find bugs in smart household devices such as fridges and thermostats.

"We sought proof of the concept ransomware for a smart thermostat so you could lock someone out in the middle of winter so their heating didn't work, which is quite good fun, or turn off their AC in the middle of summer, just to prove a point so manufacturers hopefully improve their game so the bad guys can't do it," he said.

He told me a big part of the problem is that many manufacturers offer very limited support for their devices, whether it's a consumer modem, smart coffee maker or smartphone.

"Manufacturers are promising support for perhaps three years. That makes it a really interesting attack platform because I know that in three and a half years time, any new bugs found aren't going to be fixed. That's going to be a really vulnerable place to be," Munro said.

"Even Google just announced that they'd only be supporting their latest phone range and offering updates for three years. So that means in three years and a month, someone finds a nasty bug in that phone operating system, boom. You've got a really interesting attack vector."

Both Murakami Wood and Munro painted a picture of a future where a huge number of devices are running out-of-date, unsupported software that will never receive security patches.

Security entrepreneur Ken Munro says smart home devices are the next frontier for malware. (Maurizio Pesce/Flickr)

So what can people do to prepare themselves for malware attacks of the future?

The moral of the story seems to be keep your digital devices up to date and keep good backups.

That applies to the devices you already own and ones you may have in the future.

If your devices can update themselves and download security updates automatically, use those features.

And when you're considering a new digital device, whether that's a phone, a computer or a smart-home gadget, it's worth looking into just how long the manufacturer promises to support it with software updates (if it makes any promises at all).

In the past I haven't paid much attention to the support lifetime of the devices I own, but having seen WannaCry it's something I'll be paying watching much more closely.