The outbreak of Trojan ransomware WannaCry has already caused a heap of trouble to all kinds of businesses. However, we expect that companies whose infrastructures employ embedded systems are feeling particularly unhappy with the authors of this malware.
Theoretically, embedded systems should not be interesting to ransomware actors — it’s doubtful that anyone would pay ransom for a purely utilitarian system that holds no valuable data and whose hard drive is routinely reformatted anyway. But WannaCry does not choose its targets. As a result of the peculiar nature of the vulnerability it exploits, WannaCry has spread itself widely across local networks and infected all unpatched and unprotected machines.
Out of the blue
It would be unfair to say that this plague has been an eye-opener: The problem of insufficient security of embedded systems is not new, and it’s long been known that they traditionally have less (if any) protection than workstations and servers. But WannaCry brought the issue into the spotlight.
When speaking of embedded system, ATMs and POS terminals may come to mind. And indeed, some of them got infected, although they tend to have some protection installed because of compliance regulations and they are frequently seen in threat models. The infection of such systems as information panels, medical equipment, and vending machines looked like a bigger deal — to say the least.
Wow, even in my building lobby! #WannaCry #ransomware pic.twitter.com/ilPqHBmiB5
— Andrew Tinits (@amtinits) May 12, 2017
The owners of infected embedded systems don’t feel any better knowing they didn’t pay ransom to criminals; they still suffered noticeable damage.
- Inoperable vending machines, ATMs, or automated ticket kiosks mean cash shortfalls.
- A ransom note on a publicly accessible screen tells customers “Our security is bad.” It’s hard to assess the damage such a message does to a company’s reputation. Will a client who sees that message come back?
- Infected terminals require repairs. If you use hundreds of terminals, you can count how much money you’re going to spend, especially given the geographical distribution and urgency with which your personnel have to reinstall operating systems and make changes in security settings. And some devices may use outdated software that is challenging or even impossible to reinstall.
Going by the trolling in social networks, these screens did not go unnoticed.
Don't worry boss, no-one outside the company will ever know we were hit by #WannaCry pic.twitter.com/ciI2gdBVSR
— Graham Cluley (@gcluley) May 14, 2017
How to solve the problem
Why do embedded systems lack protection? There are two reasons. First, until now their security was often overlooked. Second, they tend to run on old hardware and use low-bandwidth Internet channels and outdated operating systems. They seem simply unfit to run security solutions on top of their hardware resources.
We have to admit that in a way, WannaCry has helped the world by highlighting the first problem. And it’s true that protecting embedded systems with traditional antimalware solutions may not be the most effective approach. That is exactly why we developed Kaspersky Embedded Systems Security specifically for a broad range of embedded systems. It’s less resource-intensive than a desktop security solution, but it prevents infection by employing a number of desktop-class security features.
In the case of a cryptomalware attack (including WannaCry), the solution works as follows:
- Default Deny mode is the core technology of the product. It precludes execution of any code, including scripts, if they haven’t been added to an allowlist. So even if cryptomalware has been able to penetrate a system, for example, by hiding in a legitimate software package, it won’t be able to execute itself.
- The Process Memory Protection component analyzes the integrity of processes in memory and prevents attempts to exploit vulnerabilities both known and unknown.
- Kaspersky Embedded Systems Security includes a centrally controlled firewall, which allows for quick disabling of the port used by a vulnerability once it is discovered.
- Technology that controls USB devices when they are attached further enhances the solution. This prevents infection by an untrusted USB device, for example, something that may happen during maintenance.
- The antimalware module, available as an option, cleans the system of any infected files.
According to our records, none of the devices protected by Kaspersky Embedded Systems Security has been affected by the WannaCry plague. This solution currently protects hundreds of thousands of embedded systems around the world, so it’s fair to say that it has passed this serious real-life test. Therefore, if your network infrastructure includes embedded systems running Windows Embedded, we strongly recommend trying our solution.