Cybercriminals are increasingly targeting individuals and businesses through ransomware – a sophisticated and strategic extortion method.
Australia is now one of the top targets for ransomware, with new forms of varying complexity being discovered, created and updated every day.
“Jackware” is one such type of ransomware we are foreseeing, which could potentially become one of the most common and threatening kinds of malware for consumers and businesses within the next ten years.
What is jackware and how could it target cars?
Jackware – a term suggested by fellow senior ESET researcher Stephen Cobb – is malicious software seeking to take control of a device. Ransomware such as Locky and Cryptolocker use codes to encrypt documents on computers and demand a ransom to unlock them. Jackware could target a car or other connected IoT device and lock it or otherwise subvert its normal functioning until the victim pays up.
Fortunately, jackware is still theoretical and hasn’t been experienced… yet. Seeing how ransomware incidents have surged this year, we suspect it is only a matter of time before jackware is developed and deployed.
This is based on the number of examples of cars and connected devices that have already been exposed as being vulnerable to remote exploitation, and hence to these potential forms of malware.
One of the most compelling examples from last year was the Chrysler / Jeep incident that resulted in more than a million digitally connected vehicles containing vulnerabilities being recalled. The “recall” involved the manufacturers sending USBs with a software patch to be installed by the car owners through their vehicle’s dashboard.
In Australia, car hacking is already a concern for the police. Newer vehicles come with the latest technologies that might improve safety, offer voice control or even optimise fuel consumption, but unless they are properly secured with updated protection technologies, they might also have vulnerabilities.
Any security flaws in the car’s entertainment system or connectivity could be an opportunity for e-criminals to not only access sensitive data and systems but also to remotely manipulate a car’s functionality, unlock it and even start it.
BMW’s ConnectedDrive service is a good example of systems accessible beyond the car itself: you can use it to remotely control the lights, temperature, alarm and entertainment systems in your house via Amazon Echo, but this in-vehicle system can also be remotely hacked.
Is jackware the future of ransomware?
It seems like a logical progression and ransomware may increasingly target cars in the future if vulnerabilities aren’t patched. Beyond asking for payment to unlock cars, jackware could potentially pose a serious future threat for self-driving cars.
For example, what if, in a moving self-driving car, the computer takes over, locks the car and heads to the wrong destination? The next step could be a hacker behind the set-up demanding ransom of a certain amount of bitcoins before allowing the passenger to get out of the car or to proceed to their desired destination.
While this is one of the worst-case scenarios, there are still many solutions to avoid this kind of outcome. As we work to develop highly advanced and digitally connected cars, we need to ensure the appropriate precautions and protective technologies are also put into practice.
How can we prevent jackware?
To avoid getting your car or other connected devices hacked, here are some essential tips we recommend at ESET:
- Keep informed of the latest security threats and how they are arising
- Make sure your security software for all connected devices, including your car, is up to date
- Beware of e-criminals who might take advantage of a software upgrade to send emails with malicious attachments or websites containing malicious software
- Avoid making unauthorised software modifications on a car or connected devices
Nick FitzGerald is a Senior Research Fellow at ESET