Turbulence: Ransomware Proof of Concept for Resource-Constrained IoT Devices

The “Internet of Things” (IoT) is a term used to describe smart devices that are capable of connecting to a network. IoT devices can take many forms, such as cameras, televisions, or home assistants, and are often designed to perform specific tasks. While they only require limited processing power to achieve their intended purpose, their connected nature means they are still vulnerable to attack. Most IoT-based malware is designed to infect devices using General Purpose Operating Systems, such as Linux. Malware targeting “constrained” IoT devices, which have lower hardware specifications and implement bare-metal firmware or a Real Time Operating System, are significantly less common, as they present a number of challenges that can hinder malware development. In this work, we identify these challenges and assess the viability of implementing functional ransomware that targets constrained IoT devices. We then test our findings by developing a ransomware Proof of Concept capable of locking a target system and spreading throughout a network. Finally, we analyse the ransomware’s performance against an intentionally vulnerable testbed to identify the requirements and limitations of – as well as potential countermeasures against – ransomware targeting constrained IoT devices.