WannaCry sheds light on where malware might attack next

Hundreds of thousands of computers around the world wereinfected this week by a massive ransomware attack.

Britain's National Health Service, FedEx, German rail operator Deutsche Bahn and other large organizations were among those hit by WannaCry, whichexploited a vulnerability in Microsoft Windows.

Theransomwarewas able to spread because of computers that were running out-of-date or unsupported software that hadn't been updated with the latest security patches.

CBC tech columnist Dan Misener says this type of ransomware has been around for more than 15 years, withearly versions spreadby floppy disk.

• WannaCry ransomware: What you need to know
• WannaCry conjures up Titanic for N.B. security expert
• WannaCry most dangerous to smaller companies, says Canadian cybersecurity firm

If the most recent attacks were on Microsoft Windows, what other platforms might hackers target?

As we saw with WannaCry in the U.K., it can be incredibly disruptive when malware infects standard Windows PCs in a hospital setting.

A similar attack on the specialized control systems that run local infrastructure could be even worse.

Can you imagine? Software that could hold a city's sewage system for ransom?

Infrastructure hacking is exactly what has a security and surveillance expert concerned.

"We're talking about the kind of software that controls the infrastructure that underpins our lives, from traffic lights through to sewage flow," said David Murakami Wood, Canada research chair in surveillance studies at Queen's University. "That's the immediate new frontier with this type of hacking."

What about ransomware on smartphones?

Smartphones seem like they'd be a lucrative target for ransomware authors, based on the sheer number of them. There were about1.5billion smartphones sold last year, according to research company Gartner, Inc.

While there have been somesmartphone ransomwareattacks in recent years, we haven't seen anythingon the scale of WannaCry.

According to one security expert, that's becausethe systems for updating smartphone operating systems are generally pretty good.

When security updates are issued, they tend to be adopted pretty quickly through automatic updates on iOS or Android.

Again, part of the reason the WannaCry ransomwarewas easily spread is becauseWindows PCs weren't kept up-to-date withthe latest security updates.

That appears to beless of an issue for most smartphone platforms.

What else might be the next battleground for ransomware?

Security entrepreneur KenMunrofrom Pen Test Partners says so-called smart homedevices are likely the next frontier for malware.

He told me that he tries to push the boundaries of security so last summer he and colleagues tried to find bugs in smart household devices such as fridges and thermostats.

"We sought proof of the concept ransomware for a smart thermostat so you could lock someone out in the middle of winter so their heating didn't work, which is quite good fun, or turn off their AC in the middle of summer, just to prove a point so manufacturers hopefully improve their game so the bad guys can't do it," he said.

He told me a big part of the problem is that many manufacturers offer very limited support for their devices, whether it's a consumermodem, smart coffee maker or smartphone.

"Manufacturers are promising support for perhaps three years. That makes it a really interesting attack platform because I know that in three and a half years time, any new bugs found aren't going to be fixed. That's going to be a really vulnerable place to be," Munro said.

"Even Google just announced that they'd only be supporting their latest phone range and offering updates for three years. So that means in three years and a month, someone finds a nasty bug in that phone operating system, boom. You've got a really interesting attack vector."

Both Murakami Wood and Munro painted a picture of a future where a huge number of devicesare running out-of-date, unsupported software that will never receive security patches.

So what can people do to prepare themselves for malware attacks of the future?

The moral of the story seems to be keep your digital devices up to date and keep good backups.

That applies to the devices you already own and onesyou may have in the future.

If your devices can update themselvesand download security updates automatically, use those features.

And when you're considering a new digital device, whether that's a phone, a computeror a smart-home gadget, it's worth looking into just how long the manufacturer promises to support it with software updates (if it makes any promises at all).

In the pastI haven't paid much attention to the support lifetime of the devices I own, but having seen WannaCryit's something I'll be paying watching much more closely.