October 8, 2016

The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.

According to a report at Euractiv.com, the Commission is planning the new IoT rules as part of a new plan to overhaul the European Union’s telecommunications laws. “The Commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure,” wrote Catherine Stupp. “The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings.”

In last week’s piece, “Who Makes the IoT Things Under Attack?,” I looked at which companies are responsible for IoT products being sought out by Mirai — malware that scans the Internet for devices running default usernames and passwords and then forces vulnerable devices to participate in extremely powerful attacks designed to knock Web sites offline.

One of those default passwords — username: root and password: xc3511 — is in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products.

That information comes in an analysis published this week by Flashpoint Intel, whose security analysts discovered that the Web-based administration page for devices made by this Chinese company (http://ipaddress/Login.htm) can be trivially bypassed without even supplying a username or password, just by navigating to a page called “DVR.htm” prior to login.

Worse still, even if owners of these IoT devices change the default credentials via the device’s Web interface, those machines can still be reached over the Internet via communications services called “Telnet” and “SSH.” These are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” to reach a username and password prompt at the target host).

“The issue with these particular devices is that a user cannot feasibly change this password,” said Flashpoint’s Zach Wikholm. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”
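As an added example (not from the article or from Flashpoint’s analysis), the Python script below shows what a defender can do with the fact above: scan Telnet authentication or honeypot logs for login attempts that use the hardcoded root/xc3511 default, flag sources that sweep with it the way Mirai does, and flag any device that still accepted it. The log format and the addresses are constructed for the example.

```python
import re
from collections import Counter

# Hardcoded Telnet default named in the article (root / xc3511). A real deployment
# would extend this set with the rest of Mirai's dictionary (assumption, not from the page).
KNOWN_DEFAULTS = frozenset({("root", "xc3511")})

# Constructed log format for this example (hypothetical, not any vendor's real format):
#   <ISO timestamp> telnet-auth src=<ip> user=<name> pass=<secret> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet-auth src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_default_cred_logins(lines, threshold=3):
    """Scan Telnet auth log lines for attempts that use known factory defaults.

    Returns a dict with:
      scanners   : {src_ip: count} for sources whose default-credential attempts
                   reached `threshold` (a Mirai-style sweep of the address space)
      compromised: list of (src_ip, user) for attempts that succeeded with a
                   default credential, i.e. a device that still honours it
      unparsed   : number of lines that did not match the expected format
    """
    attempts = Counter()
    compromised = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if (rec["user"], rec["pw"]) not in KNOWN_DEFAULTS:
            continue  # a normal login, or a guess outside the known-default set
        attempts[rec["src"]] += 1
        if rec["result"] == "ok":
            compromised.append((rec["src"], rec["user"]))
    scanners = {src: n for src, n in attempts.items() if n >= threshold}
    return {"scanners": scanners, "compromised": compromised, "unparsed": unparsed}


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
2016-10-06T01:12:03Z telnet-auth src=203.0.113.5 user=root pass=xc3511 result=fail
2016-10-06T01:12:04Z telnet-auth src=203.0.113.5 user=root pass=xc3511 result=fail
2016-10-06T01:12:05Z telnet-auth src=203.0.113.5 user=root pass=xc3511 result=ok
2016-10-06T01:13:40Z telnet-auth src=198.51.100.7 user=admin pass=hunter2 result=fail
2016-10-06T01:14:10Z telnet-auth src=192.0.2.9 user=root pass=xc3511 result=fail
this line is garbage and should be counted as unparsed
""".splitlines()

if __name__ == "__main__":
    report = detect_default_cred_logins(SAMPLE_LOG)
    for src, n in report["scanners"].items():
        print(f"ALERT scanner {src}: {n} default-credential attempts")
    for src, user in report["compromised"]:
        print(f"CRITICAL default credential accepted from {src} as {user}")
    print(f"{report['unparsed']} unparsed line(s)")
```

A successful default-credential login from a sweeping source is the strongest signal here: it means a device on the network still honours the password the web interface cannot change.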

Flashpoint’s researchers said they scanned the Internet on Oct. 6 for systems that showed signs of running the vulnerable hardware, and found more than 515,000 of them were vulnerable to the flaws they discovered.

Flashpoint says the majority of media coverage surrounding the Mirai attacks on KrebsOnSecurity and other targets has outed products made by Chinese hi-tech vendor Dahua as a primary source of compromised devices. Indeed, Dahua’s products were heavily represented in the analysis I published last week.

For its part, Dahua appears to be downplaying the problem. On Thursday, Dahua published a carefully-worded statement that took issue with a Wall Street Journal story about the role of Dahua’s products in the Mirai botnet attacks.

“To clarify, Dahua Technology has maintained a B2B business model and sells its products through the channel,” the company said. “Currently in the North America market, we don’t sell our products directly to consumers and businesses through [our] website or retailers like Amazon. Amazon is not an approved Dahua distributor and we proactively conduct research to identify and take action against the unauthorized sale of our products. A list of authorized distributors is available here.”

Dahua said the company’s investigation determined the devices that became part of the DDoS attack had one or more of these characteristics:

-The devices were using firmware dating prior to January 2015.
-The devices were using the default user name and password.
-The devices were exposed to the internet without the protection of an effective network firewall.

The default login page of Xiongmai Technologies “Netsurveillance” and “CMS” software. Image: Flashpoint.

Dahua also said that to the best of the company’s knowledge, DDoS [distributed denial-of-service attacks] threats have not affected any Dahua-branded devices deployed or sold in North America.

Flashpoint’s Wikholm said his analysis of the Mirai-infected nodes found differently: in the United States, Dahua makes up about 65% of the attacking sources (~3,000 Internet addresses in the US out of approximately 400,000 addresses total).

ANALYSIS

Dahua’s statement that devices which were enslaved as part of the DDoS botnet were likely operating under the default password is duplicitous, given that threats like Mirai spread via Telnet and because the default password can’t effectively be changed.

Dahua and other IoT makers who have gotten a free pass on security for years are about to discover that building virtually no security into their products is going to have consequences. It’s a fair bet that the European Commission’s promised IoT regulations will cost a handful of IoT hardware vendors plenty.

Also, in the past week I’ve heard from two different attorneys who are weighing whether to launch class-action lawsuits against IoT vendors who have been paying lip service to security over the years and have now created a massive security headache for the rest of the Internet.

I don’t normally think class-action lawsuits move the needle much, but in this case they seem justified because these companies are effectively dumping toxic waste onto the Internet. And make no mistake, these IoT things have quite a long half-life: A majority of them probably will remain in operation (i.e., connected to the Internet and insecure) for many years to come — unless and until their owners take them offline or manufacturers issue product recalls.

Perhaps Dahua is seeing the writing on the wall as well. In its statement this week, the company confirmed rumors reported by KrebsOnSecurity earlier, stating that it would be offering replacement discounts as “a gesture of goodwill to customers who wish to replace pre-January 2015 models.” But it’s not clear yet whether and/or how end-users can take advantage of this offer, as the company maintains it does not sell to consumers directly. “Dealers can bring such products to an authorized Dahua dealer, where a technical evaluation will be performed to determine eligibility,” the IoT maker said.

In a post on Motherboard this week, security expert Bruce Schneier argued that the universe of IoT things will largely remain insecure and open to compromise unless and until government steps in and fixes the problem.

“When we have market failures, government is the only solution,” Schneier wrote. “The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.”

I’m not planning on suing anyone related to these attacks, but I wonder what you think, dear reader? Are lawsuits and government regulations going to help mitigate the security threat from the 20 billion IoT devices that Gartner estimates will be plugged into the Internet by 2020? Sound off in the comments below.


117 thoughts on “Europe to Push New Security Rules Amid IoT Mess”

  1. Drone

    When China starts the war they so desperately seek, our first line of defense should consist of pen testing and vuln exploitation. I believe we’ll find all their systems to use open ports with admin/admin username/password sets.

      1. SeymourB

        What he really needs to cut back on are the conspiracy theorist websites & videos. These guys are all over YouTube. They went stir-crazy when Weird Al made fun of them in Foil.

        He probably needs to see a doctor and get prescribed some medication, but that’s between him and his lizard person… oops, I mean doctor.

  2. Abhijit Chakravorty

    Securing IoT devices will necessitate regular patching. A nightmare in itself, given the volume we’re talking about, failed patches, rollbacks, etc. Instead, a potential means could be for tech to evolve and provide security controls at the point of connection of these devices to their ISP – and provided by third parties. There will be issues around privacy that will have to be addressed, but I see few other options.

  3. Toni Selkälä

    I think that many here dream of a perfect society, even though a more intermediate goal of a “better society” would likely be the goal of regulation, if any, passed. Moreover, in the EU people generally trust public actors more than private ones to guarantee their rights, in striking opposition to the situation in the US. Thus, for the citizens of the EU it feels quite natural to have regional regulation on IoT devices.

    Certainly, these devices won’t be updated regularly nor will they remain foolproof from here-on-now — but then again, there is no such device in existence that would be safe from hacking. Having some kind of robinhoodism as a solution (let’s ban all slackers) just comes to show the fickleness of the internet technocrati: It is abhorrent to prevent e.g. internet access because a person is illegally downloading copyright protected material (as in France), yet they would be perfectly A-Okay preventing people from not belonging to small circles of technologically savvy technology users of the world.

    All-in-all, a regulation with basic safety parameters defined as in other standards would combine the nimbleness of markets (market players do define standards in EU through ESOs) with enforceability of public exercise of power. Sure, we would have still “bad” devices five years from now, but at the very least they would not all be target to attack due to inherent failure in hard-coded safety. I think there is a world of difference there, and a difference most of us would consider for the better.

  4. Shane Killian

    I’d feel a lot better if this were being done by someone like the IETF instead of a government. Governments tend to have this “my way or the highway” attitude, forcing one way on others, and being slow to change if that way is shown to be inadequate.

    The IETF would also probably do a better job of making standards that are applied internationally, instead of having one set of standards for Europe, one for the US, one for Australia, etc.

    1. Sherrane

      Completely agree Shane. Politics and bureaucracy are the products of government, not tech. We’re going to end up with layers of ineffective security and endless finger pointing when it inevitably fails instead of a real solution.

    2. The Phisher King

      The problem has already been solved.
      Underwriters Laboratories (UL) created a Cybersecurity Assurance Program for vendors a while ago.
      In the same way a consumer grade electrical device can carry the UL or CE stamp if it meets the electrical safety standard, an IoT device can do the same for meeting the cybersecurity standard.
      There is just no compulsion by legislators or traction in the marketplace by consumers to pay the extra 15-20% to have that happen.

    3. Barry Nelson

      The IETF could write whatever standards it wants and the device manufacturers will happily ignore them, and there is nothing that the IETF could do about it. It amounts to asking one of these greedy device manufacturers: Could you please (whatever, blah blah blah). The manufacturers won’t even bother to reply no, they will just do whatever they want.

  5. georgemck

    The ISPs will have to be compelled to shut down rogue IoT devices just as they do with spam servers. In the future, this needs to be a network-layer solution.

    I doubt manufacturers can be held accountable yet. But if the customer can’t get the device to work, then they won’t buy them.

  6. Chris Vail

    I concur with georgemck that the ISPs can help. Pro-actively they can scan for these IoT devices, and if found deal with their customers directly. If one is found, the customer gets an email telling them that the device will be blocked until a firmware upgrade is completed. Most people, upon finding that the cheapie webcam they just purchased is ‘insecure’ will do something about it. Give them 30 days to upgrade (if possible) and just block the device.

    Most people purchase a webcam for their home network only. But when they find they can’t get to it from their smartphone, they will upgrade or replace.

    ISPs won’t do this unless compelled by threat of lawsuit, however. That’s the sad part. But there are far fewer ISPs than users.

    1. Mike

      With most devices stuffing their traffic and everything they can find through ports 80, 8080, and 443, it will be hard to block just one participating device at a given IP address. Remember back to Krebs’ previous article, that many of these set themselves up in the modem’s firewall via UPnP.

      1. bill

        Block all devices behind the bad IP address. Something behind the IP is causing harm to others.

    2. Vog Bedrog

      That might have some impact, but with ISPs sending out emails about technical problems end-users barely understand there might easily come a flood of

      Subject: Insecure device detected!

      Body: We as Your ISP have detected an Insecure Unacceptable Device on Your Home Network. You are required make Every Step to Ensure this Security Vulnerability is Addressed, or risk that Your Device is permanently blocked from all internet access after 48 Hours from After Receipt of Email. Full Details of Your Insecure Device and Instructions for Coping with Insecurity, read attachment.

      Attachment: obviousransomware.doc.js

  7. Charles James

    Since certain sources are selling less than secure devices, some that I feel were deliberately created to allow surreptitious access, to our companies who are using the devices as part of a package, this puts us at risk.

    If we as individuals, for it is us the individuals most at risk and who will pay the highest price of such insecurities, speak up and have both those companies as well as our legislatures, etc., take a positive role in making the IoT more secure and those that fail pay large sums of money, the sums that really hurt in relation to the offender be it individual or large business, then we will have gone a long way to create a more secure, a more safe and a more profitable Internet environment, both the surface we all see and the U-verse hidden underneath.

    The idea is to hinder all those fly-by-night predators that rely on the more nefarious ones who create ways to use and circumvent security in software, hardware and all the related IoT’s.

    Just sayin!!! Oh, and those nefarious dudes who are making IoT products the way they are, all such devices being imported must pass rigorous testing before being allowed and then having a tariff-like tax added to pay for it all. Just sayin!!!

  8. Russ

    There absolutely needs to be a universal “manageability” standard taking into account upgradeability, security and firmware upgrades, and prominent posting through the supply chain. A simple code or number rating stamped on every device (or EASILY accessed by the lowest common denominator of user). Something like the wattage rating of a lightbulb. Sure there might be some fraud but the common user must be able to look at a product and tell if the thing is safe and will stay safe for a while, or not.

  9. Tony

    New laws are desperately needed ASAP. I also recommend establishing a certification agency such as UL that will enable consumers to easily recognize that the product has achieved some level of security.

    Example: “SECURITY A – This product has built in security measures that make it acceptable for use on the Internet without additional configuration.”

    “SECURITY B – This product has built in security measures that require mandatory configuration before use on the Internet.”

    “SECURITY D – This product has built in security measures that can optionally be configured for use on the Internet.”

    “SECURITY F – This product’s security has not been tested by an authorized government agency. As such, it should not be connected to the Internet”

    You get the idea. Mandatory security standards labeling.

    1. Clayton Dobbs

      I really like this idea of security tiers, and also a comparison to UL ratings/listings.

      However, because the end result affects ‘innocent’ people, I don’t like the option of a consumer buying the cheaper and lower rated device and just plugging it in anyway.

  10. Mike

    Do you guys have any clue what you’re asking for?

    This WILL lead to U.N. resolutions for turning your neighbor’s internet back on. You think your ISP is bad about things! Can you imagine what it would be to have to go through an international body for every little problem?

    All because you can’t be bothered to take responsibility for your own things.

    1. SeymourB

      Reply to your own posts much?

      Also, calling your boogeyman the UN is still making something a boogeyman.

      1. Mike

        lol…..no boogeyman

        Although I’ve been hearing a bit about idiots dressing in ‘scary clown’ costumes.

        If you look hard enough, that wasn’t me. I’m sure there is more than one person that reads Krebs that has the name ‘Mike’. There just might be more than just you that has the same name that you do.

      2. loli

        Plot Twist: It’s two different people with the same name

      3. Mike

        lol…..no boogeyman

        Although I’ve been hearing a bit about idiots dressing in ‘scary clown’ costumes.

        If you look hard enough, that wasn’t me. I’m sure there is more than one person that reads Krebs that has the name ‘Mike’. There just might be more than just you that has the same name that you do.

  11. Silemess

    It comes down to liability.

    Consumers won’t notice that their devices are included in IOT attacks unless a compromised device on their network is used to compromise their own personal details.

    If ISPs were held accountable for the attacks issuing from their networks, they’d have a reason to turn around and drive consumers to fix the problems that they are hosting.

    If the manufacturers were held accountable for their insecure devices, then they’d want to improve and maintain them until that period of accountability ends (e.g., if devices must be supported for 3 years, then 3 years is as long as some will support).

    Right now, the attacked have no recourse except to find a network that can shield them.

    The market won’t pursue a solution because none of the costs are falling on those who are consuming the product (Consumers or manufacturers). In theory, consumers will buy more secure devices. In practice until they are hit by this themselves, they are not likely to have a reason to spend the extra money.

    I’m not sure about the EU’s idea of rating secure devices. How do you make that stay current, and keep consumers informed that their devices are secure/insecure? Where do you manage to encourage them to move on when their device falls from the good list to the bad list?

    I am of the mind that this is a solution that requires government intervention. But it needs to have a solution that is developed outside of the government first and then implemented and maintained by it. Simply passing a law that says “All devices must be secure” is unenforceable and utterly useless. Declaring who has responsibility when these devices are misused, would perhaps create this drive to fix them.

    There is going to be unfairness, no matter what solution is employed. Is a manufacturer to be held accountable for an old device that’s 15 years out of date? How much grace does a consumer have for a device that’s now vulnerable?

  12. vb

    If every ISP filtered their outbound traffic to ensure that the source IP address was not spoofed, there would be few DDoS problems. Filtering out DDoS traffic would be simple if there were no spoofed IP addresses.

    If managing the Internet is needed, ISPs are easier to manage than device manufacturers.

  13. @law

    It’s very simple: DON’T BUY IoTs and hook them to your internet connection. You can buy them and NEVER hook them up. Unless these telnet backdoors remain open, you simply need to be informed, so I think this is a role for journalism to fulfill, not government. It’s their job to inform. Even if the government would force producers/vendors to put an extra warning instruction into the package, how many users read this?

    I am not an IT expert but I am sure that if it was possible for the ISP’s and large telcos to block insecure IoTs, they still wouldn’t do it because of legal risks.

    So in the end it’s each individual’s responsibility.

    1. VW

      What you are asking is impossible. You do realize that even refrigerators have Wifi and are Internet enabled now right?

      It’s not long until even your coffee machine will be connected to the Internet.

        1. @law

          via IV a mobile app that relies on Bluetooth connectivity
          quite a difference unless your “smart”phone is configured as Wlan hotspot maybe?

          I am quite sure that all these id(IoT)ic things can be simply disconnected from W-Lan if one learns how to use his home-wlan router and reads the manuals.

          You can make your wlan invisible, change the passwords, restrict the permissions via MAC address…there are many ways.

  14. Hanno Böck

    Like many I get frightened whenever someone says that we should regulate IT security through governments. However on the other hand given the current IoT mess I can hardly think how we can solve this otherwise. The crucial thing is that it isn’t enough to have some regulation, it must be regulation that actually improves security and that doesn’t cause harm otherwise.

    I think the past experience with governments regulating software security is pretty bad. There are two big problems: Checklist security where people need some kind of audit, but the auditor has no responsibilities for the result (FIPS, CC etc.) and security regulations that tend to lock out open solutions and restrict user freedoms.

    I’m open to listening to good proposals on how to regulate IT security in a smart way. But I think it’s a hard problem.

  15. Bob

    I wouldn’t be surprised, in the U.S., if we start seeing shrink wrap contracts on IoT devices that prevent people from filing or participating in class action lawsuits, requiring binding private arbitration, etc.
    Unfortunately, as long as business has Congress in its pocket, we are unlikely to see any improvement.

  16. Ronan Murphy

    In Europe we have the European GDPR coming into force in May 2018. This means that the controllers of data will be liable if the data is compromised when in the possession of the processors, e.g. IoT innovators etc.; the fines are 20 million or 4% of global revenue. This regulation is on a crash course with IoT innovation and adoption. The general consensus is that there will be new enforced European regulation on standards for IoT. Although DDoS doesn’t necessarily mean that data privacy has been compromised, it will certainly raise the bar in terms of the due diligence that is required on both current and legacy devices.

  17. VW

    One of the very rare cases where government regulation works for the benefit of everyone, because unsecured devices affect every one of us on the Internet. Whether it’s one spam you receive or a major DoS attack, botnets should not be tolerated.

    It would be so amazing if the EU could do the same for Android and force OEMs to actually patch their phones. No vendor should sell a computer device that can connect to the Internet which is not going to be patched or secured anymore. At least 3 years should be the bare minimum. For TVs and other big house electronics at least 10 years.

    The next Android botnet is just waiting to happen around the corner, with so many devices that Google is not willing to patch anymore and that OEMs don’t care about the minute a phone is sold.

    The only way this can work is if regulations ban a company from selling that device or force them to comply with security patches in order to be approved in a market. With so many crappy gadgets coming from China which are insecure the minute you plug them in, this should be a requirement for national security.

    1. Mike

      It sounds like you think that it can all be fixed with a patch or update of some kind. Well, that’s NOT the case. If that were the case then this entire thing would be so very easy to make go away. Have you ever considered ‘where’ these patches come from? Or do you just blindly follow wherever the piper leads you? Oh, that Windows patch came from Microsoft…..yeah right, sure….whatever. They might have their name on it but that does not mean they wrote it. Apple has their name on the iPhone but it is made by Foxconn.

      1. SeymourB

        Just because Foxconn is a manufacturer doesn’t mean Foxconn is the author. My system at home has a motherboard made by ASUS. Does that mean every operating system installed on it was written by ASUS?

        iOS is a far more integrated system, the firmware that runs the hardware and the OS that lives on top are both written by Apple, not Foxconn.

        That being said, by reading between the lines you can see that the IoT devices in question aren’t designed to be flashable. Which is both a blessing and a curse, because if they were flashable, then simply resetting the device wouldn’t remove the infection because they would write it to flash.

        1. Mike

          I never said anything even close to the idea that iOS was in any way written by Foxconn. I’m also not suggesting that Foxconn writes any OS at all. As far as I’m aware, the idea that ASUS puts their name on motherboards has no direct bearing on what OS you can run on it. Go back and read what I actually did say.

          Now, it should be glaringly obvious that Foxconn (with its excessive employee base) has direct access to the hardware as they are the ones that actually fabricate it, build it, and do have a hand in the design of it. This is just one example but it is a good one.

          There is more going on here. Code is getting processed that the OS never sees.

          It doesn’t take much to create a radio transceiver that will process hundreds of frequencies and then write a driver for the OS that makes the OS think it can only handle twenty-three. You think this is conspiracy theory? Or perhaps I’m just grasping at straws?

          While many here (including Brian) want ISPs to step up and do something about all this DDoS nonsense…..
          One particular cable company has just announced 1TB caps for its customers. Now on the surface you might think this is a good thing, but in reality it actually clears a path to aid in the proliferation of DDoS attacks. They are not going to do anything that actually fixes this problem. They are more inclined to notice you if you are using P2P software or torrents. Even then, it is only for being pushed into it by Hollywood lawyers and government mandate.

          1. CplDaniel

            Mike: re ISPs’ interest in torrent/copyright material — The largest ISPs are not just maintaining the cables to people’s homes. Comcast owns Universal and they just bought Pixar animation. TimeWarner owns HBO films/shows and of course Warner Bros. The ISPs are a lot closer to Hollywood than just their lawyers. They are Hollywood.

          2. SeymourB

            Not to get all technical on you, but did you actually go back and read what you wrote?

            “They might have their name on it but that does not mean they wrote it. Apple has their name on the iphone but it is made by Foxconn.”

            In what weird wacky form of English does this mean anything other than Foxconn wrote iOS?

        2. Mike

          One more thing……

          While everyone is concerned about the UN/PW for device admin logins, there is something that I don’t see anyone discussing anywhere.

          There are no rules anywhere that say that there can only be ONE username and/or password. Microsoft sets up their OS with a multitude of usernames (it’s one of the reasons Windows is so easily hacked). Some people refer to this as a ‘backdoor’. There is no reason that routers, cameras, DVRs or any other IoT device couldn’t be given a separate login that few people know. That black hats -stumble upon-. That would never be affected by the one that gets changed by the person that bought it.

          1. @law

            If the device is NOT connected, backdoors don’t work.

            I don’t think IoTs are offered because of popular demand. They are the result of “marketing”.

          2. DigitalRchtect

            I think Mike mistakenly thinks that the command line exploit was installed at the hardware level and that is why the web interface “doesn’t know about it.” A telnet server especially on a lightweight hardware device will almost always run on an operating system because the effort outweighs the benefits, and all else being equal laziness will generally prevail.

  18. Anon

    I can tell you right now Brian, from a Government perspective, manufacturers do not care one iota about security unless it can be spun as a value-add to the product pitch. Apple are one of few to capitalize on this; if engineering security adds an extra dollar to production cost that cannot be realised at sale, they will continue to ignore security. The ONLY solution is some kind of regulation: we need a standard that vendors are to comply with, a secure framework or standard operating system for IoT devices to use that is easily patched, and some ability for financial penalties to incentivize vendors to give a damn. None of this is difficult, people just need to take the Nike approach and just damn well do it. ~Anon.

    1. cpldaniel

      You don’t need to worry about government ineptness at regulating design and security because there is an intermediate step to address the IoT security threat. Tort liability for negligence, coupled with a bond or insurance threshold requirement to cover potential costs to be determined on a per-unit-sold basis. In such cases, an insurance market will spring up and they will issue best practice guidelines for their manufacturer clients more dynamically and responsively than government bureaucrats. Either the system will place a barrier to absurdly cheap/shoddy entrants to the market, or it will be a system whereby, by being bonded/insured, you limit your max liability risk potential, like the system often used for furniture moving companies. By being insured, the company owner can’t be wiped out for destroying something or everything somebody owns. Instead his liability is maxed at some $ per lb of the cargo destroyed, but the customers are guaranteed that there are funds available to pay them for a loss.

  19. The Phisher King

    There are two discrete issues:
    1. How do we get IoT manufacturers and suppliers to consumers, to take security seriously?
    2. How do we get consumers of IoT devices to understand that they have a responsibility to purchase and deploy “safe” devices, rather than whatever is the cheapest?
    The first issue is resolved by making it uneconomic to continue to produce and release “unsafe” devices to market, and that will largely be dictated in the long term by taking steps to resolve the second issue.
    If you want to seriously fix issue two you may have to take the drastic step of, when an unsafe IoT device is detected, notifying the owner that they have 14 days to bring it up to a safe level, otherwise their ISP will be compelled to remove its Internet access. When an ISP refuses to do so, they themselves need to be warned by their carrier that they, in turn, have 14 days to comply, otherwise either their rates will double or they risk being suspended from the Internet until such time as they do comply. And so on up the food chain.
    This could allow the ISPs and upstream carriers to choose, if they wish to do so, to sue the producers of unsafe IoT devices for selling their crapware to the ISPs’ unsuspecting clients.

  20. Joe

    Use Mirai to direct devices that are insecure-by-default/insecure even with reasonable effort by technically inept consumers to attack the net presence (web site, email servers, etc) of the companies that make those devices. The only thing they care about is the ROI of the investment to secure their wares. Currently, there is no incentive for them to do so. In fact, there is probably only disincentive, in the form of making their products slightly more difficult to set up, and possibly by generating additional customer support issues.

    Make them have to jump through the hoops Brian has had to jump through to keep themselves on the net due to the shoddy security of their own products.

  21. Paul

    A Microsoft Time Server went off DST Monday. It caused applications saved to be time-stamped an hour early on my PC. I did not wait around for it to be corrected and changed to another time server.
    Was this a glitch or intentional? What security implications would this have in tandem with other exploits?

  22. Scott

    I suspect security standards will change the effort to compromise an IoT device from “trivially easy” to “mildly difficult”, which is far from sufficient. IoT devices are just small computers, and it will always be worth the trouble for blackhats to compromise them.

    Internet users/consumers should bear responsibility, even if they are unknowingly hosting nefarious activity. But we need some assistance from ISPs to filter non-compliant packets (e.g., spoofed IP addresses), and I’d go further to suggest a stateful firewall (hosted by the ISP) independent of the modem/router/CPE, and configurable for advanced users. Yes, it would cost $3-5/month more for each user, and it’s optional if you think you can take responsibility. Some users might value it, if it can *warn* them about bad stuff being sent, because people generally don’t like to have their network compromised.

    ISPs should bear responsibility for walling off poor behaviour of user equipment, ranging from complete blockage to filtering (where paid for).

    I’m sure this approach is not perfect, but setting standards for IoT devices just feels weak as the only action.

  23. ProfYamaguchi

    It will always be a cat and mouse game. The other side of this is ensuring that forensics keeps up. Good news: there are many IoT forensics experts focused on a particular device (e.g., baby monitor), but how do we ensure that those needed are in supply upfront, ready and able to share the evidence needed in part for enforcing the laws/regs…

  24. BRMA

    Excellent reporting Brian, as usual. It’s time to stop this IoT madness, or at least slow it down.

  25. Matt Weatherford

    How about requiring any IoT device to put the source code / build / toolchain into escrow… so that in the event the device maker abandons updating or patching, the code is released to the public domain?

    Is it time for openness to be a requirement for participation in a public good (the internet)? Proprietary stacks are getting less attractive anyway for reasons of laziness stated above (why reinvent an ssh/telnet/web server when you can use an open source free one?)

  26. Peders

    The problem I see with IoT devices and their continued growth is that we will have to switch our thinking from having ways of securing clients to securing more and more which clients have access to the data we are trying to protect. I saw in Walmart the other day a toothbrush with Bluetooth. What on earth would this type of device need to be added to a network for? Right now companies are going to be pushing more and more of these devices into the environment because it is the newest and latest thing that consumers want. What we need to have in place is limits on what these devices can do on a network. Imagine a few years from now when everything new in your house is connected by Bluetooth with each other. Say you get hacked by one of the teams out there using ransomware; this now becomes an issue not only with protecting your data but protecting your physical possessions. They turn on your heat in the summer and crank it way up until you pay them. The implications of these clients on a network cannot be overstated. We need to come up with ways to build incentives for companies to limit what these devices can communicate over the network. The problem with this is one of my pet peeves in software liability. That software companies offer no guarantees that they will cover vulnerabilities with their products makes this more and more of the Wild West. In my opinion, this will never happen until there is a loss of life, and that will force Congress to make a law forcing them to stop with these book-long liability agreements you see all the time.

  27. Zeno

    Don’t all devices that connect to the internet require certification by the FCC? It is time for the FCC to withdraw certification for any device made by Dahua or with components from XiongMai Technologies. This should make them unsalable in the US.

    The next step is a recall. The manufacturers that have used these devices or these components should be required to recall them.

  28. Rob

    Go ahead, call me a paranoiac, too, I don’t care. I think we shouldn’t be trading tech products with China. They clearly have it out for us. U.S. companies aren’t allowed to have any kind of web presence inside the great Chinese firewall and our products are virtually banned there through regulatory fiat. Obviously, they see us as an enemy. If that is the case, we can also safely surmise that they are going to do this type of shady stuff to us, or at least turn a blind eye when some state-sponsored electronics company wants to unleash some sketchy products onto the U.S. market. That brings me to U.S. tech companies that have decided to make all their gear in China. It’s $&@”?!& UNCONSCIONABLE that not even a single U.S.-made tech product can be found anywhere on retail shelves. To the dogs with all of you.