The co-founder of the newly launched Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure “Internet of Things” (IoT) devices, such as the network of hacked security cameras and digital video recorders that were reportedly used to help bring about last Friday’s major Internet outages.
In letters to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), Virginia Senator Mark Warner (D) called the proliferation of insecure IoT devices a threat to resiliency of the Internet.
“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner wrote to the agencies. “And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.”
The letter continues:
“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur” [link added].
As Warner’s letter notes, last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords.
Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors. The attack on Dyn was slightly different because it resulted in prolonged outages for many other networks and Web sites, including Netflix, PayPal, Reddit and Twitter.
As a result of that attack, one of the most-read stories on KrebsOnSecurity so far this year is “Who Makes the IoT Things Under Attack?“, in which I tried to match default passwords sought out by the Mirai malware with IoT hardware devices for sale on the commercial market today.
In a follow-up to that story, I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products (for a look at XionMai’s response to all this, see Monday’s story, IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers).
In his inquiry to the federal agencies, Warner asked whether there was more the government could be doing to vet the security of IoT devices before or after they are plugged into networks.
“In the FCC’s Open Internet Order, the Commission suggested that ISPs could take such steps only when addressing ‘traffic that constitutes a denial-of-service attack on specific network infrastructure elements,'” Warner wrote in his missive to the FCC. “Is it your agency’s opinion that the Mirai attack has targeted ‘specific network infrastructure elements’ to warrant a response from ISPs?”
In another line of questioning, Warner also asked whether it would it be a reasonable network management practice for ISPs to designate insecure network devices as “insecure” and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses.
It’s good to see lawmakers asking questions about whether there is a market failure here that requires government intervention or regulation. Judging from the comments on my story earlier this month — Europe to Push New Security Rules Amid IoT Mess — KrebsOnSecurity readers remain fairly divided on the role of government in addressing the IoT problem.
I have been asked by several reporters over the past few days whether I think government has a role to play in fixing the IoT mess. Personally, I do not believe there has ever been a technology challenge that was best served by additional government regulation.
However, I do believe that the credible threat of government regulation is very often what’s needed to spur the hi-tech industry into meaningful action and self-regulation. And that process usually starts with inquiries like these. So, here’s hoping more lawmakers in Congress can get up to speed quickly on this vitally important issue.
Sen. Warner’s letter to the FCC looks very similar to those sent to the other two agencies. A copy of it is available here.
The burden needs to be put on the equipment manufacturers. They need to include with product guarantees for security updates. Once the security updates are scheduled to stop, the device needs to shut off or at least not allow itself to talk to the Internet (LAN access only). Consumers are too dumb to manage this stuff. It needs to auto-update and keep itself secure, and then beyond the warranty period it needs to notify the user that it is insecure and can no longer access the Internet.
Any manufacturer who won’t do this should be banned from import or US sales. “Non-commercial” homebrew/hobby/Linux equipment needs to be tackled in a like manner, except the burden would be on the owner since this is their own equipment. If you build a custom (experimental?) plane, it is on you if it causes accidents, and this is very much the same.
If the threat to infrastructure is as real as this site suggests, more drastic measures need to be taken than just regulation. Couldn’t the NSA or some other agency charged with protecting the nation’s assets install something on these insecure devices to permanently disable them? After all, if they are so insecure, how hard could it be to brick them remotely?
Do you have a list of the vulnerability of devices so I can check to see if my DVR is open to being misused, i.e., a TiVo premiere box? – Thanks