October 25, 2016

The co-founder of the newly launched Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure “Internet of Things” (IoT) devices, such as the network of hacked security cameras and digital video recorders that were reportedly used to help bring about last Friday’s major Internet outages.

In letters to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), Virginia Senator Mark Warner (D) called the proliferation of insecure IoT devices a threat to the resiliency of the Internet.

“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner wrote to the agencies. “And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.”

The letter continues:

“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur” [link added].

As Warner’s letter notes, last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things (IoT) devices protected only by their factory-default passwords.

Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors. The attack on Dyn was slightly different because it resulted in prolonged outages for many other networks and Web sites, including Netflix, PayPal, Reddit and Twitter.

As a result of that attack, one of the most-read stories on KrebsOnSecurity so far this year is “Who Makes the IoT Things Under Attack?”, in which I tried to match default passwords sought out by the Mirai malware with IoT hardware devices for sale on the commercial market today.

In a follow-up to that story, I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products (for a look at XiongMai’s response to all this, see Monday’s story, IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers).

In his inquiry to the federal agencies, Warner asked whether there was more the government could be doing to vet the security of IoT devices before or after they are plugged into networks.

“In the FCC’s Open Internet Order, the Commission suggested that ISPs could take such steps only when addressing ‘traffic that constitutes a denial-of-service attack on specific network infrastructure elements,’” Warner wrote in his missive to the FCC. “Is it your agency’s opinion that the Mirai attack has targeted ‘specific network infrastructure elements’ to warrant a response from ISPs?”

In another line of questioning, Warner also asked whether it would be a reasonable network management practice for ISPs to designate insecure network devices as “insecure” and thereby deny them connections to their networks, including by refraining from assigning such devices IP addresses.

It’s good to see lawmakers asking questions about whether there is a market failure here that requires government intervention or regulation. Judging from the comments on my story earlier this month — Europe to Push New Security Rules Amid IoT Mess — KrebsOnSecurity readers remain fairly divided on the role of government in addressing the IoT problem.

I have been asked by several reporters over the past few days whether I think government has a role to play in fixing the IoT mess. Personally, I do not believe there has ever been a technology challenge that was best served by additional government regulation.

However, I do believe that the credible threat of government regulation is very often what’s needed to spur the hi-tech industry into meaningful action and self-regulation. And that process usually starts with inquiries like these. So, here’s hoping more lawmakers in Congress can get up to speed quickly on this vitally important issue.

Sen. Warner’s letter to the FCC looks very similar to those sent to the other two agencies. A copy of it is available here.


91 thoughts on “Senator Prods Federal Agencies on IoT Mess”

  1. Dave

    “In another line of questioning, Warner also asked whether it would be a reasonable network management practice for ISPs to designate insecure network devices as “insecure” and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses.”

    The answer to that question is “NO”. No, it is NOT reasonable for ISPs to arbitrarily shut off a person’s connection because one device behind their NAT is “insecure”.

    I get it – I want these devices blocked as close to the source as possible, but this is NOT the way to do it.

    How do you determine a device is “insecure”? Will there be a whitelist? A blacklist? Who’s in charge of said list or lists? How does this square with net neutrality? (hint: it doesn’t)

    What are the chances an ISP will get more phone calls to support for blocking valid devices (maybe even “insecure” ones) than they will get calls for DDoS attacks?

    Do you actually want ISPs to be able to say “You can’t connect that device to our network”? Really think that one through, hard. Because we already had that scenario, and it didn’t work out so well for the consumer…

    1. dlroWolleH

      You make a quick jump from ‘reasonable’ to arbitrary….

      1. Dave

        I guess I’m just clever like that.

        Or maybe because it IS arbitrary.

        It can be safely argued that EVERY device is inherently insecure in some way that just isn’t knowable yet. But being extremist/pedantic like that doesn’t advance the argument.

        But suffice it to say, giving ISPs the ability to – yes, ARBITRARILY – decide what devices are “secure” enough to connect to “their” network (not really, they’re allowing you to connect THROUGH their network to the internet) takes us straight back to the “good” (really bad) old days when the network providers not only dictated what devices could connect to the network, but that they had to own them as well – this is why we had rotary-dial telephones for decades, and paid through the nose for the “privilege” of using such antiquated technology.

        There was no reason to innovate, because AT&T was making a ton of money, reliably, off of what they allowed on to the network, all the while backed by the full force of the US Government.

        It was only with deregulation that you ever saw anything like real network innovation begin – we would not have the Internet of today without it.

        So to see someone in Congress even SUGGEST that ISPs be able to determine what connects to their network is frankly terrifying to me.

        1. Z

          It would not be arbitrary – in fact, thanks to Mirai, leaders and ISPs have the exact script to identify vulnerable devices.

          These techniques are not super sophisticated either (see Brian’s earlier article, “Spreading the DDoS Disease and Selling the Cure”). That 19 year-old from Rye, NY found 250k devices while chatting with Brian on Skype.

          The label “insecure” would not refer to brands/models, but unpatched or factory-default-password devices. No private company wants to sell a useless device – it will be in their interest to swiftly issue patches.

          The real concern is with existing vulnerable devices – many of which are owned by people totally unaware of this. I can’t think of a better way to alert and incentivize people than the risk of taking away the device’s connectivity. And I do believe ISPs are best positioned to carry it out. They have technicians to assist customers and they want to keep their infrastructure running smoothly.

          1. Andrew

            Dave is right. ISPs are in a position to make money, not police your devices. Absent government regulation every ISP could make their own whitelists. It is absurd to give private corporations the legal authority to cut connections. ISPs could group together and extort funds to approve devices or standards, which they have no expertise or qualifications to execute in the real world. Where Dave is talking from.

            1. null

              ISPs should be able to do something about devices connected to their network that are causing problems. They’d have to do something about equipment that was shorting out the network or otherwise breaking the network.

          2. Justin

            The only way for an ISP to determine that information would be to ‘poke’ around within your own internal network. Being manpower intensive, they would simply write an algorithm to scan your network (under federal approval), document your devices and compare them to a blacklist/whitelist. If you have a device on the list (patched or not, defaults changed or not) your connection is deactivated.

            ISPs do this now if they see ‘suspicious’ traffic on your network, even if it is legitimate. The connection will be shut off until you can prove your innocence.

            There is also the definition of insecure versus secure. I may consider your home/business network which runs on the ISP’s supplied router insecure (and it is) and believe you should have a commercial grade firewall like I have.

        2. Scarboni

          I dunno it seems pretty straightforward to me: if I as an ISP can log into my customer’s devices using “username: root and password: xc3511” that IP address owner gets notified to take it off my network.

          What’s wrong with that?

          1. Justin

            So you believe in giving an ISP ‘blanket authority’ to access devices within your network?

            Let that sink in.

        3. Matt K

          I agree. I could definitely see ISPs blocking, for example, a pfSense box because it wasn’t “secure.” Of course, you can always lease (indefinitely) one of their “secure” wireless routers for only $10 a month.

        4. Larry

          What, you don’t trust the government to take care of it? LMAO!!

    2. Regret

      ‘Do you actually want ISP’s to be able to say “You can’t connect that device to our network”?’

      More fundamentally, do you really want (the idiots in) Congress setting technology or security standards?

      1. Joseph

        Not like the people making and marketing these pathetically insecure devices are any less an idiot though.

        Right now we leave it up to them to do the right thing.

        1. Joe

          Yeah, but having lobbyists tell Congress and ISPs that my Linux box is “insecure” or that my rooted Android phone is “insecure” isn’t the right way.

    3. Ryan

      ISPs have had policies for preventing users from running abusive services on networks for ages. Nearly ALL TOS state you cannot run a newsgroup server or IRC server without permission. Finding these services (and vulnerable IoT devices) is quite simple. They are not saying which devices you can connect, but if they detect bad traffic it could be reasonable to block or restrict this traffic. Not unlike the traffic shaping of users that are ‘caught’ with torrent traffic.

      1. Justin

        Torrents are a good example of ISPs performing blanket bans. They do not just block the torrent traffic (legitimate or not), they block the entire IP, and it is done through an automated process with no human interaction.

        Finding unsecure IOT devices would be harder, as it would be a proactive and not reactive step. The ISP would have to scan your internal network to find them. Read the article; it is not about identifying traffic, but identifying potentially unsecure devices. That is broad enough to be problematic.

        Have WinXP? Well, you’re blocked.
        Have old firmware? Well, you’re blocked.
        Missing patches? Well, you’re blocked.

    4. SeymourB

      They already do. Your ISP’s TOS dictates that they can disconnect your connection if you use it in a way they find objectionable.

      Even signing up for a business connection doesn’t exclude you from this clause. They can still disconnect your internet connection for traffic originating from your network that they find objectionable.

      Think about this for a second. What you’re suggesting means that if you share copyrighted movies and music on your internet connection that the ISP can’t disconnect you for that traffic. They clearly already have that ability.

      What ISPs should do in the case of malicious or known vulnerable IoT traffic is block, not disconnect. Meaning your connection goes down, but with a simple phone call to the ISP and some work on your part to remove or update the offending device, the traffic originating from your network will stop and the block should be removed.

      In short, if you can’t be responsible for the equipment connected to your network, you can’t be trusted with a connection. So it has always been, so it will always be.

    5. Eric

      The problem is that nobody in the industry is all that interested in trying to solve the problem. I see finger pointing, and blame shifting. So the problem just gets worse and worse, and if they let it go long enough, government is going to get in there.

      If the industry doesn’t want government imposing more rules, then industry needs to figure out how to solve this themselves, and they had probably better come up with something pretty quickly.

    6. Adrian Challinor

      I speak as someone whose company suffered as part of the second IoT attack, the one that occurred in late September. Some of the servers my product line was on were behind the firewalls that were attacked by the 150M IoT devices. So, for me, like Brian, this is not an academic issue.

      Clearly something needs to be done, and done very quickly. Having the Mirai code now in the wild is probably the worst and best thing that could have happened.

      It should be possible to use the Mirai code base to generate a network scanner that detects devices that are vulnerable. If we know the devices and ports we can then do something about this. Detection is certainly something that can and should be done centrally.

      The first thing would be to inform the ISP. They are the ones with the contract with the customer. The ISP should then contact the customer, inform them of the situation, and then block the ports, not the IP addresses, just the ports. I understand that the main vector is via Telnet. So why not just require the ISP to block inbound telnet ports to the customer. Once the customer can demonstrate that action has been taken, release the block.

      This can be done hierarchically: start with the main ISP. They won’t want telnet blocked from their network by the backbone internet routers so they will act quickly to identify which of their customers are responsible. They can then block those, and get their master block removed. Rinse, repeat, for as many levels of the hierarchy as needed.

      I repeat: this is not blocking the end user from accessing the internet, it is blocking the inbound ports that perpetrate the attack vector – shut down the C&C botnet’s ability to communicate with the devices. Many users might actually welcome this: it does not stop their use of the protocols within their sub-domains. It adds to their security.

      The internet, whether we like it or not, is part of the critical infrastructure that many people rely upon. From police, military and first responders, to the person wanting to watch VoD. We have rules for other key infrastructures that are based on protecting them from abuse and damage. Having some protection against damage for the internet is a logical progression of its development.

      Legislation alone won’t work. It may give you laws to punish wrongdoers but it is a reaction after the event. It does not, in itself, protect against abuse. What is needed is controlled, positive action to detect, list, and block access to the devices or vectors that cause this issue.

      1. Justin

        So, your solution is to allow a commercial entity (the ISP) to scan private networks?

        Would you allow a private company to have unfettered access to your internal network, to perform a scan of insecure devices? Without a BAA signed?

        1. Infosec Pro

          “without a BAA signed”? When you sign up as the customer of an ISP you have to agree with the TOS. Problem solved.

          Of course you might find an ISP that doesn’t care to do that. OTOH there’s no reason that such an ISP couldn’t be denied interconnect by those more diligent.

          Love this quote from Nolan Bushnell: “Business is a good game. The rules are simple, and you keep score with money.” All that we need to do is to make sure the cost of poor security is paid by those who create it. A multi-tiered Internet may be the result. “Net Neutrality” needs to incorporate broader economic factors, like costs and benefits of good or bad security practices.

    7. MickeyD

      I agree 100% with you on net neutrality, even if the price for net neutrality were no Internet for nobody then I’d still be willing to pay that price. Even if I have an insecure device sending traffic I don’t want nobody to decide whether or not my fucking device is allowed to send malicious traffic or not. Sure, they could notify me but net neutrality all the fucking way!

      1. Infosec Pro

        Sorry Mickey, if your device is insecure I shouldn’t have to accept traffic from it. Neutrality needs to be truly neutral, not favorable to malicious practices.

  2. Brad Regan

    I’m wondering if the Cybersecurity Caucus should also be looking into the profusion of unsafe and non-compliant practices by government leadership in the state department and other government agencies. I’m sure that what has been pointed out as a result of the presidential election is just the tip of the iceberg. Most government servers are probably owned and I’m sure anything operating outside of government control used for government business is probably worse. In my opinion the government should clean up its own house before pointing fingers. They have virtually no IT security credibility at this point.

    1. Bob Miller

      My sentiments exactly. Stones, glass houses yada yada….

    2. Greg D.

      100% correct – this is all about politics and zero to do with actual internet security. Mark Warner’s just trying to take advantage of the Mirai attack, especially since his buddy Tim Kaine is in the political spotlight. A quick review of Mark Warner’s voting record proves he is nothing but a big-government loving hack. Nothing here but political opportunism, folks.

  3. Steve

    Why is there little talk (at least that I’ve come across) about independently-validated certifications, voluntarily chosen by manufacturers?

    Let’s have a security industry body lay out a few “tiers” of certifications for manufacturers. Say “level 1” requires submitting your device/firmware/software for active security assessment, demonstrated commitment to provide patches or updates to newly-discovered security issues within 30 days, 90% of the time, etc. It would have to have an expiry/recertification date to avoid some obvious blunders in other security certification schemes.

    Consumers, businesses, etc. can learn to recognize and insist upon certain certification levels. Manufacturers can sell products at various price points and verified security levels.

    This voluntary approach would at least allow security-conscious builders, their supply-chain and the users to avoid being part of the problem.

    1. No Money

      Manufacturers are not interested in the agenda that you propose because there is no money in it for them.

      Some might say that devices from manufacturers with a proven track record of creating insecure devices should be fined. In the USA they can say anything they want, but will those fines hold up under scrutiny in a US court?

      Then the recourse might be denying importation of devices from manufacturers that make insecure devices. Again, that’s an issue that will end up in court, not to mention creating a “black market” in insecure devices that people might want.

      Sadly there is no “silver bullet” to solving this problem. All the “political grandstanding” by US lawmakers will not change that, and will probably make matters worse.

      1. George William Herbert

        Manufacturers are not interested in UL ratings on products because there’s no money in it, either. Except that there is. Many retailers won’t stock non-UL electric products. Can’t be used in businesses with certain insurance policies. Etc.

        1. Infosec Pro

          But you just invalidated your own point. There is money in UL ratings, because of the insurance implications, and some marketability issues without them.

          Problem is, there is no cost to producers of insecure network devices, and often not to their users, just to the innocent third party victims on the receiving end of the resulting DDoS attacks.

          There need to be liability consequences visited upon those who put insecure devices on the network if those devices are compromised and used to harm others. It’s really something that should be considered contributory negligence and made to pay.

    2. John Moore

      The problem with this certification approach is that consumers may not care or may not be aware. Their devices participating in DDOS attacks may not harm them at all, if the device limits its traffic.

      That’s why the Senator’s mention of “tragedy of the commons” is appropriate – incentives are not lined up right.

      I agree that life is best if government stays out of it. But one of the most widely agreed upon roles of government is intervening in tragedy of the commons situations.

      Let’s hope something less heavy handed than government intervention will work. So far, I have not seen a convincing alternative.

  4. IRS ITUNE cards

    Right now, an even equally growing problem is all the scammers from India and Pakistan calling the United States saying they are from the I.R.S. criminal investigation division or giving out free government grants.

    Krebs needs to do an article on this issue.

  5. null

    The job of the government is to govern, to decide. To step in when problems arise.

  6. Chris Nielsen

    Why can’t the government function as a coordinator for efforts like this? Why is it always do nothing or regulate (for good or ill)?

    Personally, I view the ISPs as our first line of defense since we lack a “Wall” around the USA behind our border routers.

    If we don’t do something soon we are going to have a world with two Internets: Public and Private. The private Internet will have much less of the crap that goes on now with the public Internet. But that safety is going to come at a price that I think most of us will not be happy about paying. And you can expect the private Internet to be owned by someone. That means your “privacy” will only exist to the extent allowed by the TOS.

    Is it really that hard for ISPs to also be able to detect insecure devices and block those that use default passwords??? Isn’t it in the best interest of ISPs and their customers for them to keep an eye on unusual network traffic?

    Look, I just recycled two old CRT monitors at Best Buy last week. The person could not charge me for both fees on one slip, so they put through two charges at $25 each. Today, Capital One sent me an email alerting me to the possibility that I may have been charged twice for a single purchase. THAT is the kind of monitoring and alerts I would like to see from any provider that involves security issues.

    “Dear customer, we have detected network traffic from your assigned IP that is PINGing Twitter.com over 40 times a second. This is a 100% increase from the normal 20 times a second. If you feel there is an issue with your equipment please let us know how we can help.”
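    The alert sketched in the comment above (a per-customer ping rate compared against its own baseline, which is also the kind of flood the article says Mirai-infected devices generate) can be written as a simple baseline-versus-current rate check. This is an added Python example, not code from KrebsOnSecurity, any ISP, or the commenter; the flow records, IP addresses, window lengths and thresholds are constructed for illustration.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# One record per sampled packet: (unix_second, source_ip, destination, protocol).
# The capture below is constructed for this example; it is not data from the
# article or from the comment it illustrates.
Flow = Tuple[int, str, str, str]
BASELINE_WINDOW = (0, 10)   # seconds [0, 10): the "normal" period
CURRENT_WINDOW = (10, 20)   # seconds [10, 20): the period being checked


def constructed_flows() -> List[Flow]:
    """Synthetic capture: one host more than doubles its ping rate, one stays flat, one is new."""
    flows: List[Flow] = []
    for sec in range(*BASELINE_WINDOW):
        flows += [(sec, "198.51.100.7", "Twitter.com", "icmp")] * 20   # normal: 20/s
        flows += [(sec, "198.51.100.9", "Twitter.com", "icmp")] * 5    # quiet neighbour
    for sec in range(*CURRENT_WINDOW):
        flows += [(sec, "198.51.100.7", "Twitter.com", "icmp")] * 45   # now 45/s
        flows += [(sec, "198.51.100.9", "Twitter.com", "icmp")] * 5    # unchanged
        flows += [(sec, "198.51.100.11", "Twitter.com", "icmp")] * 30  # no baseline at all
        flows += [(sec, "198.51.100.7", "Twitter.com", "tcp")] * 3     # other protocol, ignored
    return flows


def rates_per_second(flows: Iterable[Flow], window: Tuple[int, int],
                     proto: str = "icmp") -> Dict[Tuple[str, str], float]:
    """Average packets per second for each (source, destination) pair inside the window."""
    start, end = window
    if end <= start:
        raise ValueError("window must span at least one second")
    counts: Counter = Counter()
    for sec, src, dst, p in flows:
        if p == proto and start <= sec < end:
            counts[(src, dst)] += 1
    # Divide by the full window length so that quiet seconds pull the average down.
    return {pair: n / (end - start) for pair, n in counts.items()}


def percent_increase(baseline: float, current: float) -> Optional[float]:
    """Relative change in percent; None when there is no baseline to compare against."""
    if baseline <= 0:
        return None
    return (current - baseline) / baseline * 100.0


def alert_message(src: str, dst: str, baseline: Optional[float], current: float) -> str:
    """Customer-facing text in the spirit of the comment's sample alert."""
    if baseline is None:
        history = "This host sent no such traffic to that destination in the previous period."
    else:
        pct = percent_increase(baseline, current)
        history = (f"This is a {pct:.0f}% increase from the normal "
                   f"{baseline:.0f} times a second.")
    return (f"Dear customer, we have detected network traffic from your assigned IP {src} "
            f"that is PINGing {dst} over {current:.0f} times a second. {history} "
            "If you feel there is an issue with your equipment please let us know "
            "how we can help.")


def find_alerts(flows: Iterable[Flow], threshold_pct: float = 100.0,
                min_rate: float = 10.0) -> List[dict]:
    """Flag (source, destination) pairs whose ICMP rate grew by threshold_pct or more.

    min_rate suppresses noise: a jump from 1/s to 3/s is a 200% increase but not a flood.
    Sources with no baseline are flagged only if they already exceed min_rate.
    """
    flows = list(flows)                     # the input may be a one-shot iterator
    baseline = rates_per_second(flows, BASELINE_WINDOW)
    current = rates_per_second(flows, CURRENT_WINDOW)
    alerts: List[dict] = []
    for (src, dst), cur in sorted(current.items()):
        if cur < min_rate:
            continue
        base = baseline.get((src, dst))
        pct = percent_increase(base, cur) if base is not None else None
        if base is not None and pct < threshold_pct:
            continue
        alerts.append({"src": src, "dst": dst, "baseline": base, "current": cur,
                       "pct": pct, "message": alert_message(src, dst, base, cur)})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(constructed_flows()):
        print(alert["message"])
```

    In a real deployment the baseline would be a longer rolling history per customer rather than the ten seconds used here, and the destination would come from flow export rather than a hostname.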

    1. Dan

      “Dear customer, we have detected network traffic from your assigned IP that is PINGing Twitter.com over 40 times a second. This is a 100% increase from the normal 20 times a second. If you feel there is an issue with your equipment please let us know how we can help.” –Chris Nielsen

      I can foresee said customer calling the help desk and asking them what PINGing means, and the help desk technician, not knowing network terminology, being unable to answer. Or said customer just ignoring the message altogether and considering it spammish in nature. If I saw an email like that, then I would assume that it is spam and delete it without taking action on my own with a follow up email or phone call. I would chalk this up to the fake phone calls from some guy who claims they are from the Microsoft Security Team notifying you that you have a virus and that they can help remove it, but first they need to install malware on your machine.

      1. Infosec Pro

        Dan, you can’t get a license to take a car on the road if you don’t know how to drive. You can’t get clearance to take off in an airplane if you’re not a trained pilot. No reason you should be able to plug in a computer if you don’t know what you’re doing. You need some trained technician to make sure it’s secure, and if the user can’t do that for themselves they need to get someone who can. Otherwise the existing mess will continue and get worse.

  7. Shawn Bernard

    Even if we passed the most reasonable regulations ever made and every device sold in the United States was fully vetted, tested and had an IoT Secure certification with a shiny hologram sticker, it would make so little difference as the rest of the world is also connected to the Internet. I do not foresee China and India enacting identical regulations.

    1. The Phisher King

      That’s the spirit! The problem is too widespread so we should just give up.
      How about:
      1. Cleansing our own IP space of insecure-by-default IoT crapware and therefore make someone else the easy target
      2. Europe and most Western countries will quickly follow suit and therefore create a market for secure-by-default IoT crapware, and as most manufacturers want to make only one model of something they will eventually stop making the insecure-by-default IoT crapware.

      1. Shawn Bernard

        I do not think I said “We should give up”, more along the lines of “Hey guys, banning peanut products in Canada is not likely to have a noticeable effect on peanut allergy related emergency room visits in Florida”

    2. Andrew

      Didn’t Brian have a map for one of these attacks, and I recall 85% of the bot devices were coming out of Spain?

      Standards need to be set, and Congress doesn’t do the details, Congress has already given authority to the FTC to investigate and seek input from industry experts to do something, which is why the senator sent the letter and didn’t introduce a Bill.

  8. Nobby Nobbs

    I hope the government can get a clue.
    I’d feel more hopeful if they’d stop using “Cyber-” as a prefix to anything I’m expected to take seriously.
    Just saying…

    1. @law

      Yes all this “cyber” in the mouths of politicians tastes awfully bad. On the other hand governments are hoarding and buying zero day exploits and any type of malware and “cyberwar” seems to be the new hype.
      I am glad to have lived the longer part of my life without the interwebs and can very well imagine living without it again.

  9. No

    I wonder how the recall is going – actually I don’t as I suspect the recall is a PR announcement only.

    Let’s say company X builds electronics which it sells to other companies, such as company Y, who relabel it, put it in their own enclosure and box and sell it to customers.

    Then company X discovers an issue with the product and announces a recall – can they do this? Or do they advise their customers of the issue, such as company Y, who may then decide to do a recall? What if company Y does not think there is an issue, or does not care, or has gone out of business? Has company X carried out a ‘recall’ although nothing has changed for customers with the product, and in this case also those attacked by DDoS?

    (Note it would be different if a safety regulator recalled a product, however that does not appear to be the current situation)

    1. skele

      Isn’t that similar to the airbag recall recently for Toyota and a host of other car makers due to Takata airbag issues?

    2. B. Brodie

      I’m guessing zero liability for damages due to incompetent design. Consider the EULA accompanying most IT products:

      no warranty: you expressly acknowledge and agree that use of (product) is at your sole risk and that the entire risk as to satisfactory quality, performance, accuracy and effort is with you.

      To the maximum extent permitted by applicable law, this (product) is provided “as is” and “as available”, with all faults and without warranty of any kind, and provider hereby disclaims all warranties and conditions with respect to the (product) and any services, either express, implied or statutory, including, but not limited to, the implied warranties and/or conditions of merchantability, of satisfactory quality, of fitness for a particular purpose.

      (manufacturer) does not warrant that (product) will meet your requirements, that the operation of (product) will be uninterrupted or error-free, or that defects in (product) will be corrected.

      No oral or written information or advice given by (manufacturer) or its authorized representative shall create a warranty. Should (product) prove defective, you assume the entire cost of all necessary servicing, repair or correction.

      No liability: to the extent not prohibited by law, in no event shall (manufacturer) be liable for personal injury, or any incidental, special, indirect or consequential damages whatsoever, including, without limitation, damages for loss of profits, loss of data, business interruption or any other commercial damages or losses, arising out of or related to your use or inability to use (product), however caused, regardless of the theory of liability (contract, tort or otherwise) and even if (manufacturer) has been advised of the possibility of such damages.

      In essence, they don’t have to fix it, and you are liable for damages caused by the use of it.

      1. dwarfplanet9

        @B. Brodie,

        I think you’re spot on here. One thing that governments could do is to outlaw these “No Liability” licenses. Right now, the only way we can use one of these devices is to agree to these irresponsible “No Liability” terms.

        If manufacturers can be held liable for damages done by their unsecure devices, then they will have a financial motivation to make more secure devices.

        That’s the theory anyway.

  10. Mark Sigsbee

    Wait! Is this the SAME Federal Government that recently sent ICANN to the private sector? Mixed signals here.

    1. KFritz

      I was ready to consign your comment to the “reflexively libertarian” trash can…but no, you’re correct! I was under the vague impression that supervision would transfer to something akin to the UN, a Government Sponsored Entity (GSE) sponsored by multiple governments (MGSE?). Instead it’s a multi-input mishmash. Neoliberalism strikes again.

  11. B. Brodie

    I’m guessing zero liability for damages due to incompetent design. Consider the EULA accompanying most IT products:

    NO WARRANTY: YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT USE OF (PRODUCT) IS AT YOUR SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU.

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THIS (PRODUCT) IS PROVIDED “AS IS” AND “AS AVAILABLE”, WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND PROVIDER HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE (PRODUCT) AND ANY SERVICES, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR PURPOSE.

    (MANUFACTURER) DOES NOT WARRANT THAT (PRODUCT) WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION OF (PRODUCT) WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS IN (PRODUCT) WILL BE CORRECTED.

    NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY (MANUFACTURER) OR ITS AUTHORIZED REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD (PRODUCT) PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

    NO LIABILITY: TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL (MANUFACTURER) BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OR INABILITY TO USE (PRODUCT), HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE) AND EVEN IF (MANUFACTURER) HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    In essence, they don’t have to fix it, and you are liable for damages caused by the use of it.

    1. John Moore

      That legalese protects the manufacturer from the person who bought the device. It doesn’t protect them from the victim, who signed nothing.

      It is like a car with defective brakes. The person run into can sue the manufacturing chain.

    2. SeymourB

      The problem with a lot of legalese in contracts is that they’re essentially written because executives at the manufacturer want it to be written in, not because the terms are in any way, shape, or form enforceable. Meaning a reasonable legal defense can pick apart the contract in a court.

      That’s why so many software licenses are essentially laughable in terms of the rights they claim they’re taking away, when those rights can’t be signed away. You cannot sign someone into slavery (at least in most parts of the world), similarly you cannot sign away other rights.

      The problem is that many companies are huge with massive legal teams and firms on retainer to essentially deter anyone from poking holes in their contracts. You would either need to be a lawyer with a fairly deep breadth of skills to challenge them in court with a whole lot of time to go through the sheer amount of paperwork they’ll inundate you with (which is typically why they’ll hire on legal aides and paralegals to sort, and they won’t work for free), or a man of personal wealth to essentially pay a firm all their costs related to the suit in order to challenge the contract.

      Of course the real winners here are the law firms who write the contracts. They inform the executives that the contracts are worthless and the executives don’t care, all that happens is that the billable hours go up as the meetings continue where they inform execs that their latest directives are ultimately unenforceable, but the execs never care and tell them to write it in anyway. I’ve actually sat in on more than a few of those meetings.

  12. vb

    The government has a role in cleaning up this mess. The FCC should speak up and clarify exactly what it is for an ISP to be a common carrier.

    I want ISPs to be able to say “You can’t keep that device connected to our network” if that device is sending out a spoofed IP address.
    Examining the control plane information is well within the bounds of common carrier practices and well within the bounds of net neutrality. If the ISP were to examine the data plane, that would be stepping over the line.

    1. Infosec Pro

      But, are ISPs common carriers?

      IIRC their position is, they are only to the extent it is to their benefit, but never if it means the government might tell them what to do by regulating them.

  13. vb

    In Finland, network operators are required to:
    “[…] prevent in their IP interconnection interfaces such IP traffic to the operator’s network where the source address of a received IP packet 1) belongs to an IP address space that the telecommunications company itself administers or advertises, 2) belongs to an IP address space that is reserved for non-public use, or 3) does not belong to routes advertised by a telecommunications company that conveys traffic to other telecommunications companies.”

  14. Lee

    I think the thing being ignored in all the coverage that I’ve seen so far is the fact that these cameras and DVRs, etc., are accessible via Telnet and SSH when most everyone should be behind NAT firewalls. This is telling me that UPnP is a serious security problem that needs to be addressed and disabled by default by all firewalls. The IoT devices should not be accessible by SSH and Telnet from the internet to start with.

    1. Kalif

      Lee, very good point.

      Something is wrong if any consumer device inside a DSL or cable router has a publicly routable IP address.

      Every router I’ve ever had does NAT and is effectively a stateful firewall. Doesn’t this mean that the devices inside the router’s network can’t be port-scanned?

      1. Joe

        No, that is exactly what IPv6 does.
        NAT is a kludge to deal with limited IPv4 addresses. Using NAT as firewall is just a bad thing.
        Have a decent firewall set up.

        1. Whoever

          Joe, Kalif and Lee are right. This is primarily a UPnP problem, not a telnet, dns, ssh or other network problem. Disable UPnP and this specific issue goes away.

    2. Christenson

      Two proposals:

      Technical: My consumer ISP connection has but one IP address, and my ISP should not accept any packets that spoof it.

      Legal: My ISP should “have to” configure my modem/router by default not to accept incoming IP connections.

      I agree with Brian that the government is a horrible regulator: I’d prefer different notions of “legal” and “have to” than FCC regulations.

  15. Jacob

    Remember, a large number of the “bots” were both made and used overseas, out of US government regulatory reach.

    1. null

      Yet as others have said, they have been tested for radio interference (FCC) and are UL listed. And they have to follow all sorts of internet standards to actually work.

      Where are the minimum security standards?

    2. SeymourB

      So?

      The EU implemented the RoHS directive and items that didn’t implement the RoHS directive were no longer allowed to be imported into the EU.

      Guess what that meant? Items for sale in the US also meet the RoHS directive, because manufacturers aren’t going to make two different items; it’s not cost-effective. They make one item that meets all regulations, sell that item everywhere, costs of scale work in their favor and they make a profit. There are fixed costs for starting a production run that have to be distributed across each unit manufactured in that run. Two runs of different units means twice the fixed costs and a higher per unit cost.

      It’s hard to sell an item in the US if it doesn’t meet US regulations, the same way it’s hard to sell an item in the EU if it doesn’t meet EU regulations. You can always import it through back channels and sell it on the black market, but there’s only so much volume you can get in that way before getting caught.

  16. Don

    I think the US needs a WALL. A FireWall and we get China to pay for it.

    1. Jon snow

      I doubt it, except after the creator released it on his forum it was downloaded by many; there is apparently a git repository for it. Maybe there is some English mash-up where Brian got an exclusive, as in the only or one of few people talking about it.

    2. SeymourB

      The link to Mirai was posted to crime forums long before Krebs posted about it. He only has a window into some of the forums, not every forum, everywhere.

      Trying to blame reporters for reporting on stories is a very old game. Politicians throughout time have based their entire campaigns around it. Ultimately nothing is gained by shooting the messenger.

  17. JAK

    As a former tech with a large security camera company, we’d always recommend any IP cameras be on a dedicated network with no access to outgoing internet. They would connect to the DVR, which in turn had a single IP facing outward to the company network and internet. This kept cameras themselves from being directly accessed, and the DVR had its own security measures and passwords.
    Just throwing that out there to mention that if any cameras are participating in DDoS, it’s a failure to install them properly.

    1. John Moore

      These devices use UPnP to drill holes through the NAT, so they can be accessed from the outside. Home users like to have Internet access to some of their IoT devices, such as security cameras and DVRs.

      After reading about this, I took a look at my ISP provided DOCSIS CATV internet router, and found 6 different devices drilling those holes, including a Dish Network DVR.

  18. Jay

    Has any security agent or company developed a vetted program or app to scan a network, especially a home network, for vulnerable or corrupted IoT devices that are connected to that network? It would be very helpful to disable and remove an offending device. Is such an app possible?

    1. The Dex

      Well, an app is possible – probably won’t be 100% secure, but around 80%-90% would do (the same as with AntiVirus solutions). I think it can also be mobile, but some problems might arise.

      On the other hand, a customer C spends $100 on a poorly-designed device – and he sets it up, uses it etc. Are you sure he will throw away [or isolate] that device if he finds out it might be a potential threat?

  19. tz

    Or simply create liability no different for other unsafe or ineffective products.
    A door lock that could be easily opened without a key or locksmithing tools would be recalled.
    VW owes 15 billion over cheatware.
    I had a bad DNS setting so a router was used in an amplification attack, and my ISP was going to disconnect or block me if I didn’t fix it. They should do the same with IoT.

  20. George Bonser

    The problem with IoT devices is that they are often owned by people who do not know how to locate the offending device. We are talking about the average consumer who has a camera to catch the guy stealing their Amazon packages. They might get notified that SOMETHING in their network is compromised but is it their TV, printer, camera? They have no idea how to find it.

    And to address the issue of the rest of the world going along with any regulations, if both the EU and the NAFTA countries declared that in order to sell any internet enabled device in their economy, the device needed to have changeable credentials that are unique for each device when shipped (even using the device serial number as a password would be better than nothing), the manufacturers would make that the standard for every device built.

    India and China might not want to implement those regulations in their countries but they certainly want to sell into western markets and they probably are not going to make two different kinds of device. So by the large western consumer markets making such a standard regulation, the other consumer markets are also protected. The problem would be coordinating between the governments to make a single standard that manufacturers could meet and sell into all markets.

  21. Jean Camp

    “Personally, I do not believe there has ever been a technology challenge that was best served by additional government regulation.”

    You liked it when there were no safety standards for electrical power lines? Power distribution was once competitive, multiple lines on a pole, and under-capitalized companies would leave downed lines.

    You do not like food safety? Salmonella really has so few remaining fans.

    That seems a remarkably ahistorical POV.

    https://www.amazon.com/dp/B0084AYM0M/

  22. David

    Probably crazy, but there could be legislation for future IoT devices to choose random ports above, say, port 1000, and then it’s up to the user to tweak them back to whatever they need if they want to. The vast majority of users will just plug and play and have no clue what a telnet port is. This will make scanning IP ranges for open ports much slower. This obviously won’t solve the already sold devices though.

    1. The Dex

      In the future, the scanning speeds will also grow – alongside with fingerprinting speeds. We already have ZMAP and other very-fast scanners. We also have 100Mbps download and 100Mbps+ upload speeds for an “average Joe” – at least, in some parts of the world.

      For example, here in Romania, we have 1Gbps [max] download and 500 Mbps [max] upload for about $10. That makes scanning & others very easy and very fast…

  23. Scott Allen

    In order for the market to work, consumers need to be able to understand what the security posture is, of the IoT products they buy. What we need is a UL type organization to rate these products. Anyone want to start a business?

  24. Silemess

    Side idea:

    What if the IoT devices had to speak to a hub before going to the world at large?

    Basically, requiring that there be a home server or something similar instead of simply the consumer router that’s currently available. That server would then act as the line of defense to protect the devices downstream of it.

    Making it an operating standard means that no manufacturer gets to claim an advantage over the other IoTs because (in theory) they should swap easily. The server filters and relays the desired info (your home temp, video, etc) without relaying the administrative access.

    The server would be more likely to be maintained, and better able to handle required security upgrades than the plethora of devices that would be hiding behind it. Same basic flaws apply though, it would be another useful asset to be compromised in the event someone does get in, and it would be extremely unlikely to be monitored by the owner because as long as they can still see their devices remotely, they wouldn’t have a clue that the server was compromised.

    In practice, I suspect that this would simply be abused by the manufacturers as well. The various server suppliers would simply degrade the non-preferred devices so that people swap to the “better” gear. And there’s still the problem of making sure that the servers stay updated, but I’m envisioning this being an OS manufacturer already. But trying to collect and protect these simple (and let’s face it, already doomed to fail) devices behind a better firewall (preferably one that can double as an IDS and prevent brute-force attacks) is the only way to improve things.

    A lot of the gear that people are planning to make IoT simply won’t be kept updated for the lifespan of the device. If they are effectively directly on the internet (as is the case of things that use UPnP) or nearly directly on (simply behind a consumer’s ISP provided default router (or worse, something that is itself already a decade old and never updated)), we’re going to be screwed. Fridges and home thermostat systems simply aren’t going to be replaced with the regularity of cameras or even cars. Manufacturers aren’t going to support the devices for their functioning lifetime, and they’ll wash their hands of it after a 5-year period saying that they’ve supported it as long as they can (try to) call reasonable.

    Really, until it becomes the IoT-as-a-service, this is a path that leads to madness.

  25. Robert Gezelter

    The problem of insecure IoT devices is admittedly complex. Easy consumer use requires easy configurations, which in turn lead to vulnerabilities. ISPs do not have visibility to devices located behind NATs and firewalls, but these same devices can be accessed via phishing and similar attacks against other devices behind the NAT/firewall.

    Well-known default passwords and otherwise weak passwords are a problem. Good practice is that well-known passwords/weak passwords should not be used.

    ISPs (and ISP-provided access portals) should implement egress/ingress filtering, a concept I described in the “Computer Security Handbook, Third Edition” (1995), which was subsequently codified in IETF BCP 38.

    Securing IoT devices and home networks is not a simple problem. For a start, IoT devices should probably be on a separately firewalled subnetwork, without unfettered access to the rest of the home/office network, much less unfettered access to the general Internet.

  26. Dennis Kavanaugh

    I am not fond of government regulation. They are not timely, they are overly reactive, and in general not nimble enough to get in front of these kinds of issues. I am fond of transparency, and part of that transparency can involve federal involvement in creating a means to evaluate, expose and even perhaps certify the IoT devices sort of like the Underwriters Lab or perhaps a FIPS type of classification.

  27. CJ

    One thing I’m not seeing here is personal responsibility. If you buy an object that has adverse effects on common infrastructure you should be personally liable or at least liable to have your access to that infrastructure shut off.
    That creates an incentive for customers to be cognizant of certified or quality devices and the shoddy junk that is currently causing problems.
    It is now in the customers’ best interest to buy something better and then companies will look to meet those needs.
    Harness the market with simple principles. Property rights seem to answer this perfectly. The ISP certainly has a right to stop your connection from attacking infrastructure.
    P.S. A warranty saying you aren’t responsible for anything that goes wrong will not necessarily hold up in court.

  28. G.Scott H.

    ISPs are at a good location to make a difference. Packets with spoofed source addresses should not leave an ISP’s network. But they do. There are many network services such as telnet, ftp, smtp, dns, http(s), ssh, etc. that the vast majority of their customers are not providing to the Internet. But inbound packets to the ports of those services are not blocked. The equipment most of their customers use to connect is provided for a fee by the ISP or purchased from a compatible list maintained by the ISP. But that equipment is not vetted for security. That equipment is frequently configured by the ISP and not the customer.

    Spoofed source packets should be blocked by ISPs. Inbound traffic for common services should be blocked by default, with the customer able to request them to be opened as needed. Connection equipment maintained by the ISP should be maintained by the ISP and properly configured to include secure operation.

    One of my ISPs was blocking my use of an alternate DNS provider. I was told this was for security. I was able to get my way with a little effort, I was surprised it wasn’t harder. They had suffered a DNS outage, but I did not. Most of their other customers thought the Internet was broken. I suspect the real reason for forcing the use of their DNS was for monetizing purposes not security.

    I have an idea for a more secure implementation of an IoT device’s intended inbound connection. Use an ephemeral port token akin to authentication tokens. The device and its app would use the “ephemeral port of the minute” to communicate. The time cycle could be less than a minute.
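The three Finnish interconnection rules quoted by vb (comment 13), the BCP 38 ingress/egress filtering Robert Gezelter mentions (comment 25) and the spoofed-source point in this comment all reduce to one source-address check per packet arriving from a peer. The block below is an added example, not code from the post or any commenter, that implements that check in Python; the prefix tables, the peer route list and the `classify_source` / `filter_packets` names are assumptions, and all addresses are constructed from documentation ranges rather than any real operator's space.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed prefix tables for one interconnection interface (illustrative only).
# Rule 1: address space this operator administers or advertises itself.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]

# Rule 2: address space reserved for non-public use. A representative subset of the
# IANA special-purpose registries, not an exhaustive bogon list; the documentation
# ranges 192.0.2.0/24 and 198.51.100.0/24 are left out so they can stand in for
# public space in the sample below.
NON_PUBLIC_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Rule 3: routes the peer on this interface has advertised to us (constructed).
PEER_ADVERTISED_ROUTES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:2::/48")]


def _matches(addr, prefixes) -> bool:
    # ipaddress answers False when an IPv4 address is tested against an IPv6
    # prefix (and vice versa), so mixed-family tables are safe here.
    return any(addr in prefix for prefix in prefixes)


def classify_source(src: str, own=OWN_PREFIXES, non_public=NON_PUBLIC_PREFIXES,
                    peer_routes=PEER_ADVERTISED_ROUTES) -> str:
    """Apply the three source-address rules to one packet received from the peer.

    Returns "accept", or the first rule that rejects the packet:
      rule1  source lies in space we administer or advertise ourselves
      rule2  source lies in non-public / special-purpose space
      rule3  source is not covered by any route the peer advertised to us
    Unparsable sources are reported as "invalid" rather than silently passed.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "invalid"
    if _matches(addr, own):
        return "rule1"
    if _matches(addr, non_public):
        return "rule2"
    # Rule 3 is the strict form of the check: on an interface whose return paths are
    # asymmetric it can reject legitimate traffic, so the peer route table must be
    # kept in step with what the peer actually announces.
    if not _matches(addr, peer_routes):
        return "rule3"
    return "accept"


def filter_packets(packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, verdict) per (src, dst) pair; any verdict but "accept" is a drop."""
    return [(src, dst, classify_source(src)) for src, dst in packets]


# Constructed sample packets as they might arrive on the interconnection interface.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),    # legitimate: inside a route the peer advertised
    ("203.0.113.5", "203.0.113.10"),     # spoofed: claims to come from our own space
    ("10.1.2.3", "203.0.113.10"),        # spoofed: private (non-public) source
    ("192.0.2.44", "203.0.113.10"),      # spoofed: public-looking, never advertised by peer
    ("2001:db8:2::1", "2001:db8:1::1"),  # legitimate IPv6 from the peer's advertised space
    ("fe80::1", "2001:db8:1::1"),        # link-local must never cross an interconnect
    ("not-an-address", "203.0.113.10"),  # malformed source
]

if __name__ == "__main__":
    for src, dst, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>18} -> {dst:<14} {verdict}")
```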

  29. Reba

    Either business will do what needs to be done, or they can let the government impose a solution on them. If they are smart, they had better get cracking patching those security holes…
