Pressure is growing on federal regulators and homeland security officials to offer some reassurance to the public about the security of the internet of things after last week’s massive DDoS attack.
In letters Tuesday to the Federal Trade Commission, the Federal Communications Commission and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, Sen. Mark Warner, D-Va., co-founder of the bipartisan Senate Cybersecurity Caucus, asked about the tools the agencies have — and the ones they might need — to prevent cybercriminals from weaponizing IoT devices.
It’s now clear that the network of infected internet computers which knocked major websites offline Friday was composed of internet-connected consumer devices like webcams, DVRs and routers. They had been manipulated by a malicious software program, known as Mirai, which scans the internet looking for IoT devices with default passwords or other security flaws to recruit them into the botnet.
Mirai’s source code was released Oct. 1, enabling any low-skill hacker to use it to build a network of unsecured, but internet-connected devices. Even a few thousand of these devices can generate large amounts of internet traffic.
“Mirai’s efficacy depends, in large part, on the unacceptably low level of security” in IoT devices, wrote Warner.
Under the FCC’s Open Internet rules, internet providers cannot prohibit the connection of “non-harmful devices.” But Warner argued that “devices with certain insecure attributes could be deemed harmful to the ‘network’ – whether the ISP’s own network or the networks to which it is connected.”
He challenged the agencies to define network management practices that service providers could use to limit the damage from mega-botnets like Mirai.
Former FTC Commissioner Julie Brill told the Privacy and Security Forum in Washington Tuesday that her agency was concerned with three security issues raised by IoT: The security of personal data; the weaponization of botnets and consumer safety.
“It’s very personal data,” she said of the information collected by IoT devices like medical equipment, “So there’s a privacy aspect to ensuring that this information is secure.”
That’s “one of the animating principles” at the root of FTC’s approach in the IoT arena, she said. Brill, who was an FTC commissioner for almost six years until March, is co-head of Hogan Lovells’ global privacy and cybersecurity practice.
“These devices raise questions about how motivated some of the manufacturers are going to be to ensure the security of the information that is being traded and sold along to others,” she said. “Do they have the expertise, do they have the business model to push through patches?”
The safety issue was obvious in driverless car technology, as well as networked medical devices, but it was also present even in connected home applications. “You’re gonna have devices that are connected to the internet, maybe they’ll be vulnerable and maybe someone could do something quite extraordinary and hazardous right in someone else’s home.”
The agency, she said, will be looking at all three of those issues, using the “reasonable security” standard to measure corporate malfeasance.
“The FTC will be out there looking for cases,” she said.
Cybersecurity experts have been warning for years that competitive pressures and consumer ignorance have combined to make security the red-headed stepchild of IoT manufacturers.
“Most security practitioners will tell you,” said Ned Miller, public sector CTO of Intel Security, their companies’ key concern is “time to market … the last thing they think about is security.”
Miller, speaking alongside Brill at the forum, said that in the mass market, security only became an issue when “it gets personal,” as it had on data security for most Americans with the huge payment card breaches earlier in the decade.
He said he hoped Friday’s attack would start to make the IoT issue personal in the same way. Having spent two decades working on security standards in IT, Miller told the forum that he had a sense of deja vu from the IoT.
“It’s like we’re starting all over again … the mistakes of the past are coming back to bite us again,”
He said when it came to the multi-stakeholder forums conventionally favored as standards-setting bodies in the online world, the number and variety of business interest at the table was much greater for IoT than it ever had been for IT.
Consumers were not blameless, he added. “We want plug and play … We want them [IoT devices] to work right out of the box.”
“There always seems to be a compromise of functionality,” when security or privacy issues were involved, said Alex Wall, senior counsel and global privacy officer for software company Radar.
When the panel was asked to identify a single security measure or best practice that could help, Miller responded, “Don’t allow it work until you reset the password.”
Forcing the reset of default passwords was the kind of best practice recommended in the FTC’s January 2015 report on IoT, Brill said.
“It’s almost two years ago and still not everybody is following that” best practice,” she said.