Remember those halcyon days when the worst a hacker could do to your connected camera was use it to spy on you while you were getting changed in your home? That all ended last Friday, when unknown attackers marshaled an army of similar cameras and other “Internet of Things” devices to shut down access to major websites across much of the United States.
That’s a serious issue for anybody reading this. If a bunch of amateurs can use hacked IoT devices to stage a distributed denial-of-service (DDoS) attack that breaks internet routing for hours, imagine the risks when pros wield the same open-source software, called Mirai, that ran the assault.
In the week since the domain-name-service provider Dyn found itself besieged by these “DDoS” attacks, it’s only become clearer how much work we have to do to improve IoT security.
The first step in this scrub job has to be decontaminating all of the hacked or easily-hacked IoT devices out there. That’s a topic that’s liable to make security professionals shrug their shoulders, since so many of the devices involved require their users to do the hard work of securing them.
“Even if the vendor releases firmware that can patch some of this, do most end users know how to patch firmware on an IoT device?” asked Akamai principal security researcher Ryan Barnett at a security conference in Washington Thursday.
And that’s assuming they get as far as downloading the update — which may be tough if they don’t know which company made the IoT device in question.
Consider the case of Chinese manufacturer Hangzhou Xiongmai Technology Co., Ltd, which builds internal components for other companies’ devices. The research firm Flashpoint Security found that more than 500,000 internet-accessible devices made by that company used the same default username and password, which the Mirai software exploited in the Dyn attack, as well as an earlier one against the site of cybersecurity journalist Brian Krebs.
Xiongmai told Reuters and other news outlets that it will stage a recall, but how will U.S. customers know? They won’t necessarily know if Xiongmai’s hardware is in their devices, and Xiongmai’s only direct announcement seems to have taken place on China’s QQ social network.
An e-mail sent Tuesday to the company’s email address went unanswered.
The recipe for making a secure IoT device shouldn’t be that complex: Ship every product with a unique admin password, with the least exposure to the internet required to do its job and with an automatic-update system.
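As an added illustration of that three-part recipe (unique credential, minimal exposure, authenticated updates), here is a constructed first-boot provisioning flow for a hypothetical device. It is not any vendor's firmware and not code from the article; the vendor key and the listener table are placeholders, and HMAC-SHA256 stands in for the public-key signature a shipping product would use, so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example for a hypothetical IoT device: not a real vendor's
# firmware. HMAC with a placeholder vendor key stands in for a real
# signature scheme so the block runs with only the standard library.

PBKDF2_ROUNDS = 200_000


def make_admin_credential(serial: str) -> tuple[str, dict]:
    """Create a random admin password unique to this unit, plus the salted
    PBKDF2 record the device stores instead of the plaintext."""
    password = secrets.token_urlsafe(12)        # differs on every unit shipped
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    record = {"serial": serial, "salt": salt.hex(), "hash": digest.hex()}
    return password, record


def check_login(record: dict, password: str) -> bool:
    """Verify a login attempt against the stored record in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed factory-default listener table: every service bound to every
# interface, which is the exposure the article is warning about.
FACTORY_LISTENERS = [
    {"service": "telnet",   "port": 23,  "bind": "0.0.0.0", "required": False},
    {"service": "admin-ui", "port": 80,  "bind": "0.0.0.0", "required": True},
    {"service": "rtsp",     "port": 554, "bind": "0.0.0.0", "required": True},
]


def minimise_exposure(listeners: list, lan_addr: str) -> list:
    """Keep only the services the product needs to do its job, and bind
    them to the LAN interface instead of 0.0.0.0; drop everything else."""
    hardened = []
    for svc in listeners:
        if not svc["required"]:
            continue                            # unneeded telnet is removed
        hardened.append({**svc, "bind": lan_addr})
    return hardened


def sign_manifest(version: int, blob: bytes, vendor_key: bytes) -> dict:
    """Vendor side: build and authenticate a manifest for a firmware blob."""
    manifest = {"version": version, "sha256": hashlib.sha256(blob).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["sig"] = hmac.new(vendor_key, body, hashlib.sha256).hexdigest()
    return manifest


def verify_update(manifest: dict, blob: bytes, vendor_key: bytes,
                  installed_version: int) -> tuple[bool, str]:
    """Device side: accept an update only if the manifest authenticates,
    the payload matches its digest, and the version never goes backwards."""
    body = json.dumps({k: manifest[k] for k in ("version", "sha256")},
                      sort_keys=True).encode()
    expected = hmac.new(vendor_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        return False, "bad signature"
    if hashlib.sha256(blob).hexdigest() != manifest["sha256"]:
        return False, "payload digest mismatch"
    if manifest["version"] <= installed_version:
        return False, "rollback refused"
    return True, "ok"


if __name__ == "__main__":
    pw, rec = make_admin_credential("SN-0001")      # printed once at first boot
    print("unit password:", pw, "login ok:", check_login(rec, pw))
    print("listeners:", minimise_exposure(FACTORY_LISTENERS, "192.168.1.20"))
    key, blob = b"placeholder-vendor-key", b"firmware image v2"
    print("update:", verify_update(sign_manifest(2, blob, key), blob, key, 1))
```

The point of the three pieces together: a password that is different on every unit defeats the shared-default scanning the article describes, removing telnet and binding the admin UI to the LAN shrinks what is reachable at all, and the signed, rollback-resistant manifest is what makes it safe to install updates without waiting for the user to act.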
Then give shoppers a simple way to identify safe IoT devices. The example of Underwriters Laboratories’ safety labels often comes up, followed by a request that UL do just that for cybersecurity.
The answer is that UL is doing exactly that — but its efforts won’t help you shop until next year.
“We haven’t completed and certified any of those devices as of yet,” said principal engineer Ken Modeste. The first quarter of 2017 looks like the earliest possible time for retail availability of gadgets with this new label.
UL’s tests will grade gadgets both on their features and their manufacturers’ systems for verifying their security and shipping patches for them.
It won’t, however, require automatically installed updates, without which many security fixes will linger on servers or in the “Download” folders on users’ computers. That will have to wait for the second version of this standard — which, Modeste said, “we’re now starting to develop.”
If you were about to ask “isn’t it illegal to ship hardware this insecure,” the answer is “not necessarily.” We don’t have product-safety regulations for IoT devices like those that protect our food, our air travel and, more recently, our financial instruments.
Security expert Bruce Schneier wrote at Vice’s Motherboard site three weeks ago — before the Dyn attack — that the Feds had to step in. He wrote: “The economics of the IoT mean that it will remain insecure unless government steps in to fix the problem.”
The government has, in fact, taken action already. The Federal Trade Commission has been studying this problem (its 2015 report on IoT security and privacy now looks prophetic) and has used its existing authority to pursue some firms for egregious failings.
In 2014 and 2016, the FTC secured settlements from the camera vendor Trendnet and router manufacturer Asustek for misleading customers about their devices’ security — deceptive conduct being something the FTC can already punish.
The FTC’s 2015 report renewed earlier calls for nationwide privacy legislation. Right now, there isn’t even a federal standard for when companies must tell you they lost your data in a breach.
In a phone interview Tuesday, FTC commissioner Terrell McSweeny reiterated that goal as well as more recent requests that Congress expand its limited ability to fine offenders. “It would be helpful if the FTC had civil penalty authority,” she said.
Until that happens, the FTC will continue to urge companies to do better and bring cases against those who don’t or won’t. And potential IoT shoppers — McSweeny included — will have to continue to be wary.