The FCC Suggests Some Wishy Washy, Highly Unlikely Solutions To The Poorly-Secured Internet Of Things

from the dumb-is-the-new-smart dept

So we’ve noted how the surge in the internet-of-poorly-secured things has put us all at risk by introducing thousands of new attack vectors in homes and businesses around the world. We’ve also noted that the rise of these not-so-smart cameras, toys and hackable tea kettles has resulted in a spike in larger DDoS attacks than we’ve ever seen before, as these devices are compromised and used maliciously within minutes of being connected to the internet. Many security experts have started to warn us that it’s only a matter of time before the check comes due, potentially involving infrastructure failure and mass fatalities.

Rather unsurprisingly, this has led to a renewed call for some kind of regulation to hold gear-makers accountable for shipping poorly-secured product. So far, however, the most we’re seeing on the policy solution front are relatively shallow missives pushed by folks like the Department of Homeland Security. The DHS’s “non-binding strategic principles” recently included recommendations along the lines of “hey, guys, maybe some of you should actually probe your product for vulnerabilities before shipping it to consumers?” and “uh, perhaps companies should think about security a little bit during the product design phase?”

FCC boss Tom Wheeler also appears to be vaguely exploring the idea of regulating the internet of things space with an eye on avoiding an IoT-induced cyber-apocalypse. In a letter to Senator Mark Warner (pdf), Wheeler advocates an FCC-mandated cybersecurity certification process for IoT devices, as well as a system to apply “consumer cybersecurity labels” to IoT devices and associated services. In the letter, Wheeler argues that this is one scenario in which industry self-regulation hasn’t worked, and may not work down the road:

“I do, however, share your concern that we cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities. As private actors, ISPs operate in economic environments that pressure them to not take those steps, or to take them minimally. Given the interconnected nature of broadband networks, protective actions taken by one ISP against cyberthreats can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to take such protections. Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively.”

Wheeler’s responding to an October letter from Warner regarding the Dyn DDoS attack, which was fueled by compromised IoT devices. But like the DHS’s recommendations, which few companies will actually follow, Wheeler’s letter leans heavily on ambiguities and lip service, while acknowledging the FCC’s precarious current position. Buried under some oblique references to the FCC’s Open Internet Order (Wheeler really only says that ISPs can manage these threats without running afoul of net neutrality), the baseline message is that industry needs to step up and fix its own problem:

“In 2014, I initiated a new paradigm for how the FCC would address cybersecurity for our nation’s communications networks and services. I stated that it begins with private sector leadership that recognizes how easily cyber threats cross corporate and national boundaries and that, because of this, the communications sector must step up its responsibility and accountability for cyber risk management.”

While stories like this one over at Morning Consult engage in a lot of hand wringing about the FCC engaging in regulatory over-reach, there’s little to no actual chance of Wheeler’s ideas actually being implemented. Wheeler is set to step down as chairman on January 20, and Trump’s incoming telecom advisors have made it abundantly clear their top priority will be not only eliminating the FCC’s net neutrality rules, but working to defang and defund the agency. The GOP is also cooking up a Communications Act rewrite now that it has Congressional and White House control that will similarly aim to hamstring the regulator.

A defunded and weakened FCC will likely be in no position to dramatically expand its authority into regulation of internet of things devices. In fact, it will likely mean the erosion of many FCC rules that already exist now. In other words, when it comes to IoT security we’re going to be exactly where we started: waiting for gear makers to step up and take some responsibility for the fact that their laziness has left us all immeasurably less secure, while bickering over whether regulatory over-reach on security could hinder innovation in the IoT market.

Meanwhile, it’s going to take a dramatic IoT-fueled incident of dysfunction and disaster before we stop doing the bare minimum and begin taking the entire problem more seriously.



Comments on “The FCC Suggests Some Wishy Washy, Highly Unlikely Solutions To The Poorly-Secured Internet Of Things”

34 Comments
Anonymous Coward says:

Re: Re:

About the only thing I can see anyone do, is implement a required certification program like UL for electricity or the FCC certification for wireless radios. If they are not certified they cannot be sold on the US market. The problem is defining something that is unknown. Back in the day you could have chargen, SNMP, NTP, et al on the open internet and it was perfectly fine, now not so much. And for tomorrow, we have no clue what vulnerabilities will be discovered. Enforcing proper firewalls on end-users with default block rules will probably go a lot further, but someone will still just stick them on the outside for ease of use. So, I honestly can’t think of a good solution myself that will work for every idiot out there.

Anonymous Hero says:

> when it comes to IOT security we’re going to be exactly where we started: waiting for gear makers to step up and take some responsibility for the fact they’re laziness has left us all immeasurably less secure

Gear makers don’t leave us insecure. Consumers make themselves insecure by purchasing insecure gear.

Not everyone is a pen-tester, but people should be security conscious about the stuff they buy (especially if the item happens to be a security camera!). I’d prefer education to regulation.

ltlw0lf (profile) says:

Re: Re:

Not everyone is a pen-tester, but people should be security conscious about the stuff they buy (especially if the item happens to be a security camera!). I’d prefer education to regulation.

I totally agree with your thoughts here, security education is a far better way of dealing with this, though there are limits to education as well. I tell friends and family why they shouldn’t buy something all the time, giving facts and rationale, but most of the time I get “so, who cares, I don’t have anything a hacker would ever want.” This even after I explain that the criminals out there want their identity, their credit, their bank accounts, etc., and most of those exist on their computer.

But the issue is that most manufacturers won’t even open up their firmware so that security researchers can look at them, much less let their customers know of potential risks. They don’t want to lose their profit margin by being able to “expire” equipment less than a year old by no longer supporting it, making their customers get on the endless device obsolescence model they currently have. There are some niche groups, including security camera vendors, where all you can get is cameras with clunky, closed source, and poorly supported firmware, and unless someone goes in and makes this illegal, the companies aren’t going to change.

Anonymous Coward says:

Re: Re:

Not everyone is a pen-tester, but people should be security conscious about the stuff they buy (especially if the item happens to be a security camera!). I’d prefer education to regulation.

After twenty years of non-technical people using Windows unsafely despite repeated warnings about how insecure it is, and Microsoft going to considerable lengths to make it painful to use the system in an insecure manner, people still use Windows in insecure ways. To me, that demonstrates an oft-stated truth: people abhor security measures that have any non-trivial cost and will demonstrate their preference by choosing the path of least resistance, even when it is demonstrably less secure. We see this in users’ choice of terrible passwords too. Educating such people might make them more aware that they are acting recklessly, but it will not, in most cases, motivate them to be careful.

Even setting aside that users will happily choose insecure products for even a small perceived convenience over the secure alternative, if there are no products on the market that are secure enough, what good does it do to create consumers who want to avoid buying insecure products? How many of those people will decide to buy nothing at all when presented with a catalogue of only insecure products?

I distrust regulation in this matter, but we got here because vendors have managed to absolve themselves of any responsibility whatsoever for the consequences of their shoddy work. We need some way to motivate them not to ship poor quality products. Convincing enough of their customers to shun them for doing a poor job is a nice idea, but very hard to make work at scale.

Anonymous Coward says:

Re: Re:

Education is all well and good, but often the information about security simply doesn’t exist.
Besides, keeping people up to date on security would be tough. Algorithms become deprecated all the time and to teach most people the difference between a hash and an encryption algorithm or what the difference is between a public and private key if they don’t have even the slightest interest in the subject will be next to impossible.
Instead I think there should be a required stamp or sticker on these products, after they have been tested. The picture should be of a lock and then either red, yellow, or green, depending on the security of the product.
Educating people on basic colors is much easier than educating them on IT security.

wiserabbit says:

Re: Re: Re: Re:

No kidding to this.

I work in InfoSec. I knew the questions to ask. It took three months to find a security system after thieves broke in and took everything including the half used cans of house paint.

Go to a consumer security company’s website and try to figure out what are the make and models of any of the equipment they are selling. Good luck with that. Call their sales and support lines. There are a little better results there but comedy ensues when you try to learn about the manufacturers of the components inside. Never heard what crickets sound like? Ask about firmware versions.

We did the best that we possibly could including letting some folks I work with attack the darn things but it still feels like it is more of a wing-and-a-prayer situation.

Thad (user link) says:

Re: Re: Re:

The problem with the “every ____ gets the ____ they deserve” line, however it’s deployed, is that it tends to assume that the repercussions of poor and careless decisions only affect the people who made those decisions.

The thing about botnets is, the people who bought the crappy IoT gizmos that run them are usually not the ones being harmed by them.

And you can have a top-notch security team doing everything right and it’s still not going to protect you against a DDoS attack of sufficient size.

Anonymous Coward says:

Re: Re:

I think it describes a dystopian future where the government tries to spy on everything everyone does 24-7 all the while wagging their finger at the public about all those bad things they are doing … and that they need to be held “accountable” for their transgressions. How dare you visit that librul website and read all that fake news !!!

SolutionIsAlreadyThere says:

Again where's the UL rating for these items

We hear about JD Powers rankings of cars everyday through advertising. Where’s the equivalent of the Underwriter Labs UL rating for these devices.

Put simply, DON’T BUY this crap unless it passes some rating system. That is something tangible that doesn’t need government involvement.

If anything the government should be pushing consumers into the hands of consumer oriented ranking systems.

Not approved, DO NOT BUY, not approved and goes into flames, the company SELLING the product should be liable as much as the manufacturer. Yes, WalMart, Amazon and all these giant commerce shops SHOULD be on the hook for not doing their due diligence.

Anonymous Coward says:

wouldn’t it be cheaper to simply outlaw connecting trivial crap to the internet? the cost of securing a bauble will surely dwarf the value of the thing.

that’s if the manufacturer can get by without the spy income component. that may make connection necessary. just make the public pay for the safe spying. thousand dollar tea kettle sounds about right.

Vikarti Anatra (profile) says:

What if...

It’s interesting how both buyers and makers of insecure things will react to this: when your device takes part in a DDoS attack at one specific site, your internet connection will be cut (physically, and a paper notice will be attached), no matter where you are on Earth (yes, this means some mistakes will happen, like cutting off an apartment complex instead of a specific flat). You can sue the owner of the system which did the cutting, but you won’t get anything from it. If the connection is repaired it will work… until it takes part in a DDoS again.

Yes, a sci-fi scenario. One I’m thinking about using in my book.

Tom Mink (profile) says:

What people are used to

One of the biggest reasons why insecure products get bought is because consumers have been assured that things sold commercially are expected to be safe. Speaking of which – why is the DHS and FCC taking the lead when we have a Consumer Product Safety Commission? Do IoT devices have to catch fire or smother children to be eligible for scrutiny?

Derek Kerton (profile) says:

Seems to Me Something The Free Market May Solve

And I don’t say that every time!

So, we already have independent third party nationally recognized and trusted testing Laboratories like UL. UL provides a certification for thousands of consumer electronics devices, to assure the customer that they won’t shatter, catch fire, explode, short-circuit your home, emit too much RF, and a variety of other risks.

Many of the IoT products we’re talking about here (in these DDOS bot nets) already have UL certification. So UL (or other certification labs) should add a test of whether a product meets some basic Internet security standards, and just make that part of their certification.

In fact, it’s kinda lame on them if they don’t do that already.

Wendy Cockcroft (user link) says:

The market will take care of it

//…waiting for gear makers to step up and take some responsibility for the fact [they’re] their laziness has left us all immeasurably less secure, while bickering over whether regulatory over-reach on security could hinder the innovation in the IOT market. //

Now, now, Karl, know you not that the market will take care of it? Competition keeps you honest, and all that.

Yes indeed, through zero collective action via boycotting campaigns on the part of the public and completely sans regulation, consumers will decide of their own free will to either get something else or do without, thereby forcing the manufacturers to get their act together. Who needs the FCC and consumer protection when Randian fantasies can do the job so much better?

DannyB (profile) says:

Make the device manufacturer financially liable for damage

Unlike most of my posts, this one is serious and not intended as sarcasm or parody.

Put the financial liability for damage caused by hacked devices upon the manufacturers of the device. Yes, seriously.

Let me head off several replies before anyone even replies. I’m NOT suggesting any sort of government certification or licensing or registration of devices. Just simply that if your device is hacked, the hacking results in financial damage, then the manufacturer has liability for the damages caused.

Simply don’t ship devices that are hackable. Impossible!, you say? If that is true, then don’t make any IoT devices. If it is impossible to prevent them from being used for massive damage, then why should you be making and selling them at all? That’s like saying it is impossible to make a toaster that won’t burn your house down. If true, then why should you be making or selling any toasters.

If it is possible to secure the devices, then do so. You might start looking at a lot of basic things like:
* highly limit what internet ports your device uses
* no default passwords
* no back doors
* use digitally signed software updates to ensure they are from the manufacturer
* no insecure protocols
* minimize exposed functionality to minimize attack surface

And other ideas to lock down your device. Steps like this substantially reduce the odds that your device will be hacked, and that you will incur liability from damages caused.

The problem that this fixes is that now device makers have a financial incentive to secure and lock down their devices. It isn’t impossible. Yes, it may cost some additional time and engineering in the design.

But just as I expect a toaster to not burn my house down, I expect IoT devices to not be instantly and trivially hackable.
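The “digitally signed software updates” item in the checklist above is the one that most often gets implemented half-way (a signature over the image but no binding to a version, so an attacker can replay an older, vulnerable image that the vendor did sign). The following is an added example, written for this page and not code from the commenter or any vendor: a minimal Ed25519 update verifier in Go that signs version-plus-image together, rejects a tampered image, and rejects a replayed older image. The key pair, the `Update` container, and the sample image bytes are constructed for the demonstration; a real device would have the vendor public key burned in at manufacture and the installed version stored in tamper-resistant storage.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed firmware-update container: a monotonic version
// number, the image bytes, and an Ed25519 signature over version||image.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedMessage binds the version to the image so an attacker cannot pair a
// genuinely signed old image with a newer version field (or vice versa).
func signedMessage(version uint32, image []byte) []byte {
	msg := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, image...)
}

// BuildUpdate is the manufacturer side: sign version||image with the
// release key (assumed to be kept off the device, e.g. in an HSM).
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedMessage(version, image)),
	}
}

// Device is the receiving side: the vendor public key provisioned at
// manufacture and the version currently installed.
type Device struct {
	VendorKey ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than installed firmware")
)

// Apply verifies the signature first, then enforces anti-rollback, and only
// then "installs" the image (represented here by bumping Installed).
func (d *Device) Apply(u Update) error {
	if len(u.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(d.VendorKey, signedMessage(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = u.Version
	return nil
}

// Demo exercises the three cases a reviewer would want to see: a genuine
// update, a tampered image, and a replayed (older, genuinely signed) update.
// It returns the outcome of each so the results can be checked.
func Demo() (genuine, tampered, replayed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, Installed: 1}

	// Case 1: a real v2 release signed by the vendor key.
	v2 := BuildUpdate(priv, 2, []byte("firmware v2 (constructed sample image)"))
	genuine = dev.Apply(v2)

	// Case 2: same container, but the image bytes were altered in transit.
	// The version field is untouched; the signature no longer matches.
	evil := v2
	evil.Image = bytes.Replace(v2.Image, []byte("v2"), []byte("v2+backdoor"), 1)
	tampered = dev.Apply(evil)

	// Case 3: a legitimately signed v1 replayed after v2 is installed.
	// The signature verifies, so only the anti-rollback check stops it.
	v1 := BuildUpdate(priv, 1, []byte("firmware v1 (constructed sample image)"))
	replayed = dev.Apply(v1)
	return genuine, tampered, replayed
}

func main() {
	g, t, r := Demo()
	fmt.Println("genuine: ", g)
	fmt.Println("tampered:", t)
	fmt.Println("replayed:", r)
}
```

The order of the checks matters: the signature is verified before the version is even looked at, so an unsigned blob can never influence the rollback decision, and the version is part of the signed message rather than a separate header field the attacker can edit.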
