The FCC Suggests Some Wishy Washy, Highly Unlikely Solutions To The Poorly-Secured Internet Of Things

from the dumb-is-the-new-smart dept

So we've noted how the surge in the internet-of-poorly-secured things has put us all at risk by introducing thousands of new attack vectors in homes and businesses around the world. We've also noted that the rise of these not-so-smart cameras, toys and hackable tea kettles has resulted in a spike in larger DDoS attacks than we've ever seen before, as these devices are compromised and used maliciously within minutes of being connected to the internet. Many security experts have started to warn us that it's only a matter of time before the check comes due, potentially involving infrastructure failure and mass fatalities.

Rather unsurprisingly, this has lead to a renewed call for some kind of regulation to hold gear-makers accountable for shipping poorly-secured product. So far, however, the most we're seeing on the policy solution front are relatively shallow missives pushed by folks like the Department of Homeland Security. The DHS's "non-binding strategic principles" recently included such recommendations along the lines of "hey, guys, maybe some of you should actually probe your product for vulnerabilities before shipping it to consumers?" and "uh, perhaps companies should think about security a little bit during the product design phase?"

FCC boss Tom Wheeler also appears to be vaguely exploring the idea of regulating the internet of things space with an eye on avoiding an IOT-induced cyber-apocalypse. In a letter by Wheeler to Senator Mark Warner (pdf), Wheeler advocates an FCC-mandated cybersecurity certification process for IOT devices, as well as a system to apply "consumer cybersecurity labels" for IoT devices and associated services. In the letter, Wheeler argues that this is one scenario in which industry self regulation hasn't worked, and may not work down the road:
"I do, however, share your concern that we cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities. As private actors, ISPs operate in economic environments that pressure them to not take those steps, or to take them minimally. Given the interconnected nature of broadband networks, protective actions taken by one ISP against cyberthreats can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to take such protections. Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively."
Wheeler's responding to an October letter from Warner regarding the Dyn DDoS attack, which was fueled by IOT devices. But like the DHS's recommendations few companies will actually follow, Wheeler's letter similarly leans heavily on ambiguities and lip service, while realizing the FCC's precarious current position. Buried under some oblique references to the FCC's Open Internet Order (Wheeler really only says that ISPs can manage these threats without running afoul of net neutrality), the baseline message is that industry needs to step up and fix its own problem:
"In 2014, I initiated a new paradigm for how the FCC would address cybersecurity for our nation's communications networks and services. I stated that it begins with private sector leadership that recognizes how easily cyber threats cross corporate and national boundaries and that, because of this, the communications sector must step up its responsibility and accountability for cyber risk management."
While stories like this one over at Morning Consult engage in a lot of hand wringing about the FCC engaging in regulatory over-reach, there's little to no actual chance of Wheeler's ideas actually being implemented. Wheeler is set to step down as chairman on January 20, and Trump's incoming telecom advisors have made it abundantly clear their top priority will be not only eliminating the FCC's net neutrality rules, but working to defang and defund the agency. The GOP is also cooking up a Communications Act rewrite now that it has Congressional and White House control that will similarly aim to hamstring the regulator.

A defunded and weakened FCC will likely be in no position to dramatically expand its authority into regulation of internet of things devices. In fact, it will likely mean the erosion of many FCC rules that already exist now. In other words, when it comes to IOT security we're going to be exactly where we started: waiting for gear makers to step up and take some responsibility for the fact they're laziness has left us all immeasurably less secure, while bickering over whether regulatory over-reach on security could hinder the innovation in the IOT market.

Meanwhile, it's going to take a dramatic IOT-fueled incident of dysfunction and disaster before we stop doing the bare minimum, and begin taking the entire problem more seriously.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, fcc, iot, mark warner, tom wheeler


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 12 Dec 2016 @ 12:12pm

    I am still scratching my head over WTF the FCC or FTC or any other US agency is going do that would have any effect here. The bulk of the IOT devices in recent attacks were built, sold and deployed outside of the US.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Dec 2016 @ 12:38pm

      Re:

      About the only thing I can see anyone do, is implement a required certification program like UL for electricity or the FCC certification for wireless radios. If they are not certified they can not be sold on the US market. The problem is defining something that is unknown. Back in the day you could have chargen, SNMP, NTP, et al on the open internet and it was perfectly fine, now not so much. And for tomorrow, we have no clue what vulnerabilities will be discovered. Enforcing proper firewalls on end-users with default block rules will probably go a lot further, but someone will still just stick them on the outside for ease of use. So, I honestly can't think of a good solution myself that will work for every idiot out there.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Hero, 12 Dec 2016 @ 12:12pm

    > when it comes to IOT security we're going to be exactly where we started: waiting for gear makers to step up and take some responsibility for the fact they're laziness has left us all immeasurably less secure

    Gear makers don't leave us insecure. Consumers make themselves insecure by purchasing insecure gear.

    Not everyone is a pen-tester, but people should be security conscious about the stuff they buy (especially if the item happens to be a security camera!). I'd prefer education to regulation.

    reply to this | link to this | view in chronology ]

    • icon
      Roger Strong (profile), 12 Dec 2016 @ 12:28pm

      Re:

      Being security conscious I knew to ask whether my new internet-connected gas furnace is secure. The company said that it is. I also checked my Facebook feed for warnings.

      [...]

      What's that smell?

      reply to this | link to this | view in chronology ]

    • icon
      ltlw0lf (profile), 12 Dec 2016 @ 12:34pm

      Re:

      > Not everyone is a pen-tester, but people should be security conscious about the stuff they buy (especially if the item happens to be a security camera!). I'd prefer education to regulation.

      I totally agree with your thoughts here, security education is a far better way of dealing with this, though there are limits to education as well. I tell friends and family why they shouldn't buy something all the time, giving facts and rational, but most of the time I get "so, who cares, I don't have anything a hacker would ever want." This even after I explain that the criminals out there want their identity, their credit, their bank accounts, etc., and most of those exist on their computer.

      But the issue is that most manufacturers won't even open up their firmware so that security researchers can look at them, much less let their customers know of potential risks. They don't want to loose their profit margin by being able to "expire" equipment less than a year old by no longer supporting it, making their customers get on the endless device obsolescence model they currently have. There are some niche groups, including security camera vendors, where all you can get is cameras with clunky, closed source, and poorly supported firmware, and unless someone goes in and makes this illegal, the companies aren't going to change.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Dec 2016 @ 1:09pm

      Re:

      Not everyone is a pen-tester, but people should be security conscious about the stuff they buy (especially if the item happens to be a security camera!). I'd prefer education to regulation.

      After twenty years of non-technical people using Windows unsafely despite repeated warnings about how insecure it is, and Microsoft going to considerable lengths to make it painful to use the system in an insecure manner, people still use Windows in insecure ways. To me, that demonstrates an oft-stated truth: people abhor security measures that have any non-trivial cost and will demonstrate their preference by choosing the path of least resistance, even when it is demonstrably less secure. We see this in users' choice of terrible passwords too. Educating such people might make them more aware that they are acting recklessly, but it will not, in most cases, motivate them to be careful.

      Even setting aside that users will happily choose insecure products for even a small perceived convenience over the secure alternative, if there are no products on the market that are secure enough, what good does it do to create consumers who want to avoid buying insecure products? How many of those people will decide to buy nothing at all when presented with a catalogue of only insecure products?

      I distrust regulation in this matter, but we got here because vendors have managed to absolve themselves of any responsibility whatsoever for the consequences of their shoddy work. We need some way to motivate them not to ship poor quality products. Convincing enough of their customers to shun them for doing a poor job is a nice idea, but very hard to make work at scale.

      reply to this | link to this | view in chronology ]

      • identicon
        Thad, 13 Dec 2016 @ 4:28pm

        Re: Re:

        Right; this is what I meant by my seatbelt analogy. It is a well-established engineering truism at this point that it's far, far easier to design a safer product than to make safer human beings.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Dec 2016 @ 1:12pm

      Re:

      Education is all well and good, but often the information about security simply doesn't exist.
      Besides, keeping people up to date on security would be tough. Algorithms become deprecated all the time and to teach most people the difference between a hash and an encryption algorithm or what the difference is between a public and private key if they don't have even the slightest interest in the subject will be next to impossible.
      Instead I think there should be a required stamp or sticker on these products, after they have been tested. The picture should be of a lock and then either red, yellow, or green, depending on the security of the product.
      Educating people on basic colors is much easier than educating them on IT security.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Dec 2016 @ 1:16pm

        Re: Re:

        I should elaborate on that first line: I meant that information about included security of the product simply doesn't exist.

        reply to this | link to this | view in chronology ]

        • identicon
          wiserabbit, 12 Dec 2016 @ 2:58pm

          Re: Re: Re:

          No kidding to this.

          I work in InfoSec. I knew the questions to ask. It took three months to find a security system after thieves broke in and took everything including the half used cans of house paint.

          Go to a consumer security company’s website and try to figure out what are the make and models of any of the equipment they are selling. Good luck with that. Call their sales and support lines. There are a little better results there but comedy ensues when you try to learn about the manufacturers of the components inside. Never heard what crickets sound like? Ask about firmware versions.

          We did the best that we possibly could including letting some folks I work with attack the darn things but it still feels like it is more of a wing-and-a-prayer situation.

          reply to this | link to this | view in chronology ]

    • identicon
      Thad, 12 Dec 2016 @ 4:29pm

      Re:

      I'd prefer education to regulation.

      I think we should get rid of seatbelts and just teach everybody to be a safe driver.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Dec 2016 @ 5:24pm

      Re:

      Every customer gets the security they deserve ?

      reply to this | link to this | view in chronology ]

      • identicon
        Thad, 13 Dec 2016 @ 10:43am

        Re: Re:

        The problem with the "every ____ gets the ____ they deserve" line, however it's deployed, is that it tends to assume that the repercussions of poor and careless decisions only affect the people who *made* those decisions.

        The thing about botnets is, the people who bought the crappy IoT gizmos that run them are usually not the ones being harmed by them.

        And you can have a top-notch security team doing evertyhing right and it's *still* not going to protect you against a DDoS attack of sufficient size.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Dec 2016 @ 12:13pm

    "Cyberaccountability"?

    Is that like normal accountability but involving a robe and wizard hat?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Dec 2016 @ 4:46am

      Re:

      I think it describes a dystopian future where the government tries to spy on everything everyone does 24-7 all the while wagging their finger at the public about all those bad things they are doing ... and that they need to be held "accountable" for their transgressions. How dare you visit that librul website and read all that fake news !!!

      reply to this | link to this | view in chronology ]

  • identicon
    SolutionIsAlreadyThere, 12 Dec 2016 @ 12:57pm

    Again where's the UL rating for these items

    We hear about JD Powers rankings of cars everyday through advertising. Where's the equivalent of the Underwriter Labs UL rating for these devices.

    Put simply, DON'T BUY this crap unless is passes some rating system. That is something tangible that doesn't need government involvement.

    If anything the government should be pushing consumers into the hands of consumer oriented ranking systems.

    Not approved, DO NOT BUY, not approved and goes into flames, the company SELLING the product should be liable as much as the manufacturer. Yes, WalMart, Amazon and all these giant commerce shops SHOULD be on the hook for not doing their due diligence.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Dec 2016 @ 1:16pm

    You say the GOP is working to rewrite the Communications Act. Wouldn't it be more accurate to say "some in GOP leadership"?

    Not every Republican opposes Net Neutrality. Asserting otherwise fosters a perception that it's pointless to educate and work with Republicans on supporting Net Neutrality.

    reply to this | link to this | view in chronology ]

  • icon
    geddy2112 (profile), 12 Dec 2016 @ 1:24pm

    if i know anything about americans....

    ....then I know we won't react to this situation until it becomes time to overreact! it's like clockwork...it's all fun and games until someone gets hurt..then it's time to pass reactionary legislation that actually does nothing but makes everyone feel better....pretty sure it goes something like that.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Dec 2016 @ 1:31pm

    wouldn't it be cheaper to simply outlaw connecting trivial crap to the internet? the cost of securing a bauble will surely dwarf the value of the thing.

    that's if the manufacturer can get by without the spy income component. that may make connection necessary. just make the public pay for the safe spying. thousand dollar tea kettle sounds about right.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Dec 2016 @ 3:43pm

    The insecurity of "internet of things" is something that the spy agencies enjoy.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Dec 2016 @ 5:11pm

    Aren't most of these devices built in China?

    Makes you wonder.

    reply to this | link to this | view in chronology ]

  • icon
    Vikarti Anatra (profile), 12 Dec 2016 @ 7:49pm

    What if...

    It's interesting how both buyers and makers of insecure things will react to: when your device takes part in DDoS attack at one specific site, your internet connection will be cutted (physicall and paper notice will be attached), no matter where you are on Earth(yes, this means some mistakes will happen like cutting apartment complex instead of specific flat). You can sue owner of system which did cutting but you won't get anything from it. If connection is repaired it will work...until it takes part in DDoS again.


    Yes, SciFi scenario. One I thinking about using in my book.

    reply to this | link to this | view in chronology ]

  • icon
    Tom Mink (profile), 12 Dec 2016 @ 9:09pm

    What people are used to

    One of the biggest reasons why insecure products get bought is because consumers have been assured that things sold commercially are expected to be safe. Speaking of which - why is the DHS and FCC taking the lead when we have a Consumer Product Safety Commission? Do IoT devices have to catch fire or smother children to be eligible for scrutiny?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Dec 2016 @ 3:33am

    FCC Agency DeFanging

    Maybe someone should point out to congressional representatives, that if they gut the FCC, ISPs will no longer need to lobby them and fuel their campaigns. All that sweet money they salivate over will go elsewhere.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Dec 2016 @ 6:28am

    You can now hack someone's sole:

    Make 'em feel like they're walking on hot coals...

    http://www.theverge.com/circuitbreaker/2016/12/12/13921342/winter-heated-insoles-kickstarter -bluetooth

    Leave 'em without a leg to stand on.

    reply to this | link to this | view in chronology ]

  • identicon
    Dave, 13 Dec 2016 @ 8:16am

    So, beyond simply avoiding IOT devices, how can i stave off impending doom ? Cave in northern Canada i guess

    reply to this | link to this | view in chronology ]

  • icon
    Derek Kerton (profile), 13 Dec 2016 @ 11:11am

    Seems to Me Something The Free Market May Solve

    And I don't say that every time!

    So, we already have independent third party nationally recognized and trusted testing Laboratories like UL. UL provides a certification for thousands of consumer electronics devices, to assure the customer that they won't shatter, catch fire, explode, short-circuit your home, emit too much RF, and a variety of other risks.

    Many of the IoT products we're talking about here (in these DDOS bot nets) already have UL certification. So
    UL (or other certification labs) should add a test of whether a product meets some basic Internet security standards, and just make that part of their certification.

    In fact, it's kinda lame on them if they don't do that already.

    reply to this | link to this | view in chronology ]

  • identicon
    Wendy Cockcroft, 14 Dec 2016 @ 5:55am

    The market will take care of it

    //...waiting for gear makers to step up and take some responsibility for the fact [they're] their laziness has left us all immeasurably less secure, while bickering over whether regulatory over-reach on security could hinder the innovation in the IOT market. //

    Now, now, Karl, know you not that the market will take care of it? Competition keeps you honest, and all that.

    Yes indeed, through zero collective action via boycotting campaigns on the part of the public and completely sans regulation, consumers will decide of their own free will to either get something else or do without, thereby forcing the manufacturers to get their act together. Who needs the FCC and consumer protection when Randian fantasies can do the job so much better?

    reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 14 Dec 2016 @ 7:14am

    Make the device manufacturer financially liable for damage

    Unlike most of my posts, this one is serious and not intended as sarcasm or parody.

    Put the financial liability for damage caused by hacked devices upon the manufacturers of the device. Yes, seriously.

    Let me head off several replies before anyone even replies. I'm NOT suggesting any sort of government certification or licensing or registration of devices. Just simply that if your device is hacked, the hacking results in financial damage, then the manufacturer has liability for the damages caused.

    Simply don't ship devices that are hackable. Impossible!, you say? If that is true, then don't make any IoT devices. If it is impossible to prevent them from being used for massive damage, then why should you be making and selling them at all? That's like saying it is impossible to make a toaster that won't burn your house down. If true, then why should you be making or selling any toasters.

    If it is possible to secure the devices, then do so. You might start looking at a lot of basic things like:
    * highly limit what internet ports your device uses
    * no default passwords
    * no back doors
    * use digitally signed software updates to ensure they are from the manufacturer
    * no insecure protocols
    * minimize exposed functionality to minimize attack surface

    And other ideas to lock down your device. Steps like this substantially reduce the odds that your device will be hacked, and that you will incur liability from damages caused.

    The problem that this fixes is that now device makers have a financial incentive to secure and lock down their devices. It isn't impossible. Yes, it may cost some additional time and engineering in the design.

    But just as I expect a toaster to not burn my house down, I expect IoT devices to not be instantly and trivially hackable.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.