The FCC Suggests Some Wishy Washy, Highly Unlikely Solutions To The Poorly-Secured Internet Of Things
from the dumb-is-the-new-smart dept
So we’ve noted how the surge in the internet-of-poorly-secured things has put us all at risk by introducing thousands of new attack vectors in homes and businesses around the world. We’ve also noted that the rise of these not-so-smart cameras, toys and hackable tea kettles has resulted in a spike in larger DDoS attacks than we’ve ever seen before, as these devices are compromised and used maliciously within minutes of being connected to the internet. Many security experts have started to warn us that it’s only a matter of time before the check comes due, potentially involving infrastructure failure and mass fatalities.
Rather unsurprisingly, this has lead to a renewed call for some kind of regulation to hold gear-makers accountable for shipping poorly-secured product. So far, however, the most we’re seeing on the policy solution front are relatively shallow missives pushed by folks like the Department of Homeland Security. The DHS’s “non-binding strategic principles” recently included such recommendations along the lines of “hey, guys, maybe some of you should actually probe your product for vulnerabilities before shipping it to consumers?” and “uh, perhaps companies should think about security a little bit during the product design phase?”
FCC boss Tom Wheeler also appears to be vaguely exploring the idea of regulating the internet of things space with an eye on avoiding an IOT-induced cyber-apocalypse. In a letter by Wheeler to Senator Mark Warner (pdf), Wheeler advocates an FCC-mandated cybersecurity certification process for IOT devices, as well as a system to apply “consumer cybersecurity labels” for IoT devices and associated services. In the letter, Wheeler argues that this is one scenario in which industry self regulation hasn’t worked, and may not work down the road:
“I do, however, share your concern that we cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities. As private actors, ISPs operate in economic environments that pressure them to not take those steps, or to take them minimally. Given the interconnected nature of broadband networks, protective actions taken by one ISP against cyberthreats can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to take such protections. Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively.”
Wheeler’s responding to an October letter from Warner regarding the Dyn DDoS attack, which was fueled by IOT devices. But like the DHS’s recommendations few companies will actually follow, Wheeler’s letter similarly leans heavily on ambiguities and lip service, while realizing the FCC’s precarious current position. Buried under some oblique references to the FCC’s Open Internet Order (Wheeler really only says that ISPs can manage these threats without running afoul of net neutrality), the baseline message is that industry needs to step up and fix its own problem:
“In 2014, I initiated a new paradigm for how the FCC would address cybersecurity for our nation’s communications networks and services. I stated that it begins with private sector leadership that recognizes how easily cyber threats cross corporate and national boundaries and that, because of this, the communications sector must step up its responsibility and accountability for cyber risk management.”
While stories like this one over at Morning Consult engage in a lot of hand wringing about the FCC engaging in regulatory over-reach, there’s little to no actual chance of Wheeler’s ideas actually being implemented. Wheeler is set to step down as chairman on January 20, and Trump’s incoming telecom advisors have made it abundantly clear their top priority will be not only eliminating the FCC’s net neutrality rules, but working to defang and defund the agency. The GOP is also cooking up a Communications Act rewrite now that it has Congressional and White House control that will similarly aim to hamstring the regulator.
A defunded and weakened FCC will likely be in no position to dramatically expand its authority into regulation of internet of things devices. In fact, it will likely mean the erosion of many FCC rules that already exist now. In other words, when it comes to IOT security we’re going to be exactly where we started: waiting for gear makers to step up and take some responsibility for the fact they’re laziness has left us all immeasurably less secure, while bickering over whether regulatory over-reach on security could hinder the innovation in the IOT market.
Meanwhile, it’s going to take a dramatic IOT-fueled incident of dysfunction and disaster before we stop doing the bare minimum, and begin taking the entire problem more seriously.
Filed Under: cybersecurity, fcc, iot, mark warner, tom wheeler
Comments on “The FCC Suggests Some Wishy Washy, Highly Unlikely Solutions To The Poorly-Secured Internet Of Things”
I am still scratching my head over WTF the FCC or FTC or any other US agency is going do that would have any effect here. The bulk of the IOT devices in recent attacks were built, sold and deployed outside of the US.
Re: Re:
About the only thing I can see anyone do, is implement a required certification program like UL for electricity or the FCC certification for wireless radios. If they are not certified they can not be sold on the US market. The problem is defining something that is unknown. Back in the day you could have chargen, SNMP, NTP, et al on the open internet and it was perfectly fine, now not so much. And for tomorrow, we have no clue what vulnerabilities will be discovered. Enforcing proper firewalls on end-users with default block rules will probably go a lot further, but someone will still just stick them on the outside for ease of use. So, I honestly can’t think of a good solution myself that will work for every idiot out there.
Re: Re: Re:
Bu-b-but regulation! Of course you realise that since government ruins everything it touches the security failings in the IOT must be of their making, right? /sarc
> when it comes to IOT security we’re going to be exactly where we started: waiting for gear makers to step up and take some responsibility for the fact they’re laziness has left us all immeasurably less secure
Gear makers don’t leave us insecure. Consumers make themselves insecure by purchasing insecure gear.
Not everyone is a pen-tester, but people should be security conscious about the stuff they buy (especially if the item happens to be a security camera!). I’d prefer education to regulation.
Re: Re:
Being security conscious I knew to ask whether my new internet-connected gas furnace is secure. The company said that it is. I also checked my Facebook feed for warnings.
[…]
What’s that smell?
Re: Re:
Re: Re:
After twenty years of non-technical people using Windows unsafely despite repeated warnings about how insecure it is, and Microsoft going to considerable lengths to make it painful to use the system in an insecure manner, people still use Windows in insecure ways. To me, that demonstrates an oft-stated truth: people abhor security measures that have any non-trivial cost and will demonstrate their preference by choosing the path of least resistance, even when it is demonstrably less secure. We see this in users’ choice of terrible passwords too. Educating such people might make them more aware that they are acting recklessly, but it will not, in most cases, motivate them to be careful.
Even setting aside that users will happily choose insecure products for even a small perceived convenience over the secure alternative, if there are no products on the market that are secure enough, what good does it do to create consumers who want to avoid buying insecure products? How many of those people will decide to buy nothing at all when presented with a catalogue of only insecure products?
I distrust regulation in this matter, but we got here because vendors have managed to absolve themselves of any responsibility whatsoever for the consequences of their shoddy work. We need some way to motivate them not to ship poor quality products. Convincing enough of their customers to shun them for doing a poor job is a nice idea, but very hard to make work at scale.
Re: Re: Re:
Right; this is what I meant by my seatbelt analogy. It is a well-established engineering truism at this point that it’s far, far easier to design a safer product than to make safer human beings.
Re: Re:
Education is all well and good, but often the information about security simply doesn’t exist.
Besides, keeping people up to date on security would be tough. Algorithms become deprecated all the time and to teach most people the difference between a hash and an encryption algorithm or what the difference is between a public and private key if they don’t have even the slightest interest in the subject will be next to impossible.
Instead I think there should be a required stamp or sticker on these products, after they have been tested. The picture should be of a lock and then either red, yellow, or green, depending on the security of the product.
Educating people on basic colors is much easier than educating them on IT security.
Re: Re: Re:
I should elaborate on that first line:
I meant that information about included security of the product simply doesn’t exist.
Re: Re: Re: Re:
No kidding to this.
I work in InfoSec. I knew the questions to ask. It took three months to find a security system after thieves broke in and took everything including the half used cans of house paint.
Go to a consumer security company’s website and try to figure out what are the make and models of any of the equipment they are selling. Good luck with that. Call their sales and support lines. There are a little better results there but comedy ensues when you try to learn about the manufacturers of the components inside. Never heard what crickets sound like? Ask about firmware versions.
We did the best that we possibly could including letting some folks I work with attack the darn things but it still feels like it is more of a wing-and-a-prayer situation.
Re: Re:
I think we should get rid of seatbelts and just teach everybody to be a safe driver.
Re: Re:
Every customer gets the security they deserve ?
Re: Re: Re:
The problem with the “every ____ gets the ____ they deserve” line, however it’s deployed, is that it tends to assume that the repercussions of poor and careless decisions only affect the people who made those decisions.
The thing about botnets is, the people who bought the crappy IoT gizmos that run them are usually not the ones being harmed by them.
And you can have a top-notch security team doing evertyhing right and it’s still not going to protect you against a DDoS attack of sufficient size.
“Cyberaccountability”?
Is that like normal accountability but involving a robe and wizard hat?
Re: Re:
I think it describes a dystopian future where the government tries to spy on everything everyone does 24-7 all the while wagging their finger at the public about all those bad things they are doing … and that they need to be held “accountable” for their transgressions. How dare you visit that librul website and read all that fake news !!!
Again where's the UL rating for these items
We hear about JD Powers rankings of cars everyday through advertising. Where’s the equivalent of the Underwriter Labs UL rating for these devices.
Put simply, DON’T BUY this crap unless is passes some rating system. That is something tangible that doesn’t need government involvement.
If anything the government should be pushing consumers into the hands of consumer oriented ranking systems.
Not approved, DO NOT BUY, not approved and goes into flames, the company SELLING the product should be liable as much as the manufacturer. Yes, WalMart, Amazon and all these giant commerce shops SHOULD be on the hook for not doing their due diligence.
You say the GOP is working to rewrite the Communications Act. Wouldn’t it be more accurate to say “some in GOP leadership”?
Not every Republican opposes Net Neutrality. Asserting otherwise fosters a perception that it’s pointless to educate and work with Republicans on supporting Net Neutrality.
Re: Re:
Isn’t it more like .. the GOP is asking their corporate overlords if they would like to write a few new laws.
Re: Re: Re:
Why do the Dems still pretend they aren’t corporate puppets too?
Re: Re: Re: Re:
I have no idea – not sure why you ask, is this pertinent?
Re: Re: Re:2 Re:
One presumes this is to balance the partisan books. The point is moot, however, until after the mid-term elections in two years’ time since the GOP now owns both Houses. The ball is squarely in their court.
if i know anything about americans....
….then I know we won’t react to this situation until it becomes time to overreact! it’s like clockwork…it’s all fun and games until someone gets hurt..then it’s time to pass reactionary legislation that actually does nothing but makes everyone feel better….pretty sure it goes something like that.
wouldn’t it be cheaper to simply outlaw connecting trivial crap to the internet? the cost of securing a bauble will surely dwarf the value of the thing.
that’s if the manufacturer can get by without the spy income component. that may make connection necessary. just make the public pay for the safe spying. thousand dollar tea kettle sounds about right.
The insecurity of “internet of things” is something that the spy agencies enjoy.
Aren't most of these devices built in China?
Makes you wonder.
What if...
It’s interesting how both buyers and makers of insecure things will react to: when your device takes part in DDoS attack at one specific site, your internet connection will be cutted (physicall and paper notice will be attached), no matter where you are on Earth(yes, this means some mistakes will happen like cutting apartment complex instead of specific flat). You can sue owner of system which did cutting but you won’t get anything from it. If connection is repaired it will work…until it takes part in DDoS again.
Yes, SciFi scenario. One I thinking about using in my book.
What people are used to
One of the biggest reasons why insecure products get bought is because consumers have been assured that things sold commercially are expected to be safe. Speaking of which – why is the DHS and FCC taking the lead when we have a Consumer Product Safety Commission? Do IoT devices have to catch fire or smother children to be eligible for scrutiny?
FCC Agency DeFanging
Maybe someone should point out to congressional representatives, that if they gut the FCC, ISPs will no longer need to lobby them and fuel their campaigns. All that sweet money they salivate over will go elsewhere.
You can now hack someone's sole:
Make ’em feel like they’re walking on hot coals…
http://www.theverge.com/circuitbreaker/2016/12/12/13921342/winter-heated-insoles-kickstarter-bluetooth
Leave ’em without a leg to stand on.
So, beyond simply avoiding IOT devices, how can i stave off impending doom ? Cave in northern Canada i guess
Seems to Me Something The Free Market May Solve
And I don’t say that every time!
So, we already have independent third party nationally recognized and trusted testing Laboratories like UL. UL provides a certification for thousands of consumer electronics devices, to assure the customer that they won’t shatter, catch fire, explode, short-circuit your home, emit too much RF, and a variety of other risks.
Many of the IoT products we’re talking about here (in these DDOS bot nets) already have UL certification. So
UL (or other certification labs) should add a test of whether a product meets some basic Internet security standards, and just make that part of their certification.
In fact, it’s kinda lame on them if they don’t do that already.
The market will take care of it
//…waiting for gear makers to step up and take some responsibility for the fact [they’re] their laziness has left us all immeasurably less secure, while bickering over whether regulatory over-reach on security could hinder the innovation in the IOT market. //
Now, now, Karl, know you not that the market will take care of it? Competition keeps you honest, and all that.
Yes indeed, through zero collective action via boycotting campaigns on the part of the public and completely sans regulation, consumers will decide of their own free will to either get something else or do without, thereby forcing the manufacturers to get their act together. Who needs the FCC and consumer protection when Randian fantasies can do the job so much better?
Make the device manufacturer financially liable for damage
Unlike most of my posts, this one is serious and not intended as sarcasm or parody.
Put the financial liability for damage caused by hacked devices upon the manufacturers of the device. Yes, seriously.
Let me head off several replies before anyone even replies. I’m NOT suggesting any sort of government certification or licensing or registration of devices. Just simply that if your device is hacked, the hacking results in financial damage, then the manufacturer has liability for the damages caused.
Simply don’t ship devices that are hackable. Impossible!, you say? If that is true, then don’t make any IoT devices. If it is impossible to prevent them from being used for massive damage, then why should you be making and selling them at all? That’s like saying it is impossible to make a toaster that won’t burn your house down. If true, then why should you be making or selling any toasters.
If it is possible to secure the devices, then do so. You might start looking at a lot of basic things like:
* highly limit what internet ports your device uses
* no default passwords
* no back doors
* use digitally signed software updates to ensure they are from the manufacturer
* no insecure protocols
* minimize exposed functionality to minimize attack surface
And other ideas to lock down your device. Steps like this substantially reduce the odds that your device will be hacked, and that you will incur liability from damages caused.
The problem that this fixes is that now device makers have a financial incentive to secure and lock down their devices. It isn’t impossible. Yes, it may cost some additional time and engineering in the design.
But just as I expect a toaster to not burn my house down, I expect IoT devices to not be instantly and trivially hackable.