Should Insecure IoT Devices Be Banned?

After the Mirai botnet was recently used to bring down large portions of cyberspace, there have been new calls for regulating Internet of Things (IoT) devices. Since the voluntary IoT security approach is clearly failing, what can we expect moving forward? Are better standards needed? Should government mandate more security for IoT devices for consumer protection? Let’s explore.

by / October 30, 2016

After plenty of talk and minimal action on securing new Internet of Things (IoT) devices for several years, many security and technology industry experts knew this was coming.

Indeed, a majority in the security community have been predicting this outcome — with 2016 security predictions from last year full of examples of IoT troubles ahead. The message to global manufacturers: “Get your IoT house in order, or else. ...”

Well — perhaps the “or else” has arrived regarding insecure smart devices. But before we delve into potential regulatory actions or other responses, here’s some background. But is there more to come? Almost certainly.

Background on Recent Distributed Denial of Service (DDoS) Attacks

This IoT Journal article provides some good background on the recent DDoS Attacks prior to Oct. 21 DDoS attack on Dyn’s Domain Name Service (DNS). Here’s an excerpt:

On Sept. 20, that is what happened — except that rather than targeting a household brand, the hackers took aim at an investigative reporter, Brian Krebs, who covers cybersecurity.

In an attempt to take down his website, KrebsonSecurity, hackers infected a massive network of computers with malware, creating a botnet that perpetrated the largest distribution denial-of-service (DDoS) attack ever recorded.

And then, a major DDoS cyberattack brought down almost half the Internet on Oct. 21, 2016.

Twitter, Spotify and Reddit, and a huge swath of other websites were down or screwed up this morning. This was happening as hackers unleashed a large distributed denial of service (DDoS) attack on the servers of Dyn, a major DNS host. It’s probably safe to assume that the two situations are related.

Update 12:28 PM EST: Dyn says it is investigating yet another attack, causing the same massive outages experienced this morning. Based on emails from Gizmodo readers, this new wave of attacks seems to be affecting the West Coast of the United States and Europe. It’s so far unclear how the two attacks are related, but the outages are very similar.

Update 4:22 PM EST: Looks like this is probably going to get even worse before it gets any better. Dyn says they are being hit with a third wave of attacks. Dyn told CNBC the attack is “well planned and executed, coming from tens of millions IP addresses at the same time.”

Here are some more details on what happened in this latest DDoS attack on Dyn, released on Oct. 28, 2016.

Hilton explained the early estimates of tens of millions of IP addresses were due to "the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data, but the estimate at the time of this report is up to 100,000 malicious endpoints."

"We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets," Hilton wrote. "Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers."

This incident led to recalls of some IoT products by many global manufacturers, such as this recalled Web camera which is made in China.

Chinese electronics firm Xiongmai is initiating a product recall after the enormous hacking attack that took down much of the internet on the east coast of the US and also affected Europe on Friday.

The root of the attack, which took the form of a distributed denial of service attack (DDoS), was a network of hacked “Internet of Things” devices, such as webcams and digital recorders, many of which were made by Xiongmai.

New Calls for Regulation and IoT Oversight

After the DDoS and Internet outages, there have been plenty of reactions, such as Sen. Mark Warner asking the FCC whether ISPs can block insecure ISP devices. Here’s an excerpt:

“Mirai’s efficacy depends, in large part, on the unacceptably low level of security inherent in a vast array of network devices. Attackers perform wide-ranging scans of IP addresses, searching for devices with poor security features such as factory default or hard-coded (i.e., unchangeable) passwords, publicly accessible remote administration ports (akin to open doors), and susceptibility to brute force attacks,” Warner said in his letter to FCC Chairman Thomas Wheeler.

“In my June 6th letter to the Federal Trade Commission (FTC), I raised serious concerns with the proliferation of these insecure connected consumer products, noting that the ‘ever-declining cost of digital storage and Internet connectivity have made it possible to connect an unimaginable range of products and services to the Internet,’ potentially without adequate market incentives to adopt appropriate privacy and security measures.”

Meanwhile, Business Insider’s Rob Price wrote that the government needs to step in and save the Internet from hacked toasters. “The Internet is facing an unprecedented threat from toasters — and calls are mounting for governments to step in and fix things.”

The article goes on to also give a contrarian view from Rob Graham. He pointed out that even if some nations did legislate against insecure IoT devices, it would do little to affect those sold in other jurisdictions — which could then be used for attacks.

"Morons think U.S. should pass a software liability law that will somehow affect Chinese devices sold to Ukraine," he wrote on Twitter.

In another post DDoS response example, Technobuffalo.com responded with calls for regulation, not recalls, as the answer for the Mirai botnet. “This is certainly a topic that will continue to make headlines. It’s now our job to call on manufacturers and, indeed, the government, to create regulations for stricter security in connected devices. Unfortunately, millions of insecure products are still on the market. A recall of 10,000 will hardly make a difference, even if it’s a step in the right direction.”

IoT Perspectives from the Wisconsin Cyber Summit 2016

I was in Madison, Wisc., this past week to present on Securing IoT at Gov. Scott Walker’s 4th Cybersecurity Summit.

The opening keynote was given by Dr. P.W. Singer on The Future of Technology and Geopolitics. His remarks also addressed the reasons that securing IoT devices will be so hard moving forward and the top challenges we face. Here they are:

  1. Manufacturers of IoT devices are generally not computer or security companies. They don’t see security as their role or responsibility.
  2. The liability landscape is totally different with connected devices in an IoT world. For example, historically, the liability for kitchen appliances has been limited to not have malfunctioning cause fires or injury in using the device. But connected devices that are hacked can be used to cause harm in new ways.
  3. Manufacturers continue to prioritize convenience over security. This space is fast moving, and the ‘first to market’ push is relentless.
  4. There are few incentives (currently) to get security right. However, regulation is likely coming.

That last point is one that I certainly agree with.

While I would prefer to see voluntary action taken by industry rather than new regulation, it appears that the voluntary approach is not working.

However, I think we are still a long way from seeing banned IoT devices, in the same way we have the Samsung Galaxy Note 7 currently banned on U.S. airline flights due to the risk of fire. Could some devices eventually be banned? Perhaps, but I suspect we will start seeing stronger standards being implemented first.

Final Thoughts

My presentation in Wisconsin focused on our need to learn from history and not just be naysayers on IoT. I discussed what I have learned about enabling security through my experiences with Wi-Fi and BYOD. I ended my IoT presentation this week with a list of recommendations that I will share with you now.

Consumers should:

  1. Before you buy a wearable or other IoT device, google its name together with the word "hack," and also with the word "fraud" or "scam." This will alert you to published problems and enable you to make more informed decisions.
  2. Set up your wearable and any associated online accounts with an obscure user name and unique passwords, all of which should be hard to guess.
  3. CHANGE DEFAULT passwords on all IoT devices.
  4. Read the privacy policy of any device and app you currently use or plan to use. Look closely at privacy assurances. Decide how serious you think the company is about protecting your data.
  5. Be prepared not to use certain features or apps if you do not feel the provider is serious about security and could potentially expose sensitive information.
  6. USE THE SECURITY FEATURES PROVIDED!
  7. Stay engaged, updated and informed as things change.
  8. Consider using a separate Wi-Fi network for IoT at home and work. That is, don’t share with your PCs or other network devices.
  9. Get Help — Ask questions of manufacturers. Don’t assume anything regarding security.
  10. Re-examine your smartphone security — which is becoming the universal remote to IoT — and life

For connected device manufacturers, I offered this advice a few weeks back about utilizing the new Cloud Security Alliance (CSA) Guide for Securing IoT Products. In my Wisconsin Cybersecurity Summit presentation, I also encouraged IoT vendors to:

  • Prepare your incident response plan so that you can react appropriately in the event of a data breach. Remember, folks who are likely to use fitness trackers are also likely to be active on social media.
  • You can make more money selling secure systems than insecure ones.
  • Cybersecurity of the device is as important as the device itself.
  • Pay for a professional penetration test.

I leave you with this quote from William Pollard: "Learning and innovation go hand in hand. The arrogance of success is to think that what you did yesterday will be sufficient for tomorrow."