The security around the development of Internet of Things products is weak, and U.S. Sen. Mark R. Warner (D-Va.) today sent a letter to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS) to ask why and what can be done to fix the problem.
In the letter Warner, who is a member of the Senate Select Committee on Intelligence and co-founder of the bipartisan Senate Cybersecurity Caucus, asked questions such as: What types of network management practices are available for internet service providers to respond to DDoS threats? And would it be a reasonable network management practice for ISPs to designate insecure network devices as “insecure” and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses?
“The weak security of many of the new connected consumer devices provides an attractive target for attackers, leveraging the bandwidth and processing power of millions of devices, many of them with few privacy or security measures, to swamp internet sites and servers with an overwhelming volume of traffic,” Sen. Warner said in a statement. “I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers.”
Weak security features in many IoT products can enable access to user data by hackers, create easy entry points to home or work networks, and allow hackers to hijack devices into enormous botnets used to send crippling amounts of data to specific internet sites and servers, Warner said. “Botnets are frequently referred to as ‘zombie computers,’ the metaphor is appropriate: bad actors infect unsuspecting computers and network devices with malware, sending remote commands to hordes of compromised computers to maliciously cripple parts of the Internet. Experts say that is what occurred on [last] Friday, temporarily affecting Twitter, Netflix, PayPal and other popular sites.”
The text of Sen. Warner’s letter to the Federal Communications Commission (FCC) reads as follows:
October 25, 2016
The Honorable Tom Wheeler
Federal Communications Commission
445 12th Street S.W.
Washington, D.C. 20554
Dear Chairman Wheeler,
I have watched with growing concern over the past two months as an ever-larger network of infected devices has been leveraged to conduct the largest series of Distributed Denial of Service (DDoS) attacks ever recorded. According to global telecommunications provider Level 3 Communications, the ‘Mirai botnet’ has more than doubled since the source code was first made public on October 1st. The Mirai botnet functions by taking control of highly insecure devices, such as ‘Internet of Things’ (IoT) products, and using them to send debilitating levels of network traffic from these compromised devices to particular sites, web-hosting servers, and internet infrastructure providers. By infecting consumer devices with this malware, attackers can hijack the communications capabilities of users’ devices, using large numbers of them to flood sites and servers with overwhelming traffic. As the co-Chair of the Senate Cybersecurity Caucus, I invite your prompt response to a number of important questions raised by these incidents.
While the precise form of Mirai’s attacks is not new, the scale of these volumetric attacks is unprecedented. The weak security of many IoT devices provides an attractive target for DDoS attackers, leveraging the bandwidth and processing resources of millions of connected devices. Botnets are frequently referred to as “zombie computers” and the metaphor is fitting: bad actors infect unsuspecting computers and network devices with malware, sending remote commands to hordes of compromised computers. Analysts have also noted the dynamic nature of Mirai Command and Control (C&C) servers (platforms used by attackers to send these remote commands to the botnets), with the malicious operator or operators switching C&C servers far more rapidly than in past botnet attacks. The United States Computer Emergency Readiness Team (US-CERT) notes in its alert that the release of the Mirai source code has increased the risk of similar botnets being created, acknowledging at least one new separate malware family leveraging IoT vulnerabilities in a manner similar to Mirai.
Mirai’s efficacy depends, in large part, on the unacceptably low level of security inherent in a vast array of network devices. Attackers perform wide-ranging scans of IP addresses, searching for devices with poor security features such as factory default or hard-coded (i.e., unchangeable) passwords, publicly accessible remote administration ports (akin to open doors), and susceptibility to brute force attacks. In my June 6th letter to the Federal Trade Commission (FTC), I raised serious concerns with the proliferation of these insecure connected consumer products, noting that the “ever-declining cost of digital storage and internet connectivity have made it possible to connect an unimaginable range of products and services to the Internet,” potentially without adequate market incentives to adopt appropriate privacy and security measures. Juniper Research has projected that by the end of 2020, the number of IoT devices will grow from 13.4 to 38.5 billion – yet there is no requirement that devices incorporate even minimal levels of security. The internet’s open architecture has been a catalyst for its growth, allowing an enormous range of devices and services to connect to a global, interoperable network. The lack of gating functions, however, has potentially created a systemic risk to the resiliency of the internet.
Additionally, the global nature of the supply chain for such devices requires attention not just to the final product integrator’s practices, but also to that of suppliers throughout the manufacturing process. In the recent Mirai botnet, researchers have identified a single software supplier as responsible for vulnerabilities in a wide range of manufacturers’ products, with Flashpoint concluding that over 500,000 connected devices were vulnerable to Mirai because of an exploitable component from a single vendor’s management software. Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support. And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics. Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur.
Under the Federal Communications Commission’s (FCC’s) Open Internet rules, ISPs cannot prohibit the attachment of “non-harmful devices” to their networks. It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the “network” – whether the ISP’s own network or the networks to which it is connected. While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area.
DDoS attacks can be powerful tools for censorship, criminal extortion, or nation-state aggression. Tools such as Mirai source code, amplified by an embedded base of insecure devices worldwide, accomplish more than isolated nuisance; these are capabilities – weapons even – that can debilitate entire ranges of economic activity. While the internet was not designed with security in mind, its resiliency – which serves as its animating principle – is now being undermined.
I respectfully request that you respond to the following questions:
1. What types of network management practices are available for internet service providers to respond to DDoS threats? In the FCC’s Open Internet Order, the Commission suggested that ISPs could take such steps only when addressing “traffic that constitutes a denial-of-service attack on specific network infrastructure elements.” Is it your agency’s opinion that the Mirai attack has targeted “specific network infrastructure elements” to warrant a response from ISPs?
2. Would it be a reasonable network management practice for ISPs to designate insecure network devices as “insecure” and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses? Would such practices require refactoring of router software, and if so, does this complicate the feasibility of such an approach?
3. What advisories to, or direct engagement with, retailers of IoT devices have you engaged in to alert them of the risks of certain devices they sell? Going forward, what attributes would help inform your determination that a particular device poses a risk warranting notice to retailers or consumers?
4. What strategies would you pursue to take devices deemed harmful to the network out of the stream of commerce? Are there remediation procedures vendors can take, such as patching? What strategy would you pursue to deactivate or recall the embedded base of consumer devices?
5. What consumer advisories have you issued to alert consumers to the risks of particular devices?
6. Numerous reports have indicated that users often fail to install relevant updates, despite their availability. To the extent that certain device security capabilities can be improved with software or firmware updates, how will you ensure that these updates are implemented?
7. Do consumers have meaningful ability to distinguish between products based on their security features? Are formal, or third-party, metrics needed to establish a baseline for consumers to evaluate products? If so, has your agency taken steps to create or urge the creation of such a baseline?
8. Should manufacturers have to abide by minimum technical security standards? Has your agency discussed the possibility of establishing meaningful security standards with the National Institute of Standards and Technology?
9. What is the feasibility, including in terms of additional costs to manufacturers, of device security testing and certification, akin to current equipment testing and certification of technical standards conducted by the Federal Communications Commission under 47 CFR Part 2?
I look forward to your response.
Mark R. Warner
United States Senator