The FCC Suggests Some Wishy Washy, Highly Unlikely Solutions To The Poorly-Secured Internet Of Things
from the dumb-is-the-new-smart dept
So we've noted how the surge in the internet-of-poorly-secured things has put us all at risk by introducing thousands of new attack vectors in homes and businesses around the world. We've also noted that the rise of these not-so-smart cameras, toys and hackable tea kettles has resulted in a spike in larger DDoS attacks than we've ever seen before, as these devices are compromised and used maliciously within minutes of being connected to the internet. Many security experts have started to warn us that it's only a matter of time before the check comes due, potentially involving infrastructure failure and mass fatalities.

Rather unsurprisingly, this has led to a renewed call for some kind of regulation to hold gear-makers accountable for shipping poorly-secured product. So far, however, the most we're seeing on the policy solution front are relatively shallow missives pushed by folks like the Department of Homeland Security. The DHS's "non-binding strategic principles" recently included recommendations along the lines of "hey, guys, maybe some of you should actually probe your product for vulnerabilities before shipping it to consumers?" and "uh, perhaps companies should think about security a little bit during the product design phase?"
FCC boss Tom Wheeler also appears to be vaguely exploring the idea of regulating the internet of things space with an eye on avoiding an IOT-induced cyber-apocalypse. In a letter by Wheeler to Senator Mark Warner (pdf), Wheeler advocates an FCC-mandated cybersecurity certification process for IOT devices, as well as a system to apply "consumer cybersecurity labels" for IoT devices and associated services. In the letter, Wheeler argues that this is one scenario in which industry self regulation hasn't worked, and may not work down the road:
"I do, however, share your concern that we cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities. As private actors, ISPs operate in economic environments that pressure them to not take those steps, or to take them minimally. Given the interconnected nature of broadband networks, protective actions taken by one ISP against cyberthreats can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to take such protections. Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively."

Wheeler's responding to an October letter from Warner regarding the Dyn DDoS attack, which was fueled by IOT devices. But like the DHS's recommendations few companies will actually follow, Wheeler's letter similarly leans heavily on ambiguities and lip service, while realizing the FCC's precarious current position. Buried under some oblique references to the FCC's Open Internet Order (Wheeler really only says that ISPs can manage these threats without running afoul of net neutrality), the baseline message is that industry needs to step up and fix its own problem:
"In 2014, I initiated a new paradigm for how the FCC would address cybersecurity for our nation's communications networks and services. I stated that it begins with private sector leadership that recognizes how easily cyber threats cross corporate and national boundaries and that, because of this, the communications sector must step up its responsibility and accountability for cyber risk management."

While stories like this one over at Morning Consult engage in a lot of hand-wringing about the FCC engaging in regulatory over-reach, there's little to no actual chance of Wheeler's ideas actually being implemented. Wheeler is set to step down as chairman on January 20, and Trump's incoming telecom advisors have made it abundantly clear their top priority will be not only eliminating the FCC's net neutrality rules, but working to defang and defund the agency. The GOP is also cooking up a Communications Act rewrite now that it has Congressional and White House control that will similarly aim to hamstring the regulator.
A defunded and weakened FCC will likely be in no position to dramatically expand its authority into regulation of internet of things devices. In fact, it will likely mean the erosion of many FCC rules that already exist now. In other words, when it comes to IOT security we're going to be exactly where we started: waiting for gear makers to step up and take some responsibility for the fact that their laziness has left us all immeasurably less secure, while bickering over whether regulatory over-reach on security could hinder innovation in the IOT market.
Meanwhile, it's going to take a dramatic IOT-fueled incident of dysfunction and disaster before we stop doing the bare minimum, and begin taking the entire problem more seriously.
Reader Comments
Gear makers don't leave us insecure. Consumers make themselves insecure by purchasing insecure gear.
Not everyone is a pen-tester, but people should be security conscious about the stuff they buy (especially if the item happens to be a security camera!). I'd prefer education to regulation.
Re:
Being security conscious I knew to ask whether my new internet-connected gas furnace is secure. The company said that it is. I also checked my Facebook feed for warnings.
[...]
What's that smell?
Re:
I totally agree with your thoughts here, security education is a far better way of dealing with this, though there are limits to education as well. I tell friends and family why they shouldn't buy something all the time, giving facts and rationale, but most of the time I get "so, who cares, I don't have anything a hacker would ever want." This even after I explain that the criminals out there want their identity, their credit, their bank accounts, etc., and most of those exist on their computer.
But the issue is that most manufacturers won't even open up their firmware so that security researchers can look at them, much less let their customers know of potential risks. They don't want to lose their profit margin by being able to "expire" equipment less than a year old by no longer supporting it, making their customers get on the endless device obsolescence model they currently have. There are some niche groups, including security camera vendors, where all you can get is cameras with clunky, closed source, and poorly supported firmware, and unless someone goes in and makes this illegal, the companies aren't going to change.
Re:
After twenty years of non-technical people using Windows unsafely despite repeated warnings about how insecure it is, and Microsoft going to considerable lengths to make it painful to use the system in an insecure manner, people still use Windows in insecure ways. To me, that demonstrates an oft-stated truth: people abhor security measures that have any non-trivial cost and will demonstrate their preference by choosing the path of least resistance, even when it is demonstrably less secure. We see this in users' choice of terrible passwords too. Educating such people might make them more aware that they are acting recklessly, but it will not, in most cases, motivate them to be careful.
Even setting aside that users will happily choose insecure products for even a small perceived convenience over the secure alternative, if there are no products on the market that are secure enough, what good does it do to create consumers who want to avoid buying insecure products? How many of those people will decide to buy nothing at all when presented with a catalogue of only insecure products?
I distrust regulation in this matter, but we got here because vendors have managed to absolve themselves of any responsibility whatsoever for the consequences of their shoddy work. We need some way to motivate them not to ship poor quality products. Convincing enough of their customers to shun them for doing a poor job is a nice idea, but very hard to make work at scale.
Re: Re:
Right; this is what I meant by my seatbelt analogy. It is a well-established engineering truism at this point that it's far, far easier to design a safer product than to make safer human beings.
Re:
Besides, keeping people up to date on security would be tough. Algorithms become deprecated all the time and to teach most people the difference between a hash and an encryption algorithm or what the difference is between a public and private key if they don't have even the slightest interest in the subject will be next to impossible.
Instead I think there should be a required stamp or sticker on these products, after they have been tested. The picture should be of a lock and then either red, yellow, or green, depending on the security of the product.
Educating people on basic colors is much easier than educating them on IT security.
Re: Re:
I should elaborate on that first line: I meant that information about included security of the product simply doesn't exist.
Re: Re: Re:
I work in InfoSec. I knew the questions to ask. It took three months to find a security system after thieves broke in and took everything including the half used cans of house paint.
Go to a consumer security company’s website and try to figure out what are the make and models of any of the equipment they are selling. Good luck with that. Call their sales and support lines. There are a little better results there but comedy ensues when you try to learn about the manufacturers of the components inside. Never heard what crickets sound like? Ask about firmware versions.
We did the best that we possibly could including letting some folks I work with attack the darn things but it still feels like it is more of a wing-and-a-prayer situation.
Re:
I think we should get rid of seatbelts and just teach everybody to be a safe driver.
Re: Re:
The thing about botnets is, the people who bought the crappy IoT gizmos that run them are usually not the ones being harmed by them.
And you can have a top-notch security team doing everything right and it's *still* not going to protect you against a DDoS attack of sufficient size.
Is that like normal accountability but involving a robe and wizard hat?
Again where's the UL rating for these items
Put simply, DON'T BUY this crap unless it passes some rating system. That is something tangible that doesn't need government involvement.
If anything the government should be pushing consumers into the hands of consumer oriented ranking systems.
Not approved, DO NOT BUY, not approved and goes into flames, the company SELLING the product should be liable as much as the manufacturer. Yes, WalMart, Amazon and all these giant commerce shops SHOULD be on the hook for not doing their due diligence.
Not every Republican opposes Net Neutrality. Asserting otherwise fosters a perception that it's pointless to educate and work with Republicans on supporting Net Neutrality.
if i know anything about americans....
that's if the manufacturer can get by without the spy income component. that may make connection necessary. just make the public pay for the safe spying. thousand dollar tea kettle sounds about right.
Aren't most of these devices built in China?
What if...
Yes, SciFi scenario. One I'm thinking about using in my book.
What people are used to
FCC Agency DeFanging
You can now hack someone's sole:
http://www.theverge.com/circuitbreaker/2016/12/12/13921342/winter-heated-insoles-kickstarter-bluetooth
Leave 'em without a leg to stand on.
Seems to Me Something The Free Market May Solve
So, we already have independent third party nationally recognized and trusted testing Laboratories like UL. UL provides a certification for thousands of consumer electronics devices, to assure the customer that they won't shatter, catch fire, explode, short-circuit your home, emit too much RF, and a variety of other risks.
Many of the IoT products we're talking about here (in these DDOS bot nets) already have UL certification. So UL (or other certification labs) should add a test of whether a product meets some basic Internet security standards, and just make that part of their certification.
In fact, it's kinda lame on them if they don't do that already.
The market will take care of it
Now, now, Karl, know you not that the market will take care of it? Competition keeps you honest, and all that.
Yes indeed, through zero collective action via boycotting campaigns on the part of the public and completely sans regulation, consumers will decide of their own free will to either get something else or do without, thereby forcing the manufacturers to get their act together. Who needs the FCC and consumer protection when Randian fantasies can do the job so much better?
Make the device manufacturer financially liable for damage
Put the financial liability for damage caused by hacked devices upon the manufacturers of the device. Yes, seriously.
Let me head off several replies before anyone even replies. I'm NOT suggesting any sort of government certification or licensing or registration of devices. Just simply that if your device is hacked, the hacking results in financial damage, then the manufacturer has liability for the damages caused.
Simply don't ship devices that are hackable. Impossible!, you say? If that is true, then don't make any IoT devices. If it is impossible to prevent them from being used for massive damage, then why should you be making and selling them at all? That's like saying it is impossible to make a toaster that won't burn your house down. If true, then why should you be making or selling any toasters?
If it is possible to secure the devices, then do so. You might start looking at a lot of basic things like:
* highly limit what internet ports your device uses
* no default passwords
* no back doors
* use digitally signed software updates to ensure they are from the manufacturer
* no insecure protocols
* minimize exposed functionality to minimize attack surface
And other ideas to lock down your device. Steps like this substantially reduce the odds that your device will be hacked, and that you will incur liability from damages caused.
The problem that this fixes is that now device makers have a financial incentive to secure and lock down their devices. It isn't impossible. Yes, it may cost some additional time and engineering in the design.
But just as I expect a toaster to not burn my house down, I expect IoT devices to not be instantly and trivially hackable.
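The "digitally signed software updates" item in the list above is the one most often skipped on cheap devices, and it is also the cheapest to get right. What follows is an added example, not code from this thread or from any vendor: a Go sketch of the check a device's update installer would run before writing a new firmware image to flash. It verifies an Ed25519 signature over the whole image with the manufacturer's public key, refuses to interpret any byte of the image until that check passes, and then rejects images whose version is not newer than the one already installed (anti-rollback, so a signed but known-bad old image cannot be pushed back onto the device). The image layout (a 4-byte big-endian version prefix followed by the payload), the key pair, and the payload bytes are all constructed for the example; a real device would ship the public key in read-only storage and keep the installed version in a monotonic counter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image format for this example: 4-byte big-endian version, then payload.
// The signature covers the entire image so the version field is authenticated too.
const versionLen = 4

var (
	ErrTooShort     = errors.New("firmware image too short")
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version not newer than installed version")
)

// Verifier is the device-side state: the vendor's public key (burned in at manufacture)
// and the highest firmware version already installed.
type Verifier struct {
	PubKey         ed25519.PublicKey
	CurrentVersion uint32
}

// Verify returns the image's version and nil only if the image is authentic and newer
// than what is installed. Untrusted bytes are not parsed until the signature checks out.
func (v *Verifier) Verify(image, sig []byte) (uint32, error) {
	if len(image) < versionLen {
		return 0, ErrTooShort
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(v.PubKey, image, sig) {
		return 0, ErrBadSignature
	}
	ver := binary.BigEndian.Uint32(image[:versionLen])
	if ver <= v.CurrentVersion {
		return ver, ErrRollback
	}
	return ver, nil
}

// BuildImage and Sign model the vendor's build pipeline, included so the example runs offline.
func BuildImage(version uint32, payload []byte) []byte {
	image := make([]byte, versionLen, versionLen+len(payload))
	binary.BigEndian.PutUint32(image, version)
	return append(image, payload...)
}

func Sign(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// Demo exercises three cases on a device that already runs version 1:
// a valid v2 update, the same update with one flipped byte, and a signed v1 image.
func Demo() (fresh, tampered, rollback error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	dev := &Verifier{PubKey: pub, CurrentVersion: 1}

	image := BuildImage(2, []byte("constructed firmware payload v2"))
	sig := Sign(priv, image)
	_, fresh = dev.Verify(image, sig)

	bad := append([]byte(nil), image...)
	bad[len(bad)-1] ^= 0x01 // one-bit corruption: signature must no longer verify
	_, tampered = dev.Verify(bad, sig)

	old := BuildImage(1, []byte("constructed firmware payload v1"))
	_, rollback = dev.Verify(old, Sign(priv, old)) // authentic, but not newer
	return fresh, tampered, rollback
}

func main() {
	fresh, tampered, rollback := Demo()
	fmt.Println("valid v2 update:  ", fresh)
	fmt.Println("tampered image:   ", tampered)
	fmt.Println("rollback to v1:   ", rollback)
}
```

The order of the checks is the point: the installer authenticates the blob before it parses so much as the version number, so a malformed header cannot reach any parsing code unless it was signed by the vendor's key. Rollback protection matters because "signed" only means "the vendor shipped this at some time", not "this is safe to run today".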