The security around the development of Internet of Things products is weak and U.S. Sen. Mark R. Warner (D-Va.) today sent a letter to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS) to ask why and what can be done to fix the problem.
Sen. Mark Warner (D-VA)
In the letter Warner, who is member of the Senate Select Committee on Intelligence and co-founder of the bipartisan Senate Cybersecurity Caucus, asked questions such as: What types of network management practices are available for internet service providers to respond to DDoS threats? And would it be a reasonable network management practice for ISPs to designate insecure network devices as “insecure” and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses?
+More on Network World: DoJ: What does it take to prosecute federal computer crimes?+
“The weak security of many of the new connected consumer devices provides an attractive target for attackers, leveraging the bandwidth and processing power of millions of devices, many of them with few privacy or security measures, to swamp internet sites and servers with an overwhelming volume of traffic,” Sen. Warner said in a statement. “I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers.”
Weak security features in many of IoT products can enable access to user data by hackers, create easy entry points to home or work networks, and allow hackers to hijack devices into enormous botnets used to send crippling amounts of data to specific internet sites and servers, Warner said. “Botnets are frequently referred to as ‘zombie computers,’ the metaphor is appropriate: bad actors infect unsuspecting computers and network devices with malware, sending remote commands to hordes of compromised computers to maliciously cripple parts of the Internet. Experts say that is what occurred on [last] Friday, temporarily affecting Twitter, Netflix, PayPal and other popular sites.”
+More on Network World: Your robot doctor overlords will see you now+
The text of Sen. Warner’s letter to the Federal Communications Commission (FCC) looks like this:
October 25, 2016
The Honorable Tom Wheeler
Federal Communications Commission
445 12th Street S.W.
Washington, D.C. 20554
Dear Chairman Wheeler,
I have watched with growing concern over the past two months as an ever-larger network of infected devices has been leveraged to conduct the largest series of Distributed Denial of Service (DDoS) attacks ever recorded. According to global telecommunications provider Level 3 Communications, the ‘Mirai botnet’ has more than doubled since the source code was first made public on October 1st. The Mirai botnet functions by taking control of highly insecure devices, such as ‘Internet of Things’ (IoT) products, and using them to send debilitating levels of network traffic from these compromised devices to particular sites, web-hosting servers, and internet infrastructure providers. By infecting consumer devices with this malware, attackers can hijack the communications capabilities of users’ devices, using large numbers of them to flood sites and servers with overwhelming traffic. As the co-Chair of the Senate Cybersecurity Caucus, I invite your prompt response to a number of important questions raised by these incidents.
Sign up for Computerworld eNewsletters.