Letter to the Honorable Edith Ramirez, Chairwoman of the Federal Trade Commission - Regarding the Security Standards of Internet of Things Manufacturers

Letter

Date: Nov. 3, 2016
Location: Washington, DC

Dear Chairwoman Ramirez:

Investigators now believe that the recent hack against the internet routing company Dyn was powered by multiple massive "botnets" composed of vulnerable Internet of Things (IoT) devices.[1] This attack, which shut down an array of popular websites and services, including Amazon, PayPal, The New York Times, and Twitter, severely disrupted the economy, consumer access to news and entertainment, and could have endangered public safety. While unprecedented, this episode was hardly unpredictable and could just be a preview of what's to come if aggressive action is not taken to secure Internet connected devices. Too many IoT devices today remain shockingly deficient in basic security standards, making it far too easy for this kind of distributed denial-of-service attack to occur. As Ranking Member of the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, I write to ask you to hold accountable any IoT manufacturers that fail to implement reasonable security standards, and could therefore be complicit in the next attack.

Malicious botnets operate by commandeering tens of thousands of vulnerable internet-connected devices and directing them to conduct criminal activity unbeknownst to the consumer. Such activity can include theft of sensitive personal and financial information, intrusions into online bank accounts, identity theft, or, as happened in this most recent attack, the takedown of websites. Botnets, which thrive off of poorly protected IoT devices, cause more than $9 billion in harm to victims according to data gathered by the Department of Justice.[2]

One common strategy for hackers seeking to spread malicious malware and create botnets is to exploit common username and password pairs to gain access to a device. For example, devices that have "password" as their default password are easy to unlock. In an article uncovering who makes the IoT devices being used by botnets, security reporter Brian Krebs was able to link many of the devices to brand name companies that sell products in the United States.[3] He did this by matching to the respective IoT device maker, the 68 factory default username and password pairs contained in the source code of the "Mirai" botnet likely used in the recent attack. According to security researchers, the passwords on some of these IoT devices were hard-coded into the firmware and cannot even be remedied through a software patch or firmware update.[4] Even if the password can be changed, many devices do not automatically prompt users to change the default password. Companies that don't prompt users to immediately change passwords, use obvious default passwords, or keep open risky communication ports as the default, may not be taking reasonable steps to provide security. Companies that neglect to implement such basic security standards, leaving their customers and the internet so openly vulnerable to attacks, deserve FTC scrutiny.

Thus, it is incumbent upon the FTC to examine and identify whether any IoT manufacturers with username password pairs that can be exploited by botnets also sell products in the United States that are so deficient in basic security standards that it warrants an aggressive and thorough investigation by the Commission. I encourage you to use the guidance you published in January 2015 to assess whether manufacturers implemented reasonable security standards.[5] Even though many of the IoT devices conscripted into the recent attack may have originated from overseas, strong FTC action can help improve the security standards of IoT products around the world since the United States is such a significant market.

In addition, I respectfully ask for feedback on any creative remedies to rapidly remove from shelves and homes insecure products that cannot be updated without changing the hardware. As you know, the Food and Drug Administration coordinates recalls of unsafe food and drugs; the Consumer Product Safety Commission, recalls of consumer products that pose a threat to health and safety. However, there is no entity that currently coordinates or incentivizes the timely recall of products that do not necessarily pose a threat to health or safety, but may threaten personal privacy or national security. Furthermore, more publicized recalls of such insecure products could heighten consumer awareness regarding security risks associated with IoT devices and will encourage and educate consumers to look for adequate security in the products they purchase.

Thank you for your prompt attention to this critical and undoubtedly growing problem as more of our everyday products become connected to the Internet. I look forward to hearing your response.
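The letter describes the mechanism behind the Mirai-style botnets in plain terms: a scanner walks a list of factory-default username/password pairs against exposed telnet services, and devices that still use one of those pairs are conscripted. The following is an added example, not part of the letter and not code from any vendor, the FTC, or the Mirai source. It shows the two checks a practitioner would want on both sides of that problem: a device-side setup check that rejects a credential pair which is a factory default, equals the username, or is trivially short, and a log-side detector that flags a source address sweeping through several default pairs. The default-credential list and the telnet log lines are constructed for illustration; the list is a handful of generic pairs and is not the 68-entry list from the Mirai source, and it makes no claim about any particular manufacturer.

```python
"""Added example: reject factory-default credentials at device setup and
detect credential sweeps in a telnet auth log. Credential list and log
format are constructed for illustration, not taken from any real device."""

import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed list of generic factory-default pairs. It is deliberately
# small and is NOT the Mirai list; it makes no claim about any vendor.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "admin"),
    ("user", "user"),
    ("guest", "guest"),
    ("support", "support"),
}

TRIVIAL_PASSWORDS = {"password", "default", "12345678"}


def credential_policy_violations(username: str, password: str) -> List[str]:
    """Reasons a credential pair must be rejected during first-boot setup.

    An empty list means the pair passes these basic checks. A device that
    refuses to finish setup until this returns [] cannot ship with the
    default pair still active, which is the gap the letter describes."""
    reasons = []
    if (username, password) in DEFAULT_CREDENTIALS:
        reasons.append("factory-default pair")
    if password.lower() == username.lower():
        reasons.append("password equals username")
    if password.lower() in TRIVIAL_PASSWORDS:
        reasons.append("trivially guessable password")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    return reasons


# Constructed log format (hypothetical telnetd):
#   <timestamp> telnetd: login <ok|failed> user=<u> pass=<p> from <ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S*) from (?P<ip>\S+)$"
)


def detect_credential_sweeps(log_lines: Iterable[str], threshold: int = 3) -> Dict[str, dict]:
    """Flag source IPs that tried at least `threshold` distinct default pairs.

    Returns {ip: {"default_pairs": n, "succeeded": bool}} for flagged IPs.
    A legitimate user mistyping one password never reaches the threshold;
    a scanner iterating a default-credential list does within seconds."""
    pairs_by_ip = defaultdict(set)
    success_by_ip = defaultdict(bool)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        pair = (m["user"], m["pw"])
        if pair in DEFAULT_CREDENTIALS:
            pairs_by_ip[m["ip"]].add(pair)
            if m["result"] == "ok":
                success_by_ip[m["ip"]] = True
    return {
        ip: {"default_pairs": len(pairs), "succeeded": success_by_ip[ip]}
        for ip, pairs in pairs_by_ip.items()
        if len(pairs) >= threshold
    }


# Constructed sample log: one scanner sweeping defaults, one normal user.
SAMPLE_LOG = """\
2016-11-01T11:10:01Z telnetd: login failed user=root pass=root from 198.51.100.7
2016-11-01T11:10:02Z telnetd: login failed user=admin pass=admin from 198.51.100.7
2016-11-01T11:10:03Z telnetd: login failed user=admin pass=1234 from 198.51.100.7
2016-11-01T11:10:04Z telnetd: login ok user=support pass=support from 198.51.100.7
2016-11-01T11:12:40Z telnetd: login failed user=alice pass=hunter2x from 203.0.113.5
2016-11-01T11:12:45Z telnetd: login ok user=alice pass=correct-horse from 203.0.113.5
""".splitlines()


if __name__ == "__main__":
    print(credential_policy_violations("admin", "admin"))
    print(detect_credential_sweeps(SAMPLE_LOG))
```

The setup check addresses the letter's point that many devices never prompt for a password change: run at first boot and gating the rest of provisioning, it makes the default pair unusable rather than merely discouraged. The log detector is the operator-side view of the same weakness; a source that hits several distinct default pairs in a short burst is almost certainly a scanner, and a successful login at the end of such a burst is the moment a device joins a botnet. Note that neither check helps a device whose password is hard-coded in firmware, as the letter notes, because there is no credential store to change.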
