Remember those halcyon days when the worst a hacker could do with your connected camera was use it to spy on you while you were getting changed at home? That ended last Friday, when unknown attackers marshaled an army of similar cameras and other “Internet of Things” devices to shut down access to major websites across much of the United States.
That’s a serious issue for anybody reading this. If a bunch of amateurs can use hacked IoT devices to stage a distributed denial-of-service (DDoS) attack that knocks a major DNS provider offline for hours, taking the sites that depend on it with it, imagine the risks when pros wield the same publicly released malware, called Mirai, that ran the assault.
“Even if the vendor releases firmware that can patch some of this, do most end users know how to patch firmware on an IoT device?” asked Akamai principal security researcher Ryan Barnett at a security conference in Washington Thursday.
And that’s assuming they get as far as downloading the update, which may be tough if they don’t know which company made the IoT device in question.
Xiongmai told Reuters and other news outlets that it will stage a recall, but how will U.S. customers know? They won’t necessarily know if Xiongmai’s hardware is inside their devices, and Xiongmai’s only direct announcement seems to have taken place on China’s QQ social network.
An e-mail sent Tuesday to the company went unanswered.
The recipe for making a secure IoT device shouldn’t be that complex: Ship every product with a unique, randomly generated admin password per unit (not one shared across a model or derivable from the serial number), with the least exposure to the internet required to do its job (no remote-management services reachable from the outside), and with an automatic update system that installs only updates signed by the vendor.
Then give shoppers a simple way to pick out safe devices in the store. Underwriters Laboratories’ safety labels often come up as the model, followed by a request that UL do the same for cybersecurity.
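As an added illustration of two of those three ingredients (this is example code written for this article, not firmware from any vendor named here): a per-unit random admin password generated on the provisioning line, and the device-side gate an automatic updater should pass before writing an image to flash. The update layout (an 8-byte version followed by the image, with an Ed25519 signature over both) and the function names are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Characters printed on the device label; ambiguous glyphs (0/O, 1/l/I) are left out.
const passwordAlphabet = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

// NewDevicePassword draws a fresh admin password for one unit from the OS CSPRNG.
// It is deliberately NOT derived from the serial number or MAC address: anything
// an attacker can read off the network must not let them compute the password.
// rand.Int gives a uniform index, avoiding the modulo bias of `byte % len`.
func NewDevicePassword(length int) (string, error) {
	out := make([]byte, length)
	alphabetSize := big.NewInt(int64(len(passwordAlphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, alphabetSize)
		if err != nil {
			return "", err
		}
		out[i] = passwordAlphabet[n.Int64()]
	}
	return string(out), nil
}

// FirmwareImage is a signed update as the device receives it (layout assumed for
// this example): the signature covers version || image, so neither can be swapped.
type FirmwareImage struct {
	Version   uint64
	Image     []byte
	Signature []byte
}

func signedBytes(version uint64, image []byte) []byte {
	buf := make([]byte, 8+len(image))
	binary.BigEndian.PutUint64(buf[:8], version)
	copy(buf[8:], image)
	return buf
}

// GenerateVendorKey creates the vendor's signing key pair. The private half lives
// on the vendor's build signer; only the public half is burned into the device.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignFirmware is the vendor-side step run when a release is built.
func SignFirmware(priv ed25519.PrivateKey, version uint64, image []byte) FirmwareImage {
	return FirmwareImage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedBytes(version, image)),
	}
}

var (
	ErrBadSignature = errors.New("firmware: signature does not verify against the vendor key")
	ErrRollback     = errors.New("firmware: version is not newer than the installed one")
)

// VerifyUpdate is the device-side gate an auto-updater must pass before writing
// anything to flash. Signature first (so an attacker-controlled version field is
// never trusted), then a strict monotonic version check to block rollback to a
// known-vulnerable release.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint64, fw FirmwareImage) error {
	if !ed25519.Verify(vendorPub, signedBytes(fw.Version, fw.Image), fw.Signature) {
		return ErrBadSignature
	}
	if fw.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	pw, err := NewDevicePassword(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("label password for this unit:", pw)

	// Constructed sample image; a real one would be the full flash payload.
	good := SignFirmware(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine v2 onto v1:", VerifyUpdate(pub, 1, good))
	fmt.Println("genuine v2 onto v2:", VerifyUpdate(pub, 2, good))
	tampered := good
	tampered.Image = append([]byte("x"), good.Image[1:]...)
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))
}
```

Two design points matter for the Mirai scenario. The password is generated per unit from the kernel's CSPRNG and only ever exists on the label and in the device's credential store, so a leaked manual or a scanned serial number gives an attacker nothing. The updater checks the signature before it looks at the version field, and binds the version into the signed data, so an attacker who can spoof the update server cannot serve an old vulnerable build under a new version number.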
“We haven’t completed and certified any of those devices as of yet,” said UL principal engineer Ken Modeste. The first quarter of 2017 looks like the earliest possible time for retail availability of gadgets carrying the new label.
UL’s tests will grade gadgets both on their features and their manufacturers’ systems for verifying their security and shipping patches for them.
It won’t, however, require automatically installed updates, without which many security fixes will linger on servers or in the “Download” folders on users’ computers. That will have to wait for the second version of this standard — which, Modeste said, “we’re now starting to develop.”
If you were about to ask “isn’t it illegal to ship hardware this insecure,” the answer is “not necessarily.” We don’t have product-safety regulations for IoT devices like those that protect our food, our air travel and, more recently, our financial instruments.
Security expert Bruce Schneier wrote at Vice’s Motherboard site three weeks ago — before the Dyn attack — that the Feds had to step in. He wrote: “The economics of the IoT mean that it will remain insecure unless government steps in to fix the problem.”
The government has, in fact, taken action already. The Federal Trade Commission has been studying this problem (its 2015 report on IoT security and privacy now looks prophetic) and has used its existing authority to pursue some firms for egregious failings.
In 2014 and 2016, the FTC secured settlements from the camera vendor Trendnet and the router manufacturer Asustek for misleading customers about their devices’ security, deceptive conduct being something the FTC can already punish.
In a phone interview Tuesday, FTC commissioner Terrell McSweeny reiterated that approach as well as the agency’s more recent requests that Congress expand its limited ability to fine offenders. “It would be helpful if the FTC had civil penalty authority,” she said.
Until that happens, the FTC will continue to urge companies to do better and bring cases against those who don’t or won’t. And potential IoT shoppers — McSweeny included — will have to continue to be wary.
TechDailyTimes is a web blog devoted to technology, science, research and development and everything related to new technological breakthroughs. Our aim is to cover technology news on a daily basis. Articles on technology contained in this blog may concern science news, tech news, applied technology, gadgets, devices etc. All blog entries are published 'as is'. TechDailyTimes waives any responsibility, expressed or implied, in regard to any material published in the blog. Opinions expressed by our authors may contradict the official positions of the TechDailyTimes administration.