Virginia Senator Mark Warner (D), who is the co-founder of the Senate Cybersecurity Caucus and a member of the Senate Select Committee on Intelligence, sent a letter to three governmental agencies (FTC, FCC, and DHS) asking them what they can do about the recent IoT DDoS attacks and other related threats.
DoS Attacks Getting Stronger, Quickly
As seen with the recent massive DDoS attacks that have surpassed the terabit per second (Tbps) bandwidth limit, DDoS attacks are becoming an increasingly higher risk to internet services companies, and to the internet's infrastructure in general.
“The weak security of many of the new connected consumer devices provides an attractive target for attackers, leveraging the bandwidth and processing power of millions of devices, many of them with few privacy or security measures, to swamp internet sites and servers with an overwhelming volume of traffic,” said Sen. Warner in an article on his personal Senate page.
“I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers,” he added.
Things are likely going to get much worse before they get better, because we’re probably still a few years away from most IoT manufacturers taking the security of their devices much more seriously. They need to build the necessary infrastructure to support that new level of security.
In the meantime, many new insecure IoT devices are thrown on the market for consumers to buy, continuously expanding the potential for stronger DDoS attacks. Innovative new amplification techniques for DDoS could also make these attacks even stronger by at least an order of magnitude.
The botnet software that has been used in the past few massive DDoS attacks was open sourced under the name of "Mirai," which means it should now be even easier for malicious actors to use botnets or create their own forked versions.
The United States Computer Emergency Readiness Team (US-CERT) seems to have already identified a new family of malware, which is similar to Mirai, infecting vulnerable IoT devices. That means we may see further development of more effective and more resilient botnets in the future.
IoT Security, A “Tragedy Of The Commons”
When the outlook for internet resilience is this dire, it seems government intervention to set some baseline standards for IoT security may be imminent. The European Union is already considering a labeling/rating system that would at least give consumers the opportunity to know which products are more secure.
However, this will likely be an insufficient solution, because when people buy their smart coffee maker or smart fridge, their first thought likely isn’t that it needs to be protected against being taken over by DDoS-creating botnets.
Individual consumers who buy IoT devices aren’t usually directly impacted by a DDoS attack, though. Their devices may upload a little more data when the botnet sends some packages to the DDoS target, but otherwise they may work just as well as they normally do.
Therefore, ensuring that most IoT devices that are being sold on the market are secure shouldn’t rely solely on the consumers. The consumers themselves won’t be able to put enough pressure on manufacturers to secure their devices simply because they wouldn’t be the ones most affected by the botnets taking over their devices.
Senator Mark Warner called this a “tragedy of the commons,” which is an economic theory about a situation where individuals would act in their own self-interest to the detriment of the common good.
“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” said Senator Warner in his letter to the three federal agencies.
“And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.
Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none.
Further, buyers have little recourse when, despite their best efforts, security failures occur,” added Warner in his letter.
ISP-Level Blocking Of “Zombie” IoT Devices
Senator Warner noted also noted that under the FCC’s Open Internet rules, ISPs aren’t allowed to block “non-harmful” devices from their networks. However, they should be able to block harmful ones, such as the infected IoT devices participating in DDoS attacks, also called “zombie” devices.
Such an action might be a potential solution to the increasingly larger and rapidly evolving DDoS problem. It would not only disrupt DDoS attacks (assuming the ISPs are quick enough to react to them), but it might also hurt the image (and later the sales of) IoT manufacturers, whose devices would then be blocked from using the internet.
If consumers learn that the devices they bought from a manufacturer are no longer connected to the internet because they had security vulnerabilities that allowed them to be taken over by a DDoS-creating botnet, they might choose a different, more secure brand next time they buy a similar product. This is also where a good security rating system for IoT devices would be welcome.
That potential damage to their image and future sales could become the incentive IoT manufacturers need to invest heavily in security their devices. Government-mandated recalls could be another, stricter, alternative solution that should have a similar impact. However, IoT device makers will likely agree to do whatever is necessary to avoid that highly expensive scenario.
Preventing Censorship, Extortion, And Disruption Of Economic Activity
These solutions are not ideal, as abuses or other problems could arise from these actions, and they are also not the only possible solutions for dealing with DDoS attacks. However, they may be the most effective ones in stopping damaging DDoS attacks in the near future, and in accelerating the security of new IoT devices.
Massive DDoS attacks could be used as censorship tools against sites such as Reddit and Twitter, but they can also be used to target financial services sites such as PayPal--or government services, or any other website--for the purpose of extortion. This is why customers of IoT devices, who may mainly care whether the device works properly and has all the features they need, can’t be the only ones putting pressure on manufacturers to improve security.