U.S. Senator Calls On Federal Agencies To Improve IoT Device Security, Stop DDoS Attacks

Virginia Senator Mark Warner (D), who is the co-founder of the Senate Cybersecurity Caucus and a member of the Senate Select Committee on Intelligence, sent a letter to three governmental agencies (FTC, FCC, and DHS) asking them what they can do about the recent IoT DDoS attacks and other related threats.

DoS Attacks Getting Stronger, Quickly

As seen with the recent massive DDoS attacks that have surpassed the terabit per second (Tbps) bandwidth limit, DDoS attacks are becoming an increasingly serious risk to internet service companies, and to the internet's infrastructure in general.

“The weak security of many of the new connected consumer devices provides an attractive target for attackers, leveraging the bandwidth and processing power of millions of devices, many of them with few privacy or security measures, to swamp internet sites and servers with an overwhelming volume of traffic,” said Sen. Warner in an article on his personal Senate page.

“I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers,” he added.

Things are likely going to get much worse before they get better, because we’re probably still a few years away from most IoT manufacturers taking the security of their devices much more seriously. They need to build the necessary infrastructure to support that new level of security.

In the meantime, many new insecure IoT devices are thrown on the market for consumers to buy, continuously expanding the potential for stronger DDoS attacks. Innovative new amplification techniques for DDoS could also make these attacks even stronger by at least an order of magnitude.

The botnet software that has been used in the past few massive DDoS attacks was open sourced under the name of "Mirai," which means it should now be even easier for malicious actors to use botnets or create their own forked versions.

The United States Computer Emergency Readiness Team (US-CERT) seems to have already identified a new family of malware, which is similar to Mirai, infecting vulnerable IoT devices. That means we may see further development of more effective and more resilient botnets in the future.

IoT Security, A “Tragedy Of The Commons”

When the outlook for internet resilience is this dire, it seems government intervention to set some baseline standards for IoT security may be imminent. The European Union is already considering a labeling/rating system that would at least give consumers the opportunity to know which products are more secure.

However, this will likely be an insufficient solution, because when people buy their smart coffee maker or smart fridge, their first thought likely isn’t that it needs to be protected against being taken over by DDoS-creating botnets.

Individual consumers who buy IoT devices aren’t usually directly impacted by a DDoS attack, though. Their devices may upload a little more data when the botnet sends some packets to the DDoS target, but otherwise they may work just as well as they normally do.

Therefore, ensuring that most IoT devices that are being sold on the market are secure shouldn’t rely solely on the consumers. The consumers themselves won’t be able to put enough pressure on manufacturers to secure their devices simply because they wouldn’t be the ones most affected by the botnets taking over their devices.

Senator Mark Warner called this a “tragedy of the commons,” which is an economic theory about a situation where individuals would act in their own self-interest to the detriment of the common good.

“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” said Senator Warner in his letter to the three federal agencies.

“And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.

“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none.

“Further, buyers have little recourse when, despite their best efforts, security failures occur,” added Warner in his letter.

ISP-Level Blocking Of “Zombie” IoT Devices

Senator Warner also noted that under the FCC’s Open Internet rules, ISPs aren’t allowed to block “non-harmful” devices from their networks. However, they should be able to block harmful ones, such as the infected IoT devices participating in DDoS attacks, also called “zombie” devices.

Such an action might be a potential solution to the growing and rapidly evolving DDoS problem. It would not only disrupt DDoS attacks (assuming the ISPs are quick enough to react to them), but it might also hurt the image (and later the sales) of IoT manufacturers whose devices would then be blocked from using the internet.

If consumers learn that the devices they bought from a manufacturer are no longer connected to the internet because they had security vulnerabilities that allowed them to be taken over by a DDoS-creating botnet, they might choose a different, more secure brand next time they buy a similar product. This is also where a good security rating system for IoT devices would be welcome.

That potential damage to their image and future sales could become the incentive IoT manufacturers need to invest heavily in securing their devices. Government-mandated recalls could be another, stricter, alternative solution that should have a similar impact. However, IoT device makers will likely agree to do whatever is necessary to avoid that highly expensive scenario.

Preventing Censorship, Extortion, And Disruption Of Economic Activity

These solutions are not ideal, as abuses or other problems could arise from these actions, and they are also not the only possible solutions for dealing with DDoS attacks. However, they may be the most effective ones in stopping damaging DDoS attacks in the near future, and in accelerating the security of new IoT devices.

Massive DDoS attacks could be used as censorship tools against sites such as Reddit and Twitter, but they can also be used to target financial services sites such as PayPal--or government services, or any other website--for the purpose of extortion. This is why customers of IoT devices, who may mainly care whether the device works properly and has all the features they need, can’t be the only ones putting pressure on manufacturers to improve security.

  • skit75
    Spouse A: Ohh look dear... this toilet paper dispenser only has a $300.00 annual firewall subscription!
    Spouse B: That must be on sale, GRAB IT! As long as we let the manufacturer know how much we wipe and agree to the 3rd party marketing flea-poop print, the first year is actually only $150.00!
  • InvalidError
    A "limit" implies that it wasn't meant or believed to be possible to beat. 1Tbps DDoS isn't a limit, it is a milestone or a new high-water mark that will inevitably get surpassed at some point in the future as more bandwidth becomes available at the network edge and more potential victim devices come online.
  • falchard
    Honestly, when I saw it was a Democrat Senator proposing regulations on the Internet in the vein of added security, I expected something idiotic. He at least makes some sense that ISPs should not be forced to allow all traffic through their networks. Aside from that he didn't propose anything like requiring certain features, or having computer assemblers get a certification, which is positive. He just asked for ideas from this business sector. So suffice to say I can't say how dumb it is until legislation is written.
    The only thing I can say is that he misunderstands the "Tragedy of the Commons" in terms of economics. It only applies to a limited resource that is open to public consumption. The tragedy of the commons is mostly eliminated when the resource is owned privately. It would be difficult to apply the theory to internet security and DDoS attacks.