Senator Wants to Classify Insecure Internet of Things Devices As 'Harmful'
Sen. Mark Warner is asking the FCC whether poorly secured Internet of Things devices should not be allowed on the internet.
Image: Matt Baume/Flickr
A massive attack carried out with a zombie army of hacked internet-connected devices caused intermittent outages on Friday, preventing tens of thousands of people from accessing popular sites such as Twitter, Reddit, and Netflix.
For many security experts, an attack like that one, which leveraged thousands of easy-to-hack Internet of Things such as DVRs and surveillance cameras—weaponized thanks to a mediocre but effective malware known as Mirai—is just a sign of things to come.
That's why Sen. Mark Warner (D-Va.) wants the US government to do something about it.
The Senator warned of the dangers the internet is facing due to the seemingly unstoppable proliferation of Internet of Things devices in a letter he sent on Tuesday to the Federal Communications Commission, the Federal Trade Commission, and the Department of Homeland Security National Cybersecurity & Communications Integration Center (NCCIC).
As more "dumb devices," as Warner described them in a phone call with Motherboard, get connected to the internet, a distributed denial of service attack like the one last week "could take our economy to a halt and also sow seeds of insecurity."
Considering these risks, Warner is asking the FCC, the FTC and DHS a series of questions on what could possibly be done to encourage manufacturers to take security more seriously. (A company that made some of the cameras hijacked by the Mirai malware and used in the recent attacks announced a recall this week.)
"We are witnessing a 'tragedy of the commons' threat to the continued functioning of the internet."
"Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support. And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics," Warner wrote in his letter to the FCC. "Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a 'tragedy of the commons' threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none."
One of Warner's ideas is to label insecure devices as "harmful" to the internet, and perhaps allow internet service providers block them or prevent manufacturers from selling them in the US. In the interview, Warner stressed that he's just asking questions for now, and that such a classification would probably fall under the umbrella of Net Neutrality regulations, but it's something worth considering.
"Under the Federal Communications Commission's (FCC's) Open Internet rules, ISPs cannot prohibit the attachment of 'non-harmful devices' to their networks," Warner wrote. "It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the 'network.'"
Asked about Warner's letter, an FCC spokesperson simply said the agency received it and it's reviewing it.
The Senator also raised the idea of some sort of "seal of approval" or some kind of certification that will tell consumers whether the device they are about to buy is safe, or at least meets certain minimum security requirements.
Regardless of what solution is the ideal one, given that some analysts believe we might have 20 billion or even 38 billion of "things" on the internet by 2020, one thing is for sure, somebody needs to do something.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.