By Conor L. McSweeney
The cybersecurity industry and policy experts have been warning about the dangers posed by Internet of Things (IOT) devices to the larger internet ecosystem in recent years, but they were lacking a prime example that exposed its vulnerability. That changed following two recent major attacks that showcased the immense damage the IOT devices could inflict when hackers are able to take over these devices and attack digital properties on the web. The first attack occurred September 22, 2016, against renowned cybersecurity blogger Brian Krebs with a 620 Gbps (gigabits per second) of attack traffic pounding his “Krebs On Security” blog site with one of the largest known Distributed Denial of Service (DDoS) attacks on the internet to date. The second attack was against Dyn, a global provider of Domain Name Server solutions, equivalent to a phone book look-up for websites that occurred on October 21, 2016, resulting in some of the largest internet properties in the world, such as Reddit, Netflix and Twitter, being offline for prolonged periods of time. The culprit for both of these attacks, either in whole, or at least in part, appears to be the Mirai botnet.
A botnet is a network of interconnected computers infected with malware that are controlled, without the owner’s knowledge, by malicious online actors for mostly criminal activities. The uniqueness of the Mirai (Japanese for “future”) botnet is that it consists mostly of IOT digital video recorders (DVRs) and video cameras, rather than traditional laptop or desktop devices that are manufactured mostly in China and sold into the marketplace with weak or nonexistent password protections. The Mirai source code scans and searches the far reaches of the web for IOT devices connected to the internet that still have the factory default username and passwords, and inducts them into a weaponized botnet. Once under the command of the criminal hackers, they then focus the thousands of IOT devices on the desired target all at once, flooding the web site with fictitious traffic not representative of actual users trying to access the site. To make matters worse, the Mirai source code was posted in a hacker forum on the dark web shortly after the Krebs attack and can now be utilized by a wide range of malicious actors. While DDoS attacks have been around for a while and have evolved to take various forms, the factor most concerning to cybersecurity industry and policy experts is the magnitude and sheer brute force of the Mirai botnet.
Xiongmai Technologies is one of the Chinese manufacturers whose IOT video cameras are especially susceptible to conscription under Mirai due to weak username and password controls that are issued straight from the factory. Despite initial protestations, Xiongmai eventually announced a recall of up to 4,300,000 IOT cameras that contained this security flaw, although they maintain that the main problem is that consumers who purchase their devices are not changing the default passwords as recommended. The recall, however, did not stop the Chinese Ministry of Justice, sensitive to being blamed for a problem on such a global scale, from issuing a press advisory threatening legal action against all organizations and individuals making false claims about the security of devices manufactured in China. The Chinese government blamed customers for not changing their passwords and appeared publicly ambivalent to the actual problem of cracking down on the Mirai botnet’s power. The IOT market share for Chinese companies has soared over the last few years in the IOT market for inexpensive internet-connected video cameras and DVRs, but at the moment, the Chinese government seems more concerned with saving face than correcting the problems with the devices. However, the vulnerability of IOT devices is far from being exclusively a Chinese problem, and other governments around the world must grapple with the correct approach to regulating the industry.
There are varying prognostications of the size of the IOT marketplace, but most project internet connected devices to increase from the current five to six billion devices to twenty billion devices by 2020. The European Commission is considering legislation, in part as a reaction to Mirai, at its next session to amend European Union (EU) Telecoms law and impose stringent industry-wide security standards. The EU’s overriding concern has traditionally been maintaining the privacy of its citizens, which easily translates to the issue of preventing IOT devices from being easily hacked. Another area of IOT regulation the EU will likely consider is the rights that businesses will have to commercialize the personal data harvested from IOT devices. The EU likely sees these business regulations on personal data as another means of protecting its citizens’ privacy, as they do not see hackers exploiting the security of consumer devices as the only threat to privacy. The EU traditionally does a follow-through on proposed privacy regulation, although it may take some time to move through the complex bureaucratic process, but devices like the video cameras manufactured by Xiongmai will not likely have access to the European Union market much longer if they refuse to comply with enacted EU standards.
Legislators in the United States have also noticed the vulnerability of IOT devices and the urgency for meaningful regulation. Senator Mark Warner (D-Virginia) is heavily advocating for the Federal Communications Commission (FCC) to exercise its rulemaking rights under the Administrative Procedure Act to begin imposing regulations on IOT devices that are vulnerable to exploitation via botnets like Mirai. Citing the Dyn attack, Senator Warner called on the FCC to improve the cybersecurity standards for internet connected devices because of the ease with which the DVRs and cameras under the control of Mirai were able to be exploited and used for malicious actions. Senator Warner also noted the economic threat like when the Mirai attack on Dyn brought down some of the most heavily trafficked sites on the web for hours at a time, costing millions in lost revenue for those companies. In the House of Representatives, Reps. Frank Pallone Jr. (D-New Jersey) and Jan Schakowsky (D-Ilinois) wrote a letter to the Federal Trade Commission (FTC) urging it to use its regulatory powers available to remove from the commercial marketplace IOT devices with weak password protections like the ones used in Mirai. In addition to causing businesses to adopt improved security standards for password protections of IOT devices, Pallone and Schakowsky also advocated for the FTC to reach out to consumers for education and information on best practices for protecting IOT devices. There is an argument that providing more information to consumers regarding IOT vulnerability will help resolve the issue because they will be less likely to purchase IOT devices if they know their information can be stolen and their devices hijacked by hackers.
The FTC and FCC are both unlikely to take any immediate action on this pressing issue during the lame duck period before President-elect Trump’s inauguration January 20, 2017. There will also be additional time before new leaders of the agencies aligned with President-elect Trump’s vision are appointed and develop their regulatory priorities. Proposing regulations, holding hearings and discussing the issues with industry experts and concerned citizens is a lengthy undertaking, and it would be surprising if this issue gets addressed during the first year of President-elect Trump’s term. There are also conflicting agendas conceivably at play where President-elect Trump intends to be tough on national security issues while also promoting business-friendly policies. In fact, President-elect Trump has made it a key component of his first hundred days in office plan to require each new regulation result in the removal of two existing regulations. It is difficult to determine whether this regulation policy would extend to the realm of cybersecurity since that falls within the broader national security spectrum, which is expected to be an important focus of the Trump administration. While US manufacturers in the IOT market might be subjected to regulation where it did not exist before through FTC and FCC action, cybersecurity businesses and industry experts are aligned in their desire to close out vulnerabilities in the IOT market exposed by Mirai. Ultimately, the country’s security interest in protecting consumer access to the internet and the business interest in protect arguably the greatest economic engine in the United states will supersede any partisan posturing and hopefully result in meaningful security standards imposed upon manufacturers in the exploding IOT market.
Student Bio: Conor is a staff member of the Journal of High Technology Law. He is currently a third-year evening student at Suffolk University Law School and works full time in the corporate legal department of a cloud technology company. He possesses a B.A in Political Science from Siena College with a minor in English.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.