[WASHINGTON, DC] – After a “botnet” hack against an internet routing company shut down an array of popular websites like Amazon, PayPal, The New York Times, and Twitter, U.S. Senator Richard Blumenthal (D-CT) called on the Federal Trade Commission (FTC) to take aggressive action to ensure that Internet connected devices – like security cameras and printers – meet basic security standards that could prevent the next cyberattack.
“While unprecedented, this episode was hardly unpredictable and could just be a preview of what’s to come if aggressive action is not taken to secure Internet connected devices. Too many IoT devices today remain shockingly deficient in basic security standards, making it far too easy for this kind of distributed denial-of-service attack to occur,” Blumenthal wrote in a letter today to FTC Chairwoman Edith Ramirez.
Blumenthal called attention to “companies that don’t prompt users to immediately change passwords, use obvious default passwords, or keep open risky communication ports as the default” and urged FTC scrutiny of such lax manufacturers.
Blumenthal also asked the agency to consider methods to better coordinate the timely recall of products that lack basic security or privacy standards. Although other federal agencies have the authority to recall unsafe food or consumers products, “there is no entity that currently coordinates or incentivizes the timely recall of products that do not necessarily pose a threat to health or safety, but may threaten personal privacy or national security.”
In May, Blumenthal joined U.S. Senators Sheldon Whitehouse (D-RI) and Lindsey Graham (R-SC) in introducing the Botnet Prevention Act to provide law enforcement and the courts expanded power to disrupt botnets—networks of infected computers used to commit cybercrime—and hold accountable those who create and use them.
Botnets are formed by infecting computers of unsuspecting users with malware that grants the originator of the infection complete control over the machine. By commanding hundreds, thousands, or even millions of computers at once, hackers are able leverage a powerful network of compromised computers while concealing their true identity. Botnets facilitate a wide range of criminal activity, including the theft of personal and financial information, intrusions into online bank accounts, and identity theft on a massive scale. Hackers have also been known to sell or lease the use of their botnets to others engaged in cybercrime.
According to estimates compiled by the U.S. Department of Justice, botnets infect 500 million computers each year—or 18 victims per second. They have caused over $9 billion in losses to victims in the United States and over $110 billion in losses globally.
The full text of today’s letter is available here and copied below.
November 3, 2016
The Honorable Edith Ramirez
Chairwoman, Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20530
Dear Chairwoman Ramirez:
Investigators now believe that the recent hack against the internet routing company Dyn was powered by multiple massive “botnets” comprised of vulnerable Internet of Things (IoT) devices. This attack, which shut down an array of popular websites and services, including Amazon, PayPal, The New York Times, and Twitter, severely disrupted the economy, consumer access to news and entertainment, and could have endangered public safety. While unprecedented, this episode was hardly unpredictable and could just be a preview of what’s to come if aggressive action is not taken to secure Internet connected devices. Too many IoT devices today remain shockingly deficient in basic security standards, making it far too easy for this kind of distributed denial-of-service attack to occur. As Ranking Member of the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, I write to ask you to hold accountable any IoT manufacturers that fail to implement reasonable security standards, and could therefore be complicit in the next attack.
Malicious botnets operate by commandeering tens of thousands of vulnerable internet-connected devices and directing them to conduct criminal activity unbeknownst to the consumer. Such activity can include theft of sensitive personal and financial information, intrusions into online bank accounts, identity theft, or, as happened in this most recent attack, the take down of websites. Botnets, which thrive off of poorly protected IoT devices, cause more than $9 billion in harm to victims according to data gathered by the Department of Justice.
One common strategy for hackers seeking to spread malicious malware and create botnets is to exploit common username and password pairs to gain access to a device. For example, devices that have “password” as their default password are easy to unlock. In an article uncovering who makes the IoT devices being used by botnets, security reporter Brian Krebs was able to link many of the devices to brand name companies that sell products in the United States. He did this by matching to the respective IoT device maker, the 68 factory default username and password pairs contained in the source code of the “Mirai” botnet likely used in the recent attack. According to security researchers, the passwords on some of these IoT devices were hard-coded into the firmware and cannot even be remedied through a software patch or firmware update. Even if the password can be changed, many devices do not automatically prompt users to change the default password. Companies that don’t prompt users to immediately change passwords, use obvious default passwords, or keep open risky communication ports as the default, may not be taking reasonable steps to provide security. Companies that neglect to implement such basic security standards, leaving their customers and the internet so openly vulnerable to attacks, deserve FTC scrutiny.
Thus, it is incumbent upon the FTC to examine and identify whether any IoT manufacturers with username password pairs that can be exploited by botnets also sell products in the United States that are so deficient in basic security standards that it warrants an aggressive and thorough investigation by the Commission. I encourage you to use the guidance you published in January 2015 to assess whether manufacturers implemented reasonable security standards. Even though many of the IoT devices conscripted into the recent attack may have originated from overseas, strong FTC action can help improve the security standards of IoT products around the world since the United States is such a significant market.
In addition, I respectfully ask for feedback on any creative remedies to rapidly remove from shelves and homes insecure products that cannot be updated without changing the hardware. As you know, the Food and Drug Administration coordinates recalls unsafe food and drugs; the Consumer Product Safety Commission, recalls of consumer products that pose a threat to health and safety. However, there is no entity that currently coordinates or incentivizes the timely recall of products that do not necessarily pose a threat to health or safety, but may threaten personal privacy or national security. Furthermore, more publicized recalls of such insecure products could heighten consumer awareness regarding security risks associated with IoT devices and will encourage and educate consumers to look for adequate security in the products they purchase.
Thank you for your prompt attention to this critical and undoubtedly growing problem as more of our everyday products become connected to the Internet. I look forward to hearing your response.