The Internet of Things (IoT) industry might want to find ways to combat botnets such as Mirai, because if they don’t, the government might try to do it for them.
Senator Mark Warner (D-VA) fired a cluster of questions at the FCC today, suggesting a few ways the agency could get involved in preventing IoT botnets or at least mitigating the damage.
Warner sent similar missives to the Federal Trade Commission (FTC) and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center (NCCIC). The FCC letter is the one that happens to be publicly available.
DDoS attacks have been happening for decades, but recent high-profile events, such as last week’s attack on domain name service (DNS) provider Dyn, have called attention to the magnified scope of DDoS that’s possible thanks to IoT.
Mirai, in particular, was used for a DDoS attack of record-breaking size against the KrebsOnSecurity site. Mirai was also a contributor to the Dyn attack, the size of which has not been disclosed.
Mirai consists of hundreds of thousands of compromised IoT devices. Cameras using firmware from Chinese supplier Hangzhou Xiongmai Technology make up some portion of Mirai, as they’ve got factory-installed passwords that grant access through non-web-based protocols.
Xiongmai has issued a recall for some of its products, particularly webcams, and has issued a software patch for products made before April 2015, Reuters reported yesterday. But the company denied that products using its software made up the majority of Mirai’s army.
What Can the FCC Do?
Some of Senator Warner’s questions to the FCC suggest that service providers could play a role in botnet mitigation. For example, one question is: “Would it be a reasonable network management practice for ISPs to designate insecure network devices as ‘insecure’ and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses?”
Most of his questions, though, have more to do with altering manufacturers’ and consumers’ behavior — creating minimum technical security standards for manufacturers, for instance, or finding ways to cajole users into applying software upgrades.
The flaw in that line of thinking is that neither the buyer nor the seller of IoT devices is affected by a botnet such as Mirai, as security consultant Bruce Schneier pointed out in a blog entry last month:
Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features.