Sen. Mark Warner on Tuesday sent a letter to the chairman of the FCC expressing concern about the emergence of the Mirai botnet and asking whether ISPs should have the ability to prevent compromised IoT devices from connecting to their networks.
In his letter, Warner (D-Va.) said that the weak security of many embedded devices is at the heart of the success of Mirai, and pointed to poor security practices in the global supply chain as a big part of the problem. Warner, a leader of the Senate Cybersecurity Caucus, echoed concerns that many security experts have raised about IoT devices and the effect that their lax security can have not just on their users, but on the Internet in general.
“Mirai’s efficacy depends, in large part, on the unacceptably low level of security inherent in a vast array of network devices. Attackers perform wide-ranging scans of IP addresses, searching for devices with poor security features such as factory default or hard-coded (i.e., unchangeable) passwords, publicly accessible remote administration ports (akin to open doors), and susceptibility to brute force attacks,” Warner said in his letter to FCC Chairman Thomas Wheeler.
“In my June 6th letter to the Federal Trade Commission (FTC), I raised serious concerns with the proliferation of these insecure connected consumer products, noting that the ‘ever-declining cost of digital storage and internet connectivity have made it possible to connect an unimaginable range of products and services to the Internet,’ potentially without adequate market incentives to adopt appropriate privacy and security measures.”
Warner points to the FCC’s Open Internet rules, adopted last year, which say that ISPs can’t block access to “non-harmful devices”. There’s no clear definition of what a harmful device is, but Warner asks in his letter to Wheeler whether network providers should be able to stop compromised devices that are being used in an attack from connecting to their networks.
“It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the ‘network’ – whether the ISP’s own network or the networks to which it is connected. While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area,” the letter says.
The idea of denying insecure computers the ability to connect to a given network has been floating around the security industry for a long time. Some enterprises enforce minimum patch levels or other updates for machines connecting to their networks, but that policy is more controversial for broadband providers whose customers are paying for access. Warner asks in his letter to Wheeler whether ISPs should have the power to identify and block insecure devices on their networks.
“Would it be a reasonable network management practice for ISPs to designate insecure network devices as ‘insecure’ and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses? Would such practices require refactoring of router software, and if so, does this complicate the feasibility of such an approach?” Warner asks.
Warner also sent similar letters to the chairs of the Federal Trade Commission and Department of Homeland Security on Tuesday.