In the wake of October’s Distributed Denial of Service (DDoS) attack that used hundreds of unsecured devices to prevent access to a number of U.S. websites, Reps. Frank Pallone, D-N.J., and Jan Schakowsky, D-Ill., wrote a letter to Federal Trade Commission (FTC) Chairwoman Edith Ramirez asking that her agency take action to ensure greater security of Internet of Things (IoT) devices.
“It is time for the FTC to strongly reinforce to both consumers and device manufacturers the need to adopt strong security measures,” Pallone and Schakowsky wrote.
Because the October hackers were able to use default usernames and passwords on approximately 400,000 IoT devices to launch their attack, the representatives requested that the FTC alert consumers to the dangers of using default passwords and work with device manufacturers to increase security and make password changes part of the device setup process.
“Most consumers whose devices were used in the recent DDoS attack or similar attacks will never know that their devices were accessed. Without their owners’ knowledge, the unsecured devices allow hackers to control their use and possibly learn private information about their owners. For example, a hacker may hijack a consumer’s home Web camera to learn intimate details of what is going on within the owner’s residence,” Pallone and Schakowsky wrote.
The representatives also expressed concern over devices with hardwired default credentials, which do not allow consumers to manually change the username or password.
The FTC has published warnings about device security before, in both a 2013 article on using IP cameras safely and a 2015 report on why device manufacturers should require consumers to change passwords from the default.
“While the FTC’s past warnings are commendable, they are insufficient in the current environment. The FTC has published no additional warnings or advice to consumers in light of the October 21 DDoS cyberattack. An incident that security experts have labeled ‘historic’ coupled with the rapid proliferation of IoT devices raises these issues with renewed urgency. It is time for the FTC to strongly reinforce to both consumers and device manufacturers the need to adopt strong security measures,” Pallone and Schakowsky wrote.