Recent attempted cyberattacks that used Internet of Things (IoT) devices to effect the attempted attacks have led to growing concern within the federal government over the security of such devices and the potential such devices have to launch future attacks.
On October 25, Senator Mark Warner (D-VA), a member of the Senate Select Committee on Intelligence, wrote a letter to Federal Communications Commission (FCC) Chairman Tom Wheeler asking Chairman Wheeler to respond to a series of questions regarding the tools needed to prevent cyberattacks using IoT devices. Senator Warner sent similar inquiries to the Federal Trade Commission (FTC) and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center.
On October 26, the Federal Bureau of Investigation (FBI) issued a bulletin to private companies warning that online attacks using IoT devices will likely continue. Although this bulletin is not available publicly, an FBI spokeswomen stated that “[i]n furtherance of public-private partnerships, the FBI routinely advises private industry of various cyberthreat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cybercriminals.”
Further, on November 3, Representatives Frank Pallone, Jr. (D-NJ) and Jan Schakowsky (D-Ill), the ranking members of the House Committee on Energy and Commerce and its Subcommittee on Commerce, Manufacturing, and Trade, respectively, wrote a letter to FTC Chairwoman Edith Ramirez urging the FTC to take action to increase the security of IoT devices in order to prevent future cyberattacks. According to the letter, the FTC should ensure that IoT device manufacturers implement stronger security measures, including patching any vulnerabilities that may exist in IoT devices that are currently on the market and requiring customers to change default passwords during the setup process of any IoT device. The representatives also noted that the FTC should issue an alert to consumers regarding the security risks posed by continuing to use default passwords on IoT devices.
Although it is unclear whether any of these agencies will take action, companies and consumers should be aware of the potential cybersecurity threat IoT devices pose.
We will provide updates as new information becomes available.