Reps. Frank Pallone, D-N.J., and Jan Schakowsky, D-Ill., wrote a letter on Thursday to Federal Trade Commission (FTC) Chairwoman Edith Ramirez urging the agency to take action to protect consumers from insecure Internet of Things (IoT) devices.
This comes in the wake of the recent distributed denial of service (DDoS) attack that prevented access to several highly trafficked websites. The lawmakers called on the FTC to compel IoT manufacturers to implement stronger security measures, including a requirement that consumers change default passwords, patch vulnerabilities and initiate consumer education about security risks posed by insecure IoT devices.
Mirai, the botnet used in the DDoS attack, continually scans the internet for poorly secured devices, and managed to connect to almost 400,000 IoT devices with a list comprised of just 60 default usernames and passwords. This allowed them flood the affected websites with junk traffic, to the detriment of legitimate users trying to gain access.
Such attacks will become more commonplace, unless IoT manufacturers take action now to better secure devices, the lawmakers warned. They also faulted the FTC for not issuing any warnings regarding the risks posed by IoT devices after the DDoS attack, especially in light of the proliferation of IoT devices.
In certain instances, consumers do not have the option of securing their devices since some manufacturers actually hard-wire in default passwords, meaning only the manufacturers have the ability to secure and update such devices.
“The FTC should immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures to best protect consumers from cyberattacks,” wrote the lawmakers.
“Future devices should not be sold in U.S. streams of commerce with deficient security mechanisms,” they added.