Pallone & Schakowsky Urge FTC to Strengthen Security of IoT Devices Following Recent Cyberattack

November 3, 2016

Agency Must Warn Businesses and Consumers of Risks of Default Passwords

Energy and Commerce Ranking Member Frank Pallone, Jr. (D-NJ) and Commerce, Manufacturing, and Trade Subcommittee Ranking Member Jan Schakowsky (D-IL), today sent a letter to Federal Trade Commission (FTC) Chairwoman Edith Ramirez urging the agency to take action to protect consumers from insecure Internet of Things (IoT) devices following last month’s cyberattack that caused prolonged outages on popular websites across the U.S.

Compromised IoT devices were instrumental in the October 21 cyberattack. Mirai, the botnet used to orchestrate the attack, scanned the internet for poorly secured devices and leveraged them to produce junk traffic that left websites inaccessible for legitimate users. Mirai was able to connect to an estimated 400,000 IoT devices using just 60 default usernames and passwords. Security experts have warned that similar attacks will continue to occur if device manufacturers do not take steps to secure their devices.

“It is time for the FTC to strongly reinforce to both consumers and device manufacturers the need to adopt strong security measures,” Pallone and Schakowsky wrote in their letter to Chairwoman Ramirez. “First, the FTC should call on IoT device manufacturers to implement security measures, including patching vulnerabilities and requiring consumers to change the default passwords on devices during the set-up process. Second, the FTC should alert consumers to the security risks posed by continuing to use default passwords on IoT devices.”

A recent survey found that half of respondents were either unaware of or had chosen not to change the default passwords on their home internet routers. While the FTC has previously encouraged consumers to change default passwords on connected devices, the two Democratic Committee leaders wrote that additional warnings are necessary.

Unfortunately, in some instances, consumers do not have the option of securing their own devices because manufacturers have chosen to hard-wire in default passwords. For these devices, only the manufacturer has the ability to update and secure the device.

Pallone and Schakowsky asked that the FTC immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures to best protect consumers from cyberattacks.

While companies are ultimately responsible for manufacturing secure products, consumers can also take a number of steps to make the devices in their homes more secure:

· Consumers should check their owner manuals or with manufacturers on how to change the default passwords on existing connected devices in their home.
· Just like consumers periodically change the batteries in their smoke detectors, they should plan to change passwords on a periodic basis.
· When purchasing new connected devices, consumers should ensure prior to purchase that the default passwords can be changed by the consumer.

A copy of the letter is available here.