They blocked Netflix, but regulating insecure smart devices is a ‘last resort’


A computer display showing a live visualization of the online phishing and fraudulent phone calls across China during the 4th China Internet Security Conference (ISC) in Beijing.

It seems the banal world of baby monitors and webcams is all it takes to bring down our most popular websites these days.

So, what should we do about it? Well, we shouldn’t regulate, at least not yet, according to the Australian government.

At an address at the National Press Club in Canberra Wednesday, Minister Dan Tehan, who assists the prime minister with cyber security, said the government would regulate smart devices to ensure adequate security only as a “last resort.”

The option may have to be exercised sooner rather than later, however. In late October, major sites like Twitter, Netflix and Spotify were left briefly inaccessible after thousands of insecure internet-connected devices were hijacked and used to funnel a stream of malicious traffic at the domain name system (DNS) provider, Dyn.

By knocking out the company, which acts like a web traffic cop, the attack managed to prevent access to a handful of sites for a good portion of the U.S. East Coast and beyond.

The distributed denial-of-service (DDoS) attack is believed to have been enabled by a piece of malware called Mirai, which was able to take control of insecure smart devices that either had passwords still on factory settings or no password at all.

Given the risk posed by a widespread internet of things with lax security, some experts have called for minimum standards and penalties to be imposed on manufacturers.


“If you’re shipping enough devices that can be leveraged trivially to knock down Twitter? Yeah, there should be liability,” John Bambenek, threat systems manager for Fidelis Cybersecurity, told Mashable at the time. “In the physical world, if you made a lawn mower that if you start it one time out of 10 it levelled a city block … We’d be arresting the executives.”

Tehan, for his part, thinks the PR liability for smart device manufacturers may be enough to force them into action.

“There is reputation risk here for business,” he said. “If you’re manufacturing these things you need to be cognisant of the fact it could do irreparable damage to your reputation if what you’re manufacturing isn’t seen to be safe.”

One manufacturer, whose webcams were found to have been used in the attack, recalled some of its devices after the Dyn incident.

The Chinese company Hangzhou Xiongmai told the BBC hackers were able to take over the cameras because users had not changed their passwords.

Tehan added he hopes to open discussions with businesses about the issue, rather than moving immediately to regulate.

“In the meantime, what we’d like to do is educate the consumer,” Tehan added, admitting the government is often reactive when it comes to the security risks posed by technology.

“What we’re going to be doing is always partly reactive,” he said. “But if we do just sit there and just wait and react, I think we’ll fall behind.”

Australia is willing to move forward in some ways online, however.

During his address titled “A Cyber Storm,” Tehan also confirmed that Australia had “offensive cyber capabilities” that were in use in Iraq and Syria, without offering detail.

His remarks echoed Prime Minister Malcolm Turnbull, who told parliament Wednesday that capabilities within the Australian Signals Directorate provide the country with the ability “to deter and respond to cyber-attacks against Australia.”

Tehan also talked up the importance of a bill that would require companies to notify customers of any serious data breach.

It seems the government is in no rush there, either. A draft of the legislation was released more than one year ago, but its latest incarnation is yet to be passed.

Read more: http://mashable.com/2016/11/23/australia-regulating-iot-devices-last-resort/
