Warning to The Internet of Things – Send Lawyers, Gun & Money

The attacks last week on DNS-provider Dyn bring to light an often hidden fact about software security; lack of diligence by companies that ship software shifts the security risk. In other words, if company A ships vulnerable software to its customers, it is the customers who (unknowingly) absorb the risk.

In the case of IoT devices, however, we have seen that it’s not just the owners of those devices who are taking on that risk. It’s all of us. In addition, the Internet is an important part of our critical infrastructure. At what point are companies that put our infrastructure at risk held accountable? I think we’re going to see that happen soon.

OEMs in the Internet of Things

To briefly recap the situation, a number of IP cameras and DVRs manufactured by a Chinese company were sold to OEMs for use in IoT offerings. The devices shipped with default usernames and passwords without prompting users to change them (and allowed these to be bypassed using telnet access). Hackers were able to exploit this to build a botnet of up to 100,000 devices and execute a distributed denial of service (DDoS) attack on Dyn. This initially slowed, then effectively blocked access to Dyn’s DNS service, and in turn web traffic to sites such as Twitter, Okta, GitHub and Etsy. The attack had been used at least twice previously, and was “open sourced” when the original hacker released the attack’s source code a week before the Dyn attack.

Costs of a DDoS Attack

This attack “only” cost those sites revenue from delayed/deferred sales, advertising, and potential SLA violations. What if the sites affected had been providing healthcare services such as remote surgery, or power generation?

Businesses often talk about security due diligence. This frequently refers to an understanding of the risk posed by an action or supply chain relationship. Attorneys, on the other hand, discuss due care. This refers to what an entity has done to reasonably assure that no harm will come to others from their actions. A reasonable company, to use the due care standard, would not build and sell a car without brakes. This would put not only the driver, but pedestrians and other drivers at risk. A company doing this could expect to be sued to extinction. 

Broad Distribution

In the case of broadly distributed IoT devices, the risk of harm to others is now an everyday issue, and it is increasingly clear that due care was not taken. When an attack like this results in a loss of life or damage to communications and other utilities, consequences are appropriate for the manufacturers of these devices.

Next Steps

First steps appear to be in process. Senator Mark Warner has asked the FCC for guidance on how ISPs can respond while complying with the Open Internet Order, which prohibits denying non-harmful devices access to ISPs’ networks. Blocking a manufacturer’s devices from networks would certainly put a damper on the company’s revenue.

Insecure IoT devices are putting the Internet, and those services that depend on a reliable communication channel, at risk. Soon, government bodies and people will say “enough.” In the words of Warren Zevon, it will be time for IoT companies to call for more “lawyers, guns and money.”
