The FTC should issue new warnings to consumers and new advice to connected-device manufacturers in the wake of last month’s massive DDoS attack that leveraged the Internet of Things, two leading Democrats on the House Energy and Commerce Committee urged last week.
“It is time for the FTC to strongly reinforce to both consumers and device manufacturers the need to adopt strong security measures,” Rep. Frank Pallone, D-N.J., and Rep. Jan Schakowsky, D-Ill., wrote in a letter Thursday to FTC Chairwoman Ramirez. “First, the FTC should call on IoT device manufacturers to implement security measures, including patching vulnerabilities and requiring consumers to change the default passwords on devices during the setup process. Second, the FTC should alert consumers to the security risks posed by continuing to use default passwords on IoT devices.”
Pallone is the ranking member of the full Energy and Commerce Committee, and Schakowsky is the ranking member on its Commerce, Manufacturing, and Trade Subcommittee.
The FTC has previously warned consumers to change default passwords on connected devices — default passwords are exploited by the Mirai botnet that infected hundreds of thousands of IoT devices and used them in the Oct. 24 DDoS attack that knocked many major websites offline.
While calling this advice “commendable,” the two Democrats wrote that additional warnings are necessary, both to consumers and to industry.
“Unfortunately, consumers do not always have the option of securing their own devices,” the two write, because “Some device manufacturers have chosen to hard-wire in default passwords, leaving consumers helpless.”
The FTC “is the only federal agency with responsibility for consumer protection across broad areas of the economy,” they add.
Pallone and Schakowsky asked that the FTC “immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures to best protect consumers from cyberattacks.”