WASHINGTON — The Obama administration urged companies on Tuesday to make millions of devices safe from hacking, underscoring the risks posed by an increasingly bewildering array of internet-connected products permeating daily life, covering everything from fitness trackers to computers in automobiles.
In a report obtained by The Associated Press, the Homeland Security Department described runaway security problems with devices that have been made internet-capable in recent years, a group that includes medical implants, surveillance cameras, home appliances, digital video recorders, thermostats and baby monitors.
It said they posed “substantial safety and economic risks,” recommending immediate action by software and hardware developers, service providers, manufacturers and commercial and government buyers. No specific penalties were proposed for manufacturers failing to comply. No blame was placed on consumers buying and operating such products.
“The growing dependency on network-connected technologies is outpacing the means to secure them,” Homeland Secretary Jeh Johnson said.
The department’s strategy represents an attempt to organize the so-far scattered cybersecurity efforts for the category of devices known as the “internet of things.” It comes less than a month after hackers harnessed an army of 100,000 internet-connected devices around the world, such as DVRs and security cameras, to attack Dyn Co., which helps route internet traffic to its destination. It caused temporary internet outages to sites that included Twitter, PayPal, Pinterest, Reddit and Spotify.
Such threats are likely to increase, U.S. officials warn.
“Securing the internet of things has become a matter of homeland security,” Johnson said. Tuesday’s guidance, he added, should help companies “make informed security decisions.”
The report culminates a six-month review by Robert Silvers, the assistant homeland security secretary for cyber policy, who coordinated with cybersecurity experts, industry associations and branches of the government such as the Justice and State departments. They spoke about possibly holding companies accountable through product liability principles and how to create a uniform rulebook for securing these devices.
“We need to have a very serious national conversation about what the approach is, and we need to do it urgently,” Silvers said.
The internet of things is decentralized and complex, making it difficult to regulate. A camera with online capabilities may be designed in California, manufactured in China with parts from Taiwan and sold to someone who operates it on Germany’s network.
Some industrial sectors have made their own recommendations. In September, the National Highway Traffic Safety Administration published guidelines for self-driving cars.
For more than a decade, companies have added internet capabilities to devices as an additional feature, sometimes without security considerations. But adding security in wholesale fashion afterward is often more costly and complicated.
Some fixes are easier than others. The government urged companies to ensure security settings are turned on by default. Unique passwords for each device should be required so hackers can’t use a single stolen password to control thousands or more devices. Manufacturers ought to make products whose vulnerabilities can be fixed remotely.
“You can’t rely on a consumer to spend three hours to upgrade her toaster software. It’s not going to happen,” Silvers said.
