Brendan Carr’s Baseless Xenophobia Derails New FCC ‘Internet Of Things’ (IOT) Device Security Standards

from the CHINA-CHINA-CHINA dept

For many, many years security experts have warned that the “internet of things” (IOT), the myriad “smart home” devices we have scattered around our homes, was a security and privacy dumpster fire. A lot of these devices are made in China (often poorly), introducing new network attack vectors and widespread national security concerns.

So in 2023, the Biden FCC proposed a new voluntary program that would rank and label smart home devices if they adhered to some basic privacy and security standards. Under the program, the FCC would work with a private Illinois-based company named UL Solutions to study and test devices, then apply a “U.S. Cyber Trust Mark” on devices deemed relatively secure.

Enter Trumpism. The program’s creation has stalled out because of some baseless claims by Trump FCC boss Brendan Carr that UL Solutions, a company that has done this kind of testing for one-hundred-and-thirty years and which is well-known and well-respected in the field, also happens to do business in China and runs 18 China-based testing locations (which makes sense given the massive volume of such devices built in, you know, China).

So in June, Carr made a post to Elon Musk’s right wing propaganda website vaguely stating the program would be paused while his FCC “investigated” UL Solutions:

To be clear, this is about U.S. companies not wanting to have to adhere to any sort of oversight or privacy and security standards whatsoever (and this voluntary program probably would have not included serious penalties). Carr has just selected weird Chinese xenophobia as cover for regulatory capture.

Carr’s “investigation” is much like his other pseudo-investigations, which have included “investigating” Verizon for not being racist enough, “investigating” CBS for doing journalism critical of King Dingus, or “investigating” Dish Network for not giving its expensive spectrum to Elon Musk.

There is absolutely zero evidence of any kind that UL Solutions has done anything wrong, and the longer the program is delayed, the greater risk to the public:

“David Simon, a partner at Skadden, Arps, Slate, Meagher & Flom, said he was “not aware of any” other instance where the FCC investigated a company it had just approved to run one of its projects.

The uncertainty is already putting pressure on the program. “The longer one proceeds without trying to implement something like this, the more the risk is to the consumers,” said Paul Besozzi, a senior partner at Squire Patton Boggs. That includes both individual buyers and companies outfitting offices with smart devices.”

It’s now September and there’s zero update or transparency into the “investigation.” The whole thing is fairly representative of MAGA’s self-serving exploitation of “national security” and Chinese xenophobia when convenient.

Like the TikTok ban, which was floated for years (often by Carr) and even written into law, only to be scuttled because it upset the financial plans of a billionaire Trump ally. Or the “race to 5G,” which involved giving giant U.S. telecoms bottomless subsidies and tax cuts to “defeat the Chinese,” only for lawmakers to disappear when the efforts resulted in slow, expensive, and patchy U.S. 5G coverage.

Or all the GOP’s fear mongering about China’s Huawei, which involved a decade of hyperventilation over Chinese spying on U.S. telecom networks, and a bunch of programs the Trump administration is now dismantling so that rich people can get tax cuts. And most recently the AI wars, where we’re told we must give giant tech companies zero oversight and bottomless subsidies, again to best thwart the Chinese.

There are genuine security concerns related to China, and then there are greasy opportunists who leverage those fears for their own financial gain. And the U.S. press sucks at illustrating the difference, which is why it’s so easy for Carr to get away with this sort of vague bullshit.

While Carr professes to be super worried about Chinese threats to national security, with its other hand the Trump administration has gutted government cybersecurity programs (including a board investigating the biggest Chinese hack of U.S. telecom networks in history), dismantled the Cyber Safety Review Board (CSRB) (responsible for investigating significant cybersecurity incidents), and fired oodles of folks doing essential work at the Cybersecurity and Infrastructure Security Agency (CISA).

Brendan Carr is also engaged in a massive effort to destroy whatever’s left of the FCC’s consumer protection and corporate oversight authority, despite the fact that the recent historic Chinese Salt Typhoon hack (caused in large part because major telecoms were too incompetent to change default administrative passwords) was a direct byproduct of this exact type of mindless deregulation.

The Trump administration’s stacked courts are also making it impossible to hold telecoms accountable for literally anything (see the Fifth Circuit’s recent reversal of a fine against AT&T for spying on customer movement), which also undermines consumer privacy and national security, and ensures zero real repercussions for companies that fail to secure their networks and sensitive data.

So even if the FCC did implement this labeling program, any penalties for non-compliance (which there aren’t because it’s voluntary) would never survive the MAGA zealot-stocked court system. Carr of course is well aware of this. I suspect this program never sees the light of day and remains permanently bogged down in bogus, utterly nontransparent inquiry.

China’s super useful as a distraction from corruption or regulatory capture, but with MAGA it’s always performative. In Carr’s case, his primary interest is in pleasing the giant U.S. companies (his inevitable future employers) who don’t want any privacy and security oversight (however modest). And his efforts are always aided by a lazy U.S. corporate press too feckless to illustrate the distinction.

Companies: ul solutions


Comments on “Brendan Carr’s Baseless Xenophobia Derails New FCC ‘Internet Of Things’ (IOT) Device Security Standards”

13 Comments
Bodger says:

Doing Business in China!

Clearly some entities doing business in China raise concerns. I understand that a 34-times-convicted felon is having questionable ‘merchandise’ made by shady operators in that country and then distributing said ‘merchandise’ all over the country, albeit in the less educated areas, without proper security reviews. This needs to stop!

Anonymous Coward says:

Meanwhile, out there in the real world...

…the problems of the IOT continue to escalate rapidly. Most of the devices are security and privacy nightmares by design, but those which aren’t almost always turn out to be so in practice.

Also, huge numbers of these devices are being abandoned by their makers, who are simply washing their hands of their ensuing problems — including mass hijacking of these devices, which are then being used for all kinds of abuse and attacks.

The program discussed here wasn’t and isn’t perfect, but it was at least a credible attempt. Without it, manufacturers will continue to flood the market with crap — and this includes manufacturers in China — that makes an already epidemic problem worse.

And here’s the best part — for attackers: they don’t have to do anything. They don’t have to design, build, or sell these. They don’t have to buy or install them. All they have to do is wait…while their targets spend their time and money and effort deploying IOT devices that they (the attackers) can readily repurpose as weapons.

A few references — and this is only a tiny sample:

  • Chinese Pudu robots found open to hijacking – The Register
  • Frostbyte10 bugs put grocery refrigeration devices at risk – The Register
  • The EV Charger Hack That Can Burn Down Your House Just Got More Terrifying | PCMag
  • It Looks Like a School Bathroom Smoke Detector. A Teen Hacker Showed It Could Be an Audio Bug | WIRED
  • Lovense: The Company That Lies to Security Researchers | bobdahacker
  • Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries

    One more point: botnets constructed from these devices, like the Android TV one discussed in that last link, are more than capable of conducting credible DDoS attacks when deployed against a single system or network. Dealing with such an attack is a fairly well-understood problem by now; there are all kinds of strategies, tactics, and tools available to mitigate it.

    But such a botnet is also capable of conducting multi-target DDoS attacks, where “multi” could mean “millions”. As a simple example, consider what would happen if every device in that botnet attacked every other device. This isn’t a problem that we have well-defined methodologies for, and it’s especially difficult because the targets are everywhere and not being operated by skilled/experienced systems/network engineers. If you think through this scenario, you’ll realize that it’s a logistical mess: for starters, how do we reach the ~1.59M people with those devices in order to tell them to disconnect them? Will they believe us? Will they know how to do it? Will they do it? And so on.

    Whoever (profile) says:

    IPv6

    IPv6 is going to make this problem worse.

    The IPv6 advocates keep shouting “NAT is not a firewall”, but it does provide some protection. Symmetric NAT does provide a lot of protection, relying on the firewall/router to redirect incoming packets, while the typical IPv6 firewall/router merely needs to decide if packets are to be passed on, unchanged, or not.

    Far more IoT devices will be exposed to hacking as IPv6 becomes ubiquitous.

    Anonymous Coward says:

    Re:

    Symmetric NAT does provide a lot of protection, relying on the firewall/router to redirect incoming packets, while the typical IPv6 firewall/router merely needs to decide if packets are to be passed on, unchanged, or not.

    Why does it matter whether the packet is changed or unchanged? As long as the router blocks new incoming connections (as my parents’ ISP-provided router does for IPv6), that seems about the same as a stateful IPv4 firewall. Even if that statefulness of IPv4 firewalling was initially kind of an accident.

    It seems foolish, anyway, to think a device behind an internet-router firewall is not exposed. Attacks such as DNS rebinding worked for a long time. People buy “internet of things” shit, connect it to their “internal” network, and never update it. And it’s usually connected via wi-fi now, which means changing the credentials would require updating every “thing” and thus basically never happens.

    Anonymous Coward says:

    Re:

    I don’t particularly think of myself as an IPv6 advocate, but it’s true that NAT is not a firewall. It’s also true that many devices which perform NAT also do some traffic cleanup while they’re at it, and that function is similar to some firewalls, e.g., OpenBSD’s “pf” has a “scrub” function that works pretty well.

    But even if this sort of thing is enabled, that just means that the traffic isn’t malformed, i.e., that the packets comply with the firewall’s idea of what the RFCs say. That doesn’t stop attacks which are transported inside these well-formed packets.

    If there’s any good news in this, it’s that IPv4 to IPv6 (and vice versa) NAT implementations tend to do the kind of cleanup I referred to above as part of their normal function, and that’s a good thing. The downside is that there are all kinds of v4/v6 edge cases, attackers know about them, and they can/will exploit those if the NAT implementation allows it.

    Anonymous Coward says:

    Re: Re:

    But even if this sort of thing is enabled, that just means that the traffic isn’t malformed, i.e., that the packets comply with the firewall’s idea of what the RFCs say. That doesn’t stop attacks which are transported inside these well-formed packets.

    What you’re missing is that NA(P)T essentially has to be a stateful firewall. When a new connection comes in from the “WAN” side, the firewall can’t know where on the LAN to send it. Unless someone’s manually configured forwarding (or the system does something stupid like sending it to a broadcast or randomly-selected-unicast address—which just doesn’t happen).

    So, connection initiation from the WAN side is semi-accidentally blocked. But it’s like one line of firewalling code to enable that on IPv6 (with nft on Linux, “ct state established,related accept”, assuming “policy drop” is set as the “input” chain’s default). And though I generally use OpenWRT, I’ve seen even ISP-provided routers blocking incoming connections, and I’ve heard it’s pretty common (maybe even ubiquitous?). So I’m not worried about this specific thing as a security risk; there are many greater risks.

    If your security depends on a router blocking connections from outside, you might want to check that it works that way for IPv6. At least until implementing proper authentication and encryption, which should be considered a priority; otherwise you’re one compromised “smart” device away from a more general security breach. (Your kid connected to a dodgy coffee-shop network, and then came home? You might just be screwed.)
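    The “one line of firewalling code” mentioned above, written out as a complete minimal nftables ruleset for a home router, as an added example that is not part of the comment thread. Interface names `wan0` and `lan0` are assumptions; the forward chain is what actually shields LAN devices, and the ICMPv6 allowances are the part consumer setups most often get wrong (IPv6 does not work without neighbour discovery).

```nft
#!/usr/sbin/nft -f
# Added example: minimal IPv6-capable router ruleset in the spirit of the
# comment above. Interface names wan0 (upstream) and lan0 (IoT segment)
# are assumptions; adjust to the real device.
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: default deny.
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional on IPv6: without router advertisements and
        # neighbour discovery the link simply stops working. Allow the
        # types needed for NDP, MLD, path MTU discovery and basic errors.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert,
            mld-listener-query, mld-listener-report, mld-listener-done
        } accept

        # DHCPv6 client: replies from the upstream server to port 546.
        iifname "wan0" udp sport 547 udp dport 546 accept

        # Router management reachable from the LAN side only.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        # Traffic passing through the router between wan0 and lan0.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN devices may open connections outbound ...
        iifname "lan0" oifname "wan0" accept

        # ... but nothing from the WAN reaches a LAN device unless a rule
        # is added here explicitly. Only the ICMPv6 needed for PMTU
        # discovery and diagnostics is let through.
        iifname "wan0" oifname "lan0" icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept
    }
}
```

    `nft -c -f ruleset.nft` checks the file for syntax errors without loading it, and `nft list ruleset` afterwards confirms that both chains really carry `policy drop`, which is the check the comment suggests making before trusting a router’s IPv6 behaviour.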

    Anonymous Coward says:

    Re: Re: Re:

    I get that first part: and you’re right, pretty much every consumer ISP-supplied router/gateway blocks incoming connections in its default configuration, and it requires user intervention to override that.

    What I’m referring to are attacks carried out in the application layer in response to connections initiated from the inside. To give an example from the IOT itself: what happens when one of these device models is abandoned by the vendor because they’ve gone defunct, shut down their servers, stopped renewing their domain, etc. — but the devices are still “phoning home” for updates? An attacker who co-opts this process can cause the devices to download new (and malicious) firmware or other code, which will be cheerfully carried through the firewall on an HTTPS connection (likely), regardless of IPv4/IPv6 or packet scrubbing or any of the other things operating at lower layers.

    Yeah, I know: it’s not a network attack per se. But it’d be very difficult to explain to most users the nuanced difference.

    Anonymous Coward says:

    Re: Re: Re:2

    What I’m referring to are attacks carried out in the application layer in response to connections initiated from the inside. To give an example from the IOT itself: what happens when one of these device models is abandoned by the vendor because they’ve gone defunct, shut down their servers, stopped renewing their domain, etc. — but the devices are still “phoning home” for updates?

    Nothing good. Your definition of “firewall”, then, seems to be from a “power user” perspective. There’s always someone in internet comments talking about how they put each “IoT” device on its own VLAN, run them as DMZs, and tightly restrict what kind of access they have. (Which, for me, raises the question: “why buy that shit at all?”. In some cases, the person would prefer not to, but compromises for family unity.)

    But I think “block incoming connections” is all the average person expects of a “firewall”. And they happen to get that from NAT (in its consumer form), and consider it sufficient for security.

    As a slightly off-topic aside, “phoning home for updates” is not inherently required for security. We’ve come to accept it because software is developed without any engineering-style rigor, to the point where all software is expected to contain major security fuck-ups that we just haven’t found yet.

    ECA (profile) says:

    Every one of these cameras

    has a big flaw.
    Where to send the pictures and video. And 99% of the time they are not set up to send it locally. Not even to the USA companies.
    And you can’t change the destination.
    It would be nice to set them to send to your Gmail account, where you set up a box for only security.
    And as many are learning, the prices are adjusted. They are almost the same as buying in the USA.

    Nimrod (profile) says:

    I’m wondering why they haven’t gone after TP-Link yet. Maybe they’re aware of the chaos it would cause, since they make pretty much ALL of the decent cheap routers out there today. I’ve been delaying upgrading my mesh system (currently a somewhat older TP-Link setup) because it would be just my luck for the feds to step in and brick a brand-new rig.
