It's easy to fix; back in the day when a machine was infected, an ISP would just block outgoing traffic, contact the line owner and re-enable it when the issue was resolved.
If the "machine" in question is my ADSL router as supplied by my ISP, I will be deeply unimpressed if they block me due to their own negligence in updating it!
Similarly, a single bad device on my network would block the whole of my network from the internet. It's another sort of denial of service attack.
We need IPv6 and have devices either access the internet with their own IP address or not access it at all. This solution, then, would only impact bad actor devices, not your other (non-compromised) devices. Still, not easy.
While technically accurate to describe them as such, the vast majority of consumers (and internet service subscribers) lack the actual technical expertise to be network administrators.
Where these devices are being attacked inside, ostensibly, professional organizations (companies, schools, government buildings), I agree. But there you have, again ostensibly, an actual network administrator capable of dealing with the issue (and paid to do so).
We don't expect all homeowners to be, say, experts in electrical wiring, or gas supply, plumbing, drainage, or waste management. But all of these things—if they are poorly modified, managed, or maintained—can cause impacts on third parties. In the case of networked devices, the possible impact on third parties is even greater. We also enforce strong regulation on these systems – defining what may and may not be legally connected to public utility networks, for example.
We would probably expect a homeowner to hire a tradesperson to maintain these services, and in some cases it's legally mandated that only a qualified person may install or modify these systems. Is it then unreasonable to kick consumers off of the Internet when they install poorly-maintained devices, and require them to resolve the problem – perhaps by hiring the networking equivalent of a qualified plumber?
Then we need to regulate the installation and maintenance of home networks like we do plumbing and electric. This is not a small requirement, and given the current ubiquity of home networks and networked devices it will be an incredible challenge to implement.
Probably a startup idea or two would come out of that sort of regulation. Now, to install that Nanny Cam, I have to hire a certified network administrator.
If the ISP were held responsible by contract, the ISP could either transfer that responsibility as described above or they could just filter their outbound a little harder. The latter solution seems more practical.
What sort of regulation are you referring to? I'm not a plumber or electrician but I replace broken faucets and light switches. No certification required.
I was more referring to requiring homes be up to code. You're right that individual projects don't really require anything special, more important when building new buildings.
That's fine, if you connect some cheap webcam and it causes you to be knocked off the internet you're going to be mad, leave a bad review for the camera, and not buy from them again. Market forces would then incentivize better security to be built into these devices.
But the average consumer won't realize, especially when the installation and network failure aren't temporally adjacent, that the camera is the cause of the problem.
The solutions available (and there are more, just enumerating some):
IPv6 so everything is directly on the internet or not hidden behind a common router like they are now. This allows direct blocking of bad actors.
Security certifications for all software and hardware that ever connects to the internet. Well, guess I won't be doing as much programming at home anymore. And good luck getting that open source project of yours certified without getting some Patreon supporters with deep pockets.
Arbitrarily, from the consumer's perspective, block their access to the internet when they "did nothing wrong".
Hold the creators of the devices accountable for making shitty, exploitable systems. Sue them directly for the financial harm they've permitted (millions of dollars today alone). But good luck suing them, they're in a foreign country and will cease to exist tomorrow (under that corporate entity).
>But the average consumer won't realize, especially when the installation and network failure aren't temporally adjacent, that the camera is the cause of the problem.
In theory the user could be presented with a "here is why you've been blocked" explanation when they try to browse any site. They could then (probably) figure out what is the offending device, take it off the network, then click "please let me back on the internet, the bad device has been removed". (Somewhat similar to how the MX blacklists work at present).
"the vast majority of consumers (and internet service subscribers) lack the actual technical expertise to be network administrators."
That's true, but the vast majority of internet service subscribers aren't their own network administrators. If you're using an ISP-supplied modem/router combo, I'd say that your ISP is your network administrator. If my ISP wants that kind of access into my local network (and they don't give me any other option) then they should be doing some actual administration.
Under this concept, they'd be able to specify precisely what kinds of computers and IoT devices you'd be allowed to use on your home network. This would be a net-negative for the world.
"Fix" is a relative term, especially if IoT devices are in play – yes, turning off the internet to customers stops the attack, but then (at least?) thousands of people lose internet connectivity because of a vulnerability that they could very well be powerless to fix. I'm not saying it's ok with me that an army of smart refrigerators could be taking out big chunks of the web, but it's a lot easier to tell someone, "Hey, either get the infection off your computer or re-format" than it is to make someone buy new lightbulbs and appliances.
Not powerless, just unplug their toaster and they get their internet back.
What is powerless is that many people today couldn't get Twitter, GitHub, Reddit, Spotify, Box, etc. because many people don't care about securing their webcam.
I would hope things like smart refrigerators and lightbulbs actually still operate normally when the internet is out, right? By "normally" I mean similar to "dumb" versions of the same product. So a customer could fix the issue by kicking the device off the network (disconnect the smart fridge from the ethernet / wifi, unplug the hub for your light bulbs, etc) without actually having to immediately replace them.
When a pipe breaks in your condo and starts flooding all the people below nobody asks which appliance might be leaking. Water is cut and you get the bill for _all of the damages_.
Why can't everyone else then block the customer? Get the big 5 tech companies to block IPs that are shown to do DDoS, for, say, a 24hr period, and you will see how quickly they unplug that IoT toaster.
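The quarantine scheme sketched in two of the comments above (a block that explains itself to the customer and can be lifted by them once the offending device is removed, plus a time-limited block of any IP seen flooding a target) is modelled below as an added example; it is not code from anyone in this thread. It assumes flow records with the fields shown, an invented packet-rate threshold, a 24-hour hold and a 10-minute quiet period before early release; the addresses and flows are constructed sample data from documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Flow:
    """One aggregated flow record as an edge router might export (field names assumed)."""
    ts: datetime
    src: str        # the customer's public IP
    dst: str
    dst_port: int
    packets: int


@dataclass
class Hold:
    since: datetime
    until: datetime
    reason: str


class Quarantine:
    """Time-limited per-customer block with an explanation page and self-service release."""

    def __init__(self, pps_threshold: int = 5000, hold: timedelta = timedelta(hours=24)):
        self.pps_threshold = pps_threshold          # assumed threshold, packets per second to one target
        self.hold = hold                            # how long a block lasts if the customer does nothing
        self.holds: Dict[str, Hold] = {}
        self.last_abuse: Dict[str, datetime] = {}

    def ingest(self, flows: List[Flow]) -> List[str]:
        """Count packets per (src, dst, port, second); a burst over the threshold toward one
        target is treated as flood traffic. Returns the IPs newly placed in quarantine."""
        buckets: Dict[Tuple[str, str, int, datetime], int] = defaultdict(int)
        for f in flows:
            buckets[(f.src, f.dst, f.dst_port, f.ts.replace(microsecond=0))] += f.packets
        newly = []
        for (src, dst, port, sec), pkts in sorted(buckets.items(), key=lambda kv: kv[0][3]):
            if pkts < self.pps_threshold:
                continue
            self.last_abuse[src] = max(self.last_abuse.get(src, sec), sec)
            cur = self.holds.get(src)
            if cur is None or cur.until <= sec:     # do not stack holds; a live one is enough
                self.holds[src] = Hold(sec, sec + self.hold, f"{pkts} pkt/s to {dst}:{port}")
                newly.append(src)
        return newly

    def is_blocked(self, src: str, now: datetime) -> bool:
        h = self.holds.get(src)
        return h is not None and h.since <= now < h.until

    def handle_http(self, src: str, now: datetime, host: str, path: str) -> Tuple[int, str]:
        """Forward normally, or answer a quarantined customer with the reason and the next step."""
        if not self.is_blocked(src, now):
            return 200, f"forwarded to {host}{path}"
        h = self.holds[src]
        body = (f"Your connection is paused. Traffic matching a denial-of-service pattern "
                f"({h.reason}) was seen from your line at {h.since:%Y-%m-%d %H:%M}. "
                f"Disconnect the device responsible, then visit /release. "
                f"Without action the block lifts at {h.until:%Y-%m-%d %H:%M}.")
        return 403, body

    def request_release(self, src: str, now: datetime,
                        grace: timedelta = timedelta(minutes=10)) -> bool:
        """Grant early release only if the line has been quiet for the whole grace period,
        so clicking the button before unplugging the device achieves nothing."""
        if src not in self.holds:
            return True
        last = self.last_abuse.get(src)
        if last is not None and now - last < grace:
            return False
        del self.holds[src]
        return True


T0 = datetime(2016, 10, 21, 12, 0, 0)   # constructed reference time for the sample flows


def minutes_after(m: int) -> datetime:
    return T0 + timedelta(minutes=m)


def demo() -> Quarantine:
    """Constructed sample flows: one customer doing ordinary DNS, one flooding a DNS server."""
    flows = [
        Flow(T0, "203.0.113.10", "198.51.100.5", 53, 120),
        Flow(T0, "203.0.113.77", "198.51.100.5", 53, 9000),
        Flow(T0 + timedelta(seconds=1), "203.0.113.77", "198.51.100.5", 53, 8800),
    ]
    q = Quarantine()
    q.ingest(flows)
    return q


if __name__ == "__main__":
    q = demo()
    print(q.handle_http("203.0.113.77", minutes_after(5), "www.example.com", "/"))
    print(q.request_release("203.0.113.77", minutes_after(5)))    # too soon after the flood
    print(q.request_release("203.0.113.77", minutes_after(60)))   # line quiet, released early
```

The two design points worth noticing are that the block carries its own expiry, so a customer who never finds the device still gets service back, and that the release check looks at observed traffic rather than trusting the click; without the quiet-period check the self-service button would simply be pressed by the same person who has not yet unplugged anything.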
Speaking as not-me, the average, non-technical homeowner who just installed his new internet connected washing machine at home.
Great, now I can throw in a load and get a notice on my phone when it's done. This is awesome! (3 hours later) Wait, why can't I get to the internet? I call my ISP, they tell me that my connection is fine (it's tech support, they aren't security experts). But, I tell them, Google doesn't work for me. They do some tests, everything should work. I bitch, moan, cry a little, rage quit my ISP and sign up with someone new. It works for a few days until my washing machine (having been offline for a bit) gets exploited again.
I still don't have a clue as to why I'm being blocked from Google and company. Maybe they kick back a message as a 4xx (what would be appropriate?) that says my network has been hacked. But I've seen those sorts of things all the time in ads, I know that's just someone trying to scam me, convince me to run something that'll install a virus on my computer.
Must be my computer! Damn Dell piece of shit. I can't afford a new one. Maybe that neighbor kid can come over again and help me out with this.
($200 and several trips for the neighbor kid later it's still not solved)
As you said, some sort of message would have to be the way. A 4xx probably won't cut it but something like the messages Google shows you when asking for a captcha is fine.
My point is that there will be a cost, and that taking action against vendors won't be enough (esp. if they are in a different country, are no longer in business, etc.)
Not very quickly? First, you wouldn't know why you were disconnected. You would try the standard things first (plug and unplug your router, etc). Then maybe after a while you would call your ISP. Get put on hold a bunch. Your ISP tech support probably won't know much either, since in your scenario it isn't the ISP doing the blocking. They MIGHT test the connection, or maybe they just give the customer a new IP address.
It is going to take quite a while in this scenario for the user to realize it is their IoT toaster that is causing the issue.