A bipartisan group of U.S. senators plans to introduce legislation on Tuesday aiming to address vulnerabilities in internet of things (IoT) devices, according to a report from Reuters in San Francisco. Security experts have long warned that such vulnerabilities pose a threat to global cyber security.
The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards.
The proposed legislation aims to prohibit the production of IoT devices if they can’t be patched or have their password changed, says Jeremy Cowan. Should the legislation pass, it would also leave federal agencies free to purchase non-compliant IoT devices, provided they get approval from the US Office of Management and Budget.
Commenting on the news, Travis Smith, principal security engineer at security specialists Tripwire, said: “As it stands now, the S in ‘IoT’ stands for security! This bill will help to resolve some of the known issues plaguing so many IoT devices being hacked on a daily basis. There are two issues I see with this bill which won’t help in the overall security of these types of devices. When left up to the user, changing passwords and installing patches is not a priority. The priority instead is getting the device to work so you can stream Netflix from your fridge or see your front porch from a beach.
IoT devices in three buckets
“I put IoT devices into three buckets when it comes to patching. The best bucket to be in are devices which automatically detect new updates and install them without any user involvement. This is the strategy which should be strived for amongst all IoT vendors. The next is optional patches, which is what this bill will most likely mandate. Two issues with optional patches are first getting the user to know about the patch, then getting them to actually install the patch. Both of these tasks are notoriously difficult for your average user. Finally, there are the devices which do not receive any patches; intentionally or not.
“Along the same lines as having users install patches is getting them to change their passwords,” said Smith. “The reason Mirai was so successful was not because users could not change their password, but because they chose not to when installing the device. I would urge this bill to add that devices should force the user to change the default password, but that the default password should be unique to each device as well. Even something as simple as using a MAC address, while not secure, is one step better than using the default admin/admin credentials we have become accustomed to.”
“For this bill to be successful, there needs to be incentives for vendors to get their devices to a secure state. Releasing a device which is free from security bugs is time-consuming and costly. With many of these devices being a commodity, delaying the time to market or charging a higher cost may not fit their current business model,” he concluded.
In addition, Mike Bell, EVP Devices & IoT at Canonical, commented: “This is an important step in ensuring better security standards for devices. Nearly half of IoT professionals (45%) surveyed by Canonical highlighted better device security as their most immediate IoT challenge, and the ability to patch devices remotely is crucial in ensuring security holes can be filled quickly, safely and painlessly.
“That’s why Canonical has invested in ensuring that our IoT operating system, Ubuntu Core, has built-in remote patching capabilities. And, with the U.S. government’s IoT spending already reaching nearly $9 billion in 2015, any new standards set by Congress will be sure to impact enterprise and consumer vendors,” said Bell.