US Senators Intro IoT Security Bill

Four US senators yesterday introduced a bipartisan bill designed to improve baseline security for all IoT devices bought and used by the government.

The Internet of Things Cybersecurity Improvement Act aims to ensure that products can be patched, don’t include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, amongst other requirements.

It was drafted with help from cybersecurity experts at thinktank the Atlantic Council and Harvard University and features endorsements from the likes of Mozilla, Neustar and VMware.

The infamous Mirai attacks of last year, one of which managed to take out some of the biggest sites on the web for a brief time, were made possible because the malware simply scanned for the default log-ins that so many IoT devices ship with.

Interestingly, the proposed legislation also gives researchers looking to hack IoT products to find vulnerabilities legal protections from the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.

Finally, it requires all government agencies to make an inventory of all the smart devices they are currently using.

“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, or spill over to people who aren't the purchasers,” said Jonathan Zittrain, co-founder of Harvard University’s Berkman Klein Center for Internet & Society.

“This bill deftly uses the power of the federal procurement market, rather than direct regulation, to encourage internet-aware device makers to employ some basic security measures in their products. This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they'll be encouraged together to take steps to secure their products.”

However, Tripwire principal security engineer, Travis Smith, argued that the bill didn’t go far enough in forcing behavioral changes from users.

“There are two issues I see with this bill which won’t help the overall security of these types of devices,” he said. “When left up to the user, changing passwords and installing patches is not a priority.”  

Just last week, a global study by security firm Irdeto revealed that 90% of consumers believe security should be built into IoT devices from the start, with over three-quarters of consumers (78%) recognizing that home equipment could be targeted by hackers.

Despite this growing appetite for more secure IoT kit, the market has so far failed to respond.

Irdeto IoT security director, Mark Hearn, argued that legislation alone won’t solve the global security problem.

“The previous model for IoT devices was very often build, ship and forget. However, this approach to security is no longer acceptable as an IoT security strategy is crucial for all manufacturers including protection, updates and upgrades,” he told Infosecurity Magazine.

“If the only way to ensure this is legislation, then this is a sensible move. However, the IoT market is a global one and there is a need for a standardized approach for the market as a whole.”
