IoT
8/2/2017
12:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Proposed IoT Security Bill Well-Intentioned But Likely Hard To Enforce

Internet of Things Cybersecurity Improvement Act of 2017 proposes minimum set of security controls for IoT products sold to government.

Security vendors this week praised a newly-proposed Senate bill that would require a minimum set of security controls for IoT devices, but they also expressed concerns that the legislation would be hard to enforce.

The provisions of the bill, titled Internet of Things (IoT) Cybersecurity Improvement Act of 2017, apply primarily to IoT devices meant for use by the U.S. government. Senators Mark Warner (D-VA) and Cory Gardner (R-CO) Tuesday introduced the bill Tuesday, citing concerns that government cyber systems might be put at risk by poorly-protected IoT devices.

The proposed bill requires IoT vendors that sell to the federal government to ensure their devices can be patched, do not have fixed or hard-coded passwords, and do not have any known security vulnerabilities.

The bill also requires IoT vendors to ensure that any software they use for communications, encryption, and other critical functions is fully supported by the software vendor. The bill directs the White House's Office of Management and Budget to develop alternative security requirements for IoT devices that do not have the data processing or software functionality to support security updates and patches.

In addition, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 promotes the creation of standard vulnerability disclosure polices for federal contractors.  It seeks to ensure that bug hunters are provided adequate legal protections when hunting for and disclosing bugs in IoT products in a responsible manner.

The bill was drafted in consultation with organizations such as the Berkman Klein Center for Internet & Society at Harvard University and the Atlantic Council. It is one of the first to attempt to address the burgeoning security problems caused by poorly protected Internet connected devices.

Last year, threat actors took advantage of hard-coded passwords and other vulnerabilities in Internet connected home routers, CCTVs and DVRs to launch massive denial of service attacks against Internet service provider Dyn and other major online properties including Netflix, Airbnb, and Twitter. The Mirai attacks showed how easily threat actors could assemble massive attack botnets from vulnerable IoT devices and use them to launch DDoS attacks and other malicious campaigns.

With analyst firms like Gartner predicting that tens of billions of IoT device will go online in the next few years, concerns over the threat to Internet security from vulnerable IoT devices have only escalated.

From that standpoint, the proposed legislation is definitely a good thing, says Rod Schultz, chief product officer for Rubicon Labs. "The fact that Congress is even discussing IoT security is a good thing, and calling out low-hanging security challenges such as static passwords will help," he says.

There is still a lot that still needs to be considered with respect to vulnerability detection and legal enforcement of the bill, as well as what parties in the IoT supply chain will be indemnified.  "But it’s refreshing to see Congress being proactive," he says.

Travis Smith, principal security researcher at Tripwire, says the bill will help address some IoT security issues and protect security researchers who expose vulnerabilities in Internet-connected devices.  But even if IoT vendors were to develop systems that can be patched and do not have hard-coded passwords, it would still be up to the users to ensure that default passwords are changed and that relevant patches are applied. These issues could limit the effectiveness of the bill.

Mirai was successful not because users couldn't change device passwords, but because they chose not to, Smith observes.

"If this bill wants to address the real problem regarding insecurity of IoT devices, additional language…needs to be added," Smith says.

"First, not only should there be no hard-coded credentials, there should be no [admin] credentials shared across devices," Smith suggests.

Secondly, the bill should require defined processes for IoT device vendors to alert consumers about the availability of security patches. "Far too often, patches are uploaded to a support portal -- without the end-user having any idea about it," Smith says.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/4/2017 | 3:18:17 PM
Passing a law does nothing to solve the problem
Sounds and looks good, but all too often the organization involved may have outsourced IT to, oh, India or, worse, IBM and expects them to do the job.  Forget the law - ok, we have one.  But now let management and outsource entities take the subject SERIOUSLY and important, otherwise you have a Merck on your hands.
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
7 Ways to Keep DNS Safe
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Locked device, Ha! I knew there was another way in.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-15137
PUBLISHED: 2018-07-16
The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed.
CVE-2017-17541
PUBLISHED: 2018-07-16
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.4 and below versions, FortiAnalyzer 6.0.0, 5.6.4 and below versions allows inject Javascript code and HTML tags through the CN value of CA and CRL certificates via the import CA and CRL certificates feature.
CVE-2018-1046
PUBLISHED: 2018-07-16
pdns before version 4.1.2 is vulnerable to a buffer overflow in dnsreplay. In the dnsreplay tool provided with PowerDNS Authoritative, replaying a specially crafted PCAP file can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution. This buffer overflow ...
CVE-2018-10840
PUBLISHED: 2018-07-16
Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image.
CVE-2018-10857
PUBLISHED: 2018-07-16
git-annex is vulnerable to a private data exposure and exfiltration attack. It could expose the content of files located outside the git-annex repository, or content from a private web server on localhost or the LAN.