IoT
8/2/2017
12:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Proposed IoT Security Bill Well-Intentioned But Likely Hard To Enforce

Internet of Things Cybersecurity Improvement Act of 2017 proposes minimum set of security controls for IoT products sold to government.

Security vendors this week praised a newly-proposed Senate bill that would require a minimum set of security controls for IoT devices, but they also expressed concerns that the legislation would be hard to enforce.

The provisions of the bill, titled Internet of Things (IoT) Cybersecurity Improvement Act of 2017, apply primarily to IoT devices meant for use by the U.S. government. Senators Mark Warner (D-VA) and Cory Gardner (R-CO) Tuesday introduced the bill Tuesday, citing concerns that government cyber systems might be put at risk by poorly-protected IoT devices.

The proposed bill requires IoT vendors that sell to the federal government to ensure their devices can be patched, do not have fixed or hard-coded passwords, and do not have any known security vulnerabilities.

The bill also requires IoT vendors to ensure that any software they use for communications, encryption, and other critical functions is fully supported by the software vendor. The bill directs the White House's Office of Management and Budget to develop alternative security requirements for IoT devices that do not have the data processing or software functionality to support security updates and patches.

In addition, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 promotes the creation of standard vulnerability disclosure polices for federal contractors.  It seeks to ensure that bug hunters are provided adequate legal protections when hunting for and disclosing bugs in IoT products in a responsible manner.

The bill was drafted in consultation with organizations such as the Berkman Klein Center for Internet & Society at Harvard University and the Atlantic Council. It is one of the first to attempt to address the burgeoning security problems caused by poorly protected Internet connected devices.

Last year, threat actors took advantage of hard-coded passwords and other vulnerabilities in Internet connected home routers, CCTVs and DVRs to launch massive denial of service attacks against Internet service provider Dyn and other major online properties including Netflix, Airbnb, and Twitter. The Mirai attacks showed how easily threat actors could assemble massive attack botnets from vulnerable IoT devices and use them to launch DDoS attacks and other malicious campaigns.

With analyst firms like Gartner predicting that tens of billions of IoT device will go online in the next few years, concerns over the threat to Internet security from vulnerable IoT devices have only escalated.

From that standpoint, the proposed legislation is definitely a good thing, says Rod Schultz, chief product officer for Rubicon Labs. "The fact that Congress is even discussing IoT security is a good thing, and calling out low-hanging security challenges such as static passwords will help," he says.

There is still a lot that still needs to be considered with respect to vulnerability detection and legal enforcement of the bill, as well as what parties in the IoT supply chain will be indemnified.  "But it’s refreshing to see Congress being proactive," he says.

Travis Smith, principal security researcher at Tripwire, says the bill will help address some IoT security issues and protect security researchers who expose vulnerabilities in Internet-connected devices.  But even if IoT vendors were to develop systems that can be patched and do not have hard-coded passwords, it would still be up to the users to ensure that default passwords are changed and that relevant patches are applied. These issues could limit the effectiveness of the bill.

Mirai was successful not because users couldn't change device passwords, but because they chose not to, Smith observes.

"If this bill wants to address the real problem regarding insecurity of IoT devices, additional language…needs to be added," Smith says.

"First, not only should there be no hard-coded credentials, there should be no [admin] credentials shared across devices," Smith suggests.

Secondly, the bill should require defined processes for IoT device vendors to alert consumers about the availability of security patches. "Far too often, patches are uploaded to a support portal -- without the end-user having any idea about it," Smith says.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/4/2017 | 3:18:17 PM
Passing a law does nothing to solve the problem
Sounds and looks good, but all too often the organization involved may have outsourced IT to, oh, India or, worse, IBM and expects them to do the job.  Forget the law - ok, we have one.  But now let management and outsource entities take the subject SERIOUSLY and important, otherwise you have a Merck on your hands.
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
4 Ways to Fight the Email Security Threat
Asaf Cidon, Vice President, Content Security Services, at Barracuda Networks,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.