The US Congress has introduced a bill that would prohibit the sale of Internet of Things (IoT) devices to the federal government if they cannot be patched or have their passwords changed. Under the bill, federal agencies could still buy non-compliant IoT devices, but only with approval from the US Office of Management and Budget.
If the law is enacted, agencies must include a clause in their contracts with tech vendors “that requires such Internet-connected device software or firmware component to be updated or replaced, consistent with other provisions in the contract governing the term of support, in a manner that allows for any future security vulnerability or defect in any part of the software or firmware to be patched in order to fix or remove a vulnerability or defect in the software or firmware component in a properly authenticated and secure manner,” according to the proposed Internet of Things Cybersecurity Improvement Act of 2017.
Under the act, device makers could not hardcode passwords into products sold to the government; such passwords have been exploited in the past to spread malware, as in the Mirai attacks. A company would have to provide written certification that a device “does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication,” the bill said.
“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products,” Warner said in a release, underscoring his excitement about the potential of the IoT and his concerns “that too many Internet-connected devices are being sold without appropriate safeguards and protections in place.”
Gardner called the bill “bipartisan commonsense legislation” that will ensure “the federal government leads by example” and procures only those devices that meet basic requirements “to prevent hackers from penetrating our government systems” without curbing the “life-changing innovations” that define IoT.
Agreeing that IoT “will change the way we do everything,” Phil Reitinger, president and CEO of the Global Cyber Alliance (GCA), praised the IoT Cybersecurity Improvement Act as “an important first step to ensure that manufacturers of IoT devices make cybersecurity part of their products' DNA and the U.S. Government takes security and privacy into account when purchasing IoT.”
The promises of IoT will be met “only if the things that make up the 'Internet of Things' are trustworthy, protect our security and privacy and enable the services on which we rely, like power, communications, and hospital services, to be more resilient,” Reitinger said in comments emailed to SC Media.
Commenting on the news, Travis Smith, principal security engineer at Tripwire, emailed SC to say: “This bill will help to resolve some of the known issues plaguing so many IoT devices being hacked on a daily basis. There are two issues I see with this bill which won't help the overall security of these types of devices. When left up to the user, changing passwords and installing patches is not a priority. The priority instead is getting the device to work so you can stream Netflix from your fridge or see your front porch from a beach.”
He advises promoting devices that automatically detect new updates and install them without any user involvement, saying, “This is the strategy which should be strived for amongst all IoT vendors. The next is optional patches, which is what this bill will most likely mandate. Two issues with optional patches are first getting the user to know about the patch, then getting them to actually install the patch. Both of these tasks are notoriously difficult for your average user. Finally, there are the devices which do not receive any patches, intentionally or not.”
Regarding passwords, Smith says, “I would urge this bill to add that not only should devices force the user to change the default password, but that the default password should be unique to each device as well. Even something as simple as using a MAC address, while not secure in itself, is one step better than using the default admin/admin credentials we have become accustomed to.”
Smith concludes that for this bill to succeed, there need to be incentives for vendors to get their devices to a secure state, noting: “Releasing a device which is free from security bugs is time consuming and costly. With many of these devices being a commodity, delaying the time to market or charging a higher cost may not fit their current business model.”