Proposed IoT Security Bill Well-Intentioned But Likely Hard To Enforce

Security vendors this week praised a newly-proposed Senate bill that would require a minimum set of security controls for IoT devices, but they also expressed concerns that the legislation would be hard to enforce.

The provisions of the bill, titled Internet of Things (IoT) Cybersecurity Improvement Act of 2017, apply primarily to IoT devices meant for use by the U.S. government. Senators Mark Warner (D-VA) and Cory Gardner (R-CO) Tuesday introduced the bill Tuesday, citing concerns that government cyber systems might be put at risk by poorly-protected IoT devices.

The proposed bill requires IoT vendors that sell to the federal government to ensure their devices can be patched, do not have fixed or hard-coded passwords, and do not have any known security vulnerabilities.

The bill also requires IoT vendors to ensure that any software they use for communications, encryption, and other critical functions is fully supported by the software vendor. The bill directs the White House's Office of Management and Budget to develop alternative security requirements for IoT devices that do not have the data processing or software functionality to support security updates and patches.

In addition, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 promotes the creation of standard vulnerability disclosure polices for federal contractors.  It seeks to ensure that bug hunters are provided adequate legal protections when hunting for and disclosing bugs in IoT products in a responsible manner.

The bill was drafted in consultation with organizations such as the Berkman Klein Center for Internet & Society at Harvard University and the Atlantic Council. It is one of the first to attempt to address the burgeoning security problems caused by poorly protected Internet connected devices.

Last year, threat actors took advantage of hard-coded passwords and other vulnerabilities in Internet connected home routers, CCTVs and DVRs to launch massive denial of service attacks against Internet service provider Dyn and other major online properties including Netflix, Airbnb, and Twitter. The Mirai attacks showed how easily threat actors could assemble massive attack botnets from vulnerable IoT devices and use them to launch DDoS attacks and other malicious campaigns.

With analyst firms like Gartner predicting that tens of billions of IoT device will go online in the next few years, concerns over the threat to Internet security from vulnerable IoT devices have only escalated.

From that standpoint, the proposed legislation is definitely a good thing, says Rod Schultz, chief product officer for Rubicon Labs. "The fact that Congress is even discussing IoT security is a good thing, and calling out low-hanging security challenges such as static passwords will help," he says.

There is still a lot that still needs to be considered with respect to vulnerability detection and legal enforcement of the bill, as well as what parties in the IoT supply chain will be indemnified.  "But it’s refreshing to see Congress being proactive," he says.

Travis Smith, principal security researcher at Tripwire, says the bill will help address some IoT security issues and protect security researchers who expose vulnerabilities in Internet-connected devices.  But even if IoT vendors were to develop systems that can be patched and do not have hard-coded passwords, it would still be up to the users to ensure that default passwords are changed and that relevant patches are applied. These issues could limit the effectiveness of the bill.

Mirai was successful not because users couldn't change device passwords, but because they chose not to, Smith observes.

"If this bill wants to address the real problem regarding insecurity of IoT devices, additional language…needs to be added," Smith says.

"First, not only should there be no hard-coded credentials, there should be no [admin] credentials shared across devices," Smith suggests.

Secondly, the bill should require defined processes for IoT device vendors to alert consumers about the availability of security patches. "Far too often, patches are uploaded to a support portal -- without the end-user having any idea about it," Smith says.

Related content: