Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
8/2/2017
12:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Proposed IoT Security Bill Well-Intentioned But Likely Hard To Enforce

Internet of Things Cybersecurity Improvement Act of 2017 proposes minimum set of security controls for IoT products sold to government.

Security vendors this week praised a newly-proposed Senate bill that would require a minimum set of security controls for IoT devices, but they also expressed concerns that the legislation would be hard to enforce.

The provisions of the bill, titled Internet of Things (IoT) Cybersecurity Improvement Act of 2017, apply primarily to IoT devices meant for use by the U.S. government. Senators Mark Warner (D-VA) and Cory Gardner (R-CO) Tuesday introduced the bill Tuesday, citing concerns that government cyber systems might be put at risk by poorly-protected IoT devices.

The proposed bill requires IoT vendors that sell to the federal government to ensure their devices can be patched, do not have fixed or hard-coded passwords, and do not have any known security vulnerabilities.

The bill also requires IoT vendors to ensure that any software they use for communications, encryption, and other critical functions is fully supported by the software vendor. The bill directs the White House's Office of Management and Budget to develop alternative security requirements for IoT devices that do not have the data processing or software functionality to support security updates and patches.

In addition, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 promotes the creation of standard vulnerability disclosure polices for federal contractors.  It seeks to ensure that bug hunters are provided adequate legal protections when hunting for and disclosing bugs in IoT products in a responsible manner.

The bill was drafted in consultation with organizations such as the Berkman Klein Center for Internet & Society at Harvard University and the Atlantic Council. It is one of the first to attempt to address the burgeoning security problems caused by poorly protected Internet connected devices.

Last year, threat actors took advantage of hard-coded passwords and other vulnerabilities in Internet connected home routers, CCTVs and DVRs to launch massive denial of service attacks against Internet service provider Dyn and other major online properties including Netflix, Airbnb, and Twitter. The Mirai attacks showed how easily threat actors could assemble massive attack botnets from vulnerable IoT devices and use them to launch DDoS attacks and other malicious campaigns.

With analyst firms like Gartner predicting that tens of billions of IoT device will go online in the next few years, concerns over the threat to Internet security from vulnerable IoT devices have only escalated.

From that standpoint, the proposed legislation is definitely a good thing, says Rod Schultz, chief product officer for Rubicon Labs. "The fact that Congress is even discussing IoT security is a good thing, and calling out low-hanging security challenges such as static passwords will help," he says.

There is still a lot that still needs to be considered with respect to vulnerability detection and legal enforcement of the bill, as well as what parties in the IoT supply chain will be indemnified.  "But it’s refreshing to see Congress being proactive," he says.

Travis Smith, principal security researcher at Tripwire, says the bill will help address some IoT security issues and protect security researchers who expose vulnerabilities in Internet-connected devices.  But even if IoT vendors were to develop systems that can be patched and do not have hard-coded passwords, it would still be up to the users to ensure that default passwords are changed and that relevant patches are applied. These issues could limit the effectiveness of the bill.

Mirai was successful not because users couldn't change device passwords, but because they chose not to, Smith observes.

"If this bill wants to address the real problem regarding insecurity of IoT devices, additional language…needs to be added," Smith says.

"First, not only should there be no hard-coded credentials, there should be no [admin] credentials shared across devices," Smith suggests.

Secondly, the bill should require defined processes for IoT device vendors to alert consumers about the availability of security patches. "Far too often, patches are uploaded to a support portal -- without the end-user having any idea about it," Smith says.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/4/2017 | 3:18:17 PM
Passing a law does nothing to solve the problem
Sounds and looks good, but all too often the organization involved may have outsourced IT to, oh, India or, worse, IBM and expects them to do the job.  Forget the law - ok, we have one.  But now let management and outsource entities take the subject SERIOUSLY and important, otherwise you have a Merck on your hands.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5524
PUBLISHED: 2020-02-21
Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an attacker on the same network segment to execute arbitrary OS commands with root privileges via UPnP function.
CVE-2020-5525
PUBLISHED: 2020-02-21
Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via management screen.
CVE-2020-5533
PUBLISHED: 2020-02-21
Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2020-5534
PUBLISHED: 2020-02-21
Aterm WG2600HS firmware Ver1.3.2 and earlier allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via unspecified vectors.
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.