Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
8/2/2017
12:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Proposed IoT Security Bill Well-Intentioned But Likely Hard To Enforce

Internet of Things Cybersecurity Improvement Act of 2017 proposes minimum set of security controls for IoT products sold to government.

Security vendors this week praised a newly-proposed Senate bill that would require a minimum set of security controls for IoT devices, but they also expressed concerns that the legislation would be hard to enforce.

The provisions of the bill, titled Internet of Things (IoT) Cybersecurity Improvement Act of 2017, apply primarily to IoT devices meant for use by the U.S. government. Senators Mark Warner (D-VA) and Cory Gardner (R-CO) Tuesday introduced the bill Tuesday, citing concerns that government cyber systems might be put at risk by poorly-protected IoT devices.

The proposed bill requires IoT vendors that sell to the federal government to ensure their devices can be patched, do not have fixed or hard-coded passwords, and do not have any known security vulnerabilities.

The bill also requires IoT vendors to ensure that any software they use for communications, encryption, and other critical functions is fully supported by the software vendor. The bill directs the White House's Office of Management and Budget to develop alternative security requirements for IoT devices that do not have the data processing or software functionality to support security updates and patches.

In addition, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 promotes the creation of standard vulnerability disclosure polices for federal contractors.  It seeks to ensure that bug hunters are provided adequate legal protections when hunting for and disclosing bugs in IoT products in a responsible manner.

The bill was drafted in consultation with organizations such as the Berkman Klein Center for Internet & Society at Harvard University and the Atlantic Council. It is one of the first to attempt to address the burgeoning security problems caused by poorly protected Internet connected devices.

Last year, threat actors took advantage of hard-coded passwords and other vulnerabilities in Internet connected home routers, CCTVs and DVRs to launch massive denial of service attacks against Internet service provider Dyn and other major online properties including Netflix, Airbnb, and Twitter. The Mirai attacks showed how easily threat actors could assemble massive attack botnets from vulnerable IoT devices and use them to launch DDoS attacks and other malicious campaigns.

With analyst firms like Gartner predicting that tens of billions of IoT device will go online in the next few years, concerns over the threat to Internet security from vulnerable IoT devices have only escalated.

From that standpoint, the proposed legislation is definitely a good thing, says Rod Schultz, chief product officer for Rubicon Labs. "The fact that Congress is even discussing IoT security is a good thing, and calling out low-hanging security challenges such as static passwords will help," he says.

There is still a lot that still needs to be considered with respect to vulnerability detection and legal enforcement of the bill, as well as what parties in the IoT supply chain will be indemnified.  "But it’s refreshing to see Congress being proactive," he says.

Travis Smith, principal security researcher at Tripwire, says the bill will help address some IoT security issues and protect security researchers who expose vulnerabilities in Internet-connected devices.  But even if IoT vendors were to develop systems that can be patched and do not have hard-coded passwords, it would still be up to the users to ensure that default passwords are changed and that relevant patches are applied. These issues could limit the effectiveness of the bill.

Mirai was successful not because users couldn't change device passwords, but because they chose not to, Smith observes.

"If this bill wants to address the real problem regarding insecurity of IoT devices, additional language…needs to be added," Smith says.

"First, not only should there be no hard-coded credentials, there should be no [admin] credentials shared across devices," Smith suggests.

Secondly, the bill should require defined processes for IoT device vendors to alert consumers about the availability of security patches. "Far too often, patches are uploaded to a support portal -- without the end-user having any idea about it," Smith says.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/4/2017 | 3:18:17 PM
Passing a law does nothing to solve the problem
Sounds and looks good, but all too often the organization involved may have outsourced IT to, oh, India or, worse, IBM and expects them to do the job.  Forget the law - ok, we have one.  But now let management and outsource entities take the subject SERIOUSLY and important, otherwise you have a Merck on your hands.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.