Senate Bill Calls for Stronger IoT Security


Want to sell your Internet of Things devices to the U.S. government? You may have to meet new security standards—like making sure your products aren’t susceptible to known vulnerabilities—if a new bill becomes law.


Senators Steve Daines (R-MT), Cory Gardner (R-CO), Mark Warner (D-VA), and Ron Wyden (D-OR) jointly presented the bill. Along with ensuring no known vulnerabilities are present at the time of purchase, it also requires that devices can be patched when vulnerability patches are available, and prohibits hard-coded passwords.

Based on the bill’s wording, the requirements apply to pretty much anything capable of an internet connection. It targets devices with “computer processing capabilities that can collect, send or receive data,” and “a physical object that is capable of connecting to and is in regular connection with the Internet.”

In other words, if a device connects to the internet or handles data, it’s covered by this bill. Considering the fast-and-loose approach some IoT device makers have taken towards security, and the major security weakness that unchangeable passwords present, it’s no surprise to see this sort of legislation appear.

Last fall thousands of web-connected cameras were used in coordinated attacks to bring down sites and servers. They all included chips with passwords burned in so they couldn’t be changed. Hackers took advantage of that and used the cameras to hammer servers with more data packets than they could handle—all without the camera users having any idea their devices were being hijacked for the attacks.

IoT, DMCA and More

The bill also offers protections from the Digital Millennium Copyright Act and Computer Fraud and Abuse Act for cybersecurity researchers. That’s likely in response to cases where the CFAA was abused to threaten security researchers.

The Harvard University Berklett Cybersecurity Project, the Center for Democracy & Technology, and Mozilla are all supporting the bill.

There isn’t any guarantee the bill will become law, or that if it does the final version will include all of the security requirements found in this version. Still, it’s clear some of the IoT and smart home gear we’re using today is lacking adequate security measures, so this bill could be the first step in getting device makers to improve protections.

[Thanks to Krebs On Security for the heads up]

Scott B in DC

The “S” in IoT is for “security!” Wait… there is no S in IoT? True. There is no security either! Tracing the story, I was a bit wary about the discussion of bills that point to congressional working drafts. I have seen too many working drafts never even introduced. However, a search for the bill found that Sen. Warner (D-VA) introduced it into the Senate on August 1. It is assigned the bill number S. 1691. If you want to follow the progress of this bill or any bill, you can go to congress.gov, sign up for a free account,…

Lee Dronick

They all included chips with passwords burned in so they couldn’t be changed.

Interesting, where were these cameras designed and manufactured?

Scott B in DC

Most were designed in the United States and manufactured elsewhere, usually China and India.