Senate Bill Calls for Stronger IoT Security

Want to sell your Internet of Things devices to the U.S. government? You may have to meet new security standards—like making sure your products aren’t susceptible to known vulnerabilities—if a new bill becomes law.

Senators Steve Daines (R-MT), Cory Gardner (R-CO), Mark Warner (D-VA), and Ron Wyden (D-OR) jointly presented the bill. Along with ensuring no known vulnerabilities are present at the time of purchase, it requires that devices can be patched when vulnerability patches are available, and it prohibits hard-coded passwords.

Based on the bill’s wording, the requirements apply to pretty much anything capable of an internet connection. It targets devices with “computer processing capabilities that can collect, send or receive data,” and “a physical object that is capable of connecting to and is in regular connection with the Internet.”

In other words, if a device connects to the internet or handles data, it’s covered by this bill. Considering the fast-and-loose approach some IoT device makers have taken towards security, and the major security weakness unchangeable passwords present, it’s no surprise to see this sort of legislation appear.

Last fall thousands of web-connected cameras were used in coordinated attacks to bring down sites and servers. They all included chips with passwords burned in so they couldn’t be changed. Hackers took advantage of that and used the cameras to hammer servers with more data packets than they could handle—all without the camera users having any idea their devices were being hijacked for the attacks.

IoT, DMCA and More

The bill also offers protections from the Digital Millennium Copyright Act and Computer Fraud and Abuse Act for cybersecurity researchers. That’s likely in response to cases where the CFAA was abused to threaten security researchers.

The Harvard University Berklett Cybersecurity Project, the Center for Democracy & Technology, and Mozilla are all supporting the bill.

There isn’t any guarantee the bill will become law, or that if it does the final version will include all of the security requirements found in this version. Still, it’s clear some of the IoT and smart home gear we’re using today is lacking adequate security measures, so this bill could be the first step in getting device makers to improve protections.

[Thanks to Krebs On Security for the heads up]

3 thoughts on “Senate Bill Calls for Stronger IoT Security”

  • The “S” in IoT is for “security!”

    Wait… there is no S in IoT? True. There is no security either!

    Tracing the story, I was a bit wary about the discussion of bills that point to congressional working drafts. I have seen too many working drafts never even introduced. However, a search for the bill found that Sen. Warner (D-VA) introduced it into the Senate on August 1. It is assigned the bill number S. 1691.

    If you want to follow the progress of this bill or any bill, you can go to congress.gov, sign up for a free account, and set up trackers including trackers for your representatives in Congress. For this bill, you can click here to go directly to its page.
