If the bill becomes law, federal agencies will retain the freedom to purchase prohibited IoT devices.
A new bill targeting the Internet of Things (IoT) has been proposed by the US government, aiming to stem the major cybersecurity problem caused by IoT devices.
The US government bill stipulates that IoT devices must provide users with the ability to patch them, and to alter their passwords. Failure to comply with this rule would result in production being prohibited.
Federal agencies would, however, retain the power to purchase non-compliant devices in the event that the new bill becomes law.
IoT devices that are not properly secured have been at the epicentre of some major cyberattacks in recent times, including the notorious Mirai botnet attack. With household appliances gaining IoT status at a constant rate, people are bringing devices into their homes that could serve as entry points for threat actors.
Travis Smith, principal security engineer at Tripwire, said: “As it stands now, the S in IoT stands for security. This bill will help to resolve some of the known issues plaguing so many IoT devices being hacked on a daily basis. There are two issues I see with this bill which won’t help the overall security of these types of devices. When left up to the user, changing passwords and installing patches is not a priority. The priority instead is getting the device to work so you can stream Netflix from your fridge or see your front porch from a beach.”
Smith taps into a key point that is relevant throughout cybersecurity, as human error is continually at the root of problems, and it is often an accelerant. Lack of awareness and human nature combine to cause big mistakes. The US government has clearly noticed the severity of this weak spot.
“I put IoT devices into three buckets when it comes to patching. The best bucket to be in is devices which automatically detect new updates and install them without any user involvement. This is the strategy which should be strived for amongst all IoT vendors. The next is optional patches, which is what this bill will most likely mandate. Two issues with optional patches are first getting the user to know about the patch, then getting them to actually install the patch. Both of these tasks are notoriously difficult for your average user. Finally, there are the devices which do not receive any patches, intentionally or not,” said Smith.
The same human flaw applies to the inability to maintain secure passwords: users put off changing them regularly and fail to make them suitably complex. Biometrics are being looked into widely as an alternative to the need to change and remember passwords.
Smith said: “For this bill to be successful, there needs to be incentives for vendors to get their devices to a secure state. Releasing a device which is free from security bugs is time consuming and costly. With many of these devices being a commodity, delaying the time to market or charging a higher cost may not fit their current business model.”
Also viewing the bill with positivity, Mark Noctor, VP EMEA at Arxan Technologies, said: “The proposed IoT legislation introduced to the US Senate last night is a positive step towards ensuring much-needed security for connected devices… By requiring vendors to explain the vulnerabilities in their systems and explain why their device is still considered secure, the Internet of Things Cybersecurity Act of 2017 would force developers to take security seriously.”