The swarm of internet-connected security cameras, kitchen appliances, wearables and other gadgets that make up the Internet of Things are notoriously insecure. Two US senators want to fix that — at least for tech acquired by the US federal government — and are introducing bipartisan legislation intended to force manufacturers to include basic security features in their products.
The bill, called the Internet of Things Cybersecurity Improvement Act of 2017, would require manufacturers to allow software updates on their devices, make them properly authenticate those updates, and forbid them from using hardcoded passwords on devices that cannot be modified.
The security requirements outlined in the bill sound basic, but IoT devices are often shipped with unsecure features that make them easy to hijack.
When a large-scale denial of service attack took down large swaths of the internet last spring, it turned out that a botnet of IoT gadgets with hardcoded passwords were to blame. Manufacturers typically ship devices with these kinds of unchangeable passwords so they can install updates or debug devices once they’re out in the hands of consumers, but the login credentials are often something stupidly easy to guess such as “admin/admin”. This makes it simple for hackers to take over devices, and impossible for companies to kick them out by changing a password.
The bill would also require vendors who sell IoT devices to the US government to certify that their product has no known security vulnerabilities at the time it is sold, and take responsibility for issuing patches if vulnerabilities are discovered later. There’s also a nice carveout in the bill that protects security researchers who are hunting for new, undiscovered bugs in IoT devices.
Senators Cory Gardner, Steve Daines, Mark Warner and Ron Wyden are sponsoring the proposed legislation. Warner told Reuters that the bill is designed to address an “obvious market failure” in IoT.
Although the bill only covers devices that are sold to the US federal government, hopefully IoT vendors who are hungry for lucrative government contracts will start making more secure IoT devices available to consumers, too.