Slashdot Mirror


Congress Introduces Bill To Improve 'Internet of Things' Security (cnet.com)

Members of the US Senate and House of Representatives introduced the Internet of Things Cybersecurity Improvement Act on Monday, hoping to bring legislative action to the emerging technology. From a report: Connected devices are expected to boom to 20.4 billion units by 2020, but they don't all have the same levels of security. Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses. "While I'm excited about their life-changing potential, I'm also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security," Sen. Mark Warner, a Democrat from Virginia, said in a statement.

54 comments

  1. Do you really think Congress will legislate this? by Snotnose · · Score: 2

    Best case, they require a password to admin accounts. Worst case, jeez, I can't imagine. We'll start with IoT vendors who pay the most $$$ to re-election campaigns. And go downhill from there.

  2. "that the government uses" by Anonymous Coward · · Score: 0

    Well no shit. I should hope so. That needs a bill?

    1. Re:"that the government uses" by Anonymous Coward · · Score: 0

      Yes. Now you ought to read it to make sure it actually does something, and exactly wtf that is - just saying it fixes the problem doesn't fix the problem. "well no shit" indeed. Read it, let us know.

  3. Well. by Anonymous Coward · · Score: 0

    Possibly this is some kind of training issue. Given there have been no issues here, I don't think it's unreasonable.

  4. Stop by Anonymous Coward · · Score: 0

    Get fucked. The "internet of things" is not a real thing. Consumer goods and other bullshit shouldn't be connected to the internet.
    Adding surveillance to everything isn't socially useful, and just gives away even more power to surveillance capitalists.

    1. Re:Stop by Anonymous Coward · · Score: 0

      It is a real thing. Though that's different from if it should be.

    2. Re:Stop by oh_my_080980980 · · Score: 1

      No it's a buzz word. Network devices or internet devices would be the correct term. "Internet of Things" is not.

  5. Not for everyone. by SeaFox · · Score: 2

    Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.

    This will become nothing more than special "government edition" and "consumer edition" product lines of the exact same item, just with different firmware. Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.

    1. Re:Not for everyone. by Anonymous Coward · · Score: 0

      Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.

      I object.
      A quick google search revealed multiple sources that said you are wrong.
      https://www.google.com.au/search?source=hp&ei=0h6HXNHuNoz8rQG1mpu4CQ&q=%24600+hammer&safe=active&ssui=on/

      The hammer was $435.
      The toilet seat was $600.

    2. Re:Not for everyone. by geekmux · · Score: 2

      Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.

      This will become nothing more than special "government edition" and "consumer edition" product lines of the exact same item, just with different firmware.

      I find it hard to believe that vendors will create separate development lines for these products. I guarantee you the "minimum" standard won't be hard to implement, and you could probably sell hardware easily to civilians with some bullshit marketing like US Tested, Government Approved.

      Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.

      Sorry, but your own example tends to invalidate your argument. There's nothing inherently different between a $6 hammer and a $600 one, proving you don't need "government edition" anything to create that stupidity.

    3. Re:Not for everyone. by Anonymous Coward · · Score: 1

      Those "$600 hammers" were beryllium copper non-sparking ones.
      They ain't cheap for anyone.

    4. Re:Not for everyone. by freeze128 · · Score: 2

      Insecure IoT devices are a threat to EVERYONE, including the federal government, regardless of if they are used by the government or not.

    5. Re:Not for everyone. by Anonymous Coward · · Score: 0

      I once read that there was a difference in the shape of the hammer head. That's why it cost so much, the manufacturer had to retool a production line or make a new one or something along those lines. The extra price was for the new line for a small run.

    6. Re:Not for everyone. by geekmux · · Score: 1

      Those "$600 hammers" were beryllium copper non-sparking ones. They ain't cheap for anyone.

      Care to explain the technology in the $10,000 toilet seats?

      (I'm guessing it's actually a portable black hole used to teleport the mountains of bullshit spewing from those selling $600 hammers...)

    7. Re:Not for everyone. by dcw3 · · Score: 1

      Sure. They were needed for the C5 Galaxy, and no longer being produced anywhere. That means the AF had to hire some contractor to come in and create one from scratch, and to the exact specifications (corrosion resistance for example) they had. This inflates the cost of something that most of us would have just made ourselves in our basement to ridiculous levels, especially when you're not going to make a large production run. They made 3, so all of the engineering, and overhead cost went into that. Also, you can't just stick any old crap into a USAF plane...it must be mil-spec and rated for aircraft.

      USAF is now saying they can recreate the part for ~$300 on a 3D printer. So hopefully we won't see this kind of crap (pun intended) again.

      --
      Just another day in Paradise

  6. Re:Do you really think Congress will legislate thi by youngone · · Score: 2

    Worst case will be some senators getting some nice backhanders for supporting this.
    Oh, hang on that's just business as usual.
    Best government money can buy all right.

  7. World is Safe by Anonymous Coward · · Score: 0

    Go back to your fields.

  8. Tldr by Anonymous Coward · · Score: 0

    Let's ban more Chinese stuff because we can't compete or hack it as easily.
    NSA

    1. Re: Tldr by Anonymous Coward · · Score: 0

      You are literally retarded.
      The problem is that anybody can hack these things.

  9. Show of hands ... by CaptainDork · · Score: 1

    Who here wishes the fuck we had a goddam act of Congress to establish best practices during our IT careers?

    THEN we could have said, "Security -- it's not just a good idea, it's the law!"

    --
    It little behooves the best of us to comment on the rest of us.

    1. Re:Show of hands ... by drinkypoo · · Score: 1

      Who here wishes the fuck we had a goddam act of Congress to establish best practices during our IT careers?
      THEN we could have said, "Security -- it's not just a good idea, it's the law!"

      We're talking about congress here. The majority of them don't know jack about shit. They'd just mandate something stupid that would hamstring security.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  10. Re:Do you really think Congress will legislate thi by Anonymous Coward · · Score: 0

    this bill won't go anywhere. some moron will throw in an amendment that mandates backdoors... so at best, we have status quo, at worst, we have an even bigger problem.

  11. LOL, it is almost like the "free market" by Anonymous Coward · · Score: 0

    cannot figure out how to win against Huawei and build secure equipment on its own, demand and supply be damned :)

    1. Re: LOL, it is almost like the "free market" by Anonymous Coward · · Score: 0

      hehe, yeah, and the "free press" just won't stop talking about the Huawei fiasco. Seems like it would have been an especially important discussion topic on "international women's empowerment day", or whatever they called it. So not for women or even to get back at that mean old Trump, fake news just ain't talking about it.

  12. What can be done? by AHuxley · · Score: 1

    admin/admin is not to be used as a default factory set name and password?
    Stickers printed with every device showing its own unique name and long, complex and very unique password?

    --
    Domestic spying is now "Benign Information Gathering"

    1. Re:What can be done? by ilsaloving · · Score: 1

      Doesn't even need to be long and complex.

      A single non-trivial dictionary word, with a 1 hour lockout period, would be enough to thwart the majority of attacks.

      Obviously that's not enough to stop a concerted effort, but this would serve very well as a bare minimum.

    2. Re:What can be done? by AHuxley · · Score: 1

      Yes to just stop admin/admin getting set as the production default over decades of connected devices.
      Make every attempt to login CPU and network intensive per device.

      --
      Domestic spying is now "Benign Information Gathering"

  13. Encryption by Anonymous Coward · · Score: 0

    That'd be lovely. The feds demand some kind of fake not-actually-encrypted crypto, while Congress demands actually crypto crypto to secure IOT

    1. Re:Encryption by Anonymous Coward · · Score: 0

      Nonono... you misunderstand.

      This is *how* they will get their fake crypto. Just by calling it something like FREEDOMCRYPTO.

  14. The "S" in "IoT" ... by kenwd0elq · · Score: 4, Informative

    The "S" in "IoT" stands for "Security". As in, there ain't none.

    Yes, having a default password already applied to all IoT devices would be a great idea, as long as the instructions on "HOW TO CHANGE THE DEFAULT PASSWORD" were printed in at least 24-point type. For appliances, the instructions should be printed on a sticker (same typeface) across the front of the device.

    Beyond that .... the users need to be afraid of IoT devices and be concerned that they could be hacked. Because they all will be.

    1. Re:The "S" in "IoT" ... by mentil · · Score: 1

      Less than one person in ten would bother doing so, even if it were clearly printed how to do it. They wouldn't understand WHY they should. Having unique default passwords per device (like recent Comcast routers do) is a better idea. They're changeable, of course.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.

    2. Re:The "S" in "IoT" ... by torstenvl · · Score: 4, Interesting

      The default password should be randomly generated and included as a sticker in the packaging, like when you buy a combination lock. That way each device will have a random, unique password from the start. You'd have to go out of your way to make it admin/admin.

    3. Re:The "S" in "IoT" ... by supremebob · · Score: 1

      They should really enforce changing the default password as part of the initial setup. If you give people the option to skip it, they will.

      Otherwise, the default password just gets added to that long password list of manufacturer default passwords that crackers use to get into your stuff.
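
The policy pieces argued for above (AHuxley's "no admin/admin default" and "make every attempt CPU intensive", ilsaloving's one-hour lockout, torstenvl's random per-unit sticker password, supremebob's mandatory change during setup) fit together in a few dozen lines. The following is an added example written for this page; it is not code from any vendor, from the bill, or from anyone in the thread. The sticker length, the five-failure threshold, the 3600-second lockout, the scrypt parameters and the short list of "known default" strings are all assumed values chosen for illustration.

```python
"""Per-device admin credential policy for an IoT device (added example).

Assumed design, not any vendor's code: a factory-provisioned random password
printed on a sticker, a mandatory change on first login, a memory-hard
password hash so every guess costs the attacker CPU and RAM, and a one-hour
lockout after repeated failures.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable

# Sticker alphabet omits 0/O and 1/l/I so the printed value is unambiguous (assumption).
STICKER_ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
STICKER_LENGTH = 12          # ~71 bits from a CSPRNG; assumed policy value
MAX_FAILURES = 5             # assumed policy value
LOCKOUT_SECONDS = 3600       # the "1 hour lockout" from the thread
MIN_PASSWORD_LENGTH = 8
# Constructed sample of the factory-default strings that credential sweeps try.
KNOWN_DEFAULTS = ("admin", "password", "1234", "12345678", "root", "default")


def slow_hash(password: str, salt: bytes) -> bytes:
    """scrypt is memory-hard: each guess costs real CPU and RAM (parameters assumed)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class DeviceCredentials:
    """Admin credential state for one device; `clock` is injectable for testing."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._salt = b""
        self._digest = b""
        self._must_change = True
        self._failures = 0
        self._locked_until = 0.0

    def provision(self) -> str:
        """Factory step: generate the per-unit default and return it for the sticker.
        It comes from the CSPRNG, not from the serial number or MAC address."""
        sticker = "".join(secrets.choice(STICKER_ALPHABET) for _ in range(STICKER_LENGTH))
        self._store(sticker)
        self._must_change = True
        return sticker

    def _store(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._digest = slow_hash(password, self._salt)

    def login(self, password: str) -> str:
        """Returns 'ok', 'must_change_password', 'denied' or 'locked'."""
        now = self._clock()
        if now < self._locked_until:
            return "locked"                      # no hash computed, no hint leaked
        if self._digest and hmac.compare_digest(slow_hash(password, self._salt), self._digest):
            self._failures = 0
            return "must_change_password" if self._must_change else "ok"
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._failures = 0
            self._locked_until = now + LOCKOUT_SECONDS
        return "denied"

    def authorized(self, password: str) -> bool:
        """The sticker default opens only the setup flow, never the admin API."""
        return self.login(password) == "ok"

    def change_password(self, current: str, new: str) -> bool:
        if self.login(current) not in ("ok", "must_change_password"):
            return False
        if len(new) < MIN_PASSWORD_LENGTH or new.lower() in KNOWN_DEFAULTS:
            return False                         # refuse "set it back to admin"
        self._store(new)
        self._must_change = False
        return True


def sweep_defaults(device: DeviceCredentials, candidates=KNOWN_DEFAULTS) -> list:
    """What a default-credential sweep sees against this policy."""
    return [device.login(c) for c in candidates]


if __name__ == "__main__":
    dev = DeviceCredentials()
    print("sticker:", dev.provision())
    print("sweep:", sweep_defaults(dev))        # five 'denied', then 'locked'
```

Two practitioner caveats on this design. The per-unit default has to come from the CSPRNG at the factory; deriving it from the serial number or MAC address (both printed on the box or broadcast on the LAN) has been reversed for real products before, so it only looks unique. And a fixed one-hour lockout on a port reachable from the internet lets anyone lock the legitimate admin out, so a shipping device would scope the lockout per source address or use escalating delays, and keep a local-only (button or console) recovery path.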

    4. Re:The "S" in "IoT" ... by TomGreenhaw · · Score: 1

      >Beyond that .... the users need to be afraid of IoT devices and be concerned that they could be hacked. Because they all will be.

      I'm not sure I can agree. Modern credit card terminals are often IOT devices and implement strong measures very resistant to hacking.

      If an IOT device can only be configured using Bluetooth, an unauthorized user would need to be in close proximity to the device, and if a unique code required to access the configuration is printed on the device, they would need physical access to the device to change its settings. Alternatively, a challenge/response scheme implemented on a trusted server with predefined GUIDs and timing would also be secure.

      If all connections are protected by TLS1.2 and inbound connections only allowed from a whitelisted domain/IP address, it's hard for me to understand how the device can be compromised.

      IOT is like the early days of the Internet. If it works at all, victory is declared by idiots.

      IMHO, IOT devices can be secured.

      --
      Greed is the root of all evil.

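
For the "TLS 1.2 plus whitelisted source" design in the comment above, here is what the device side of that actually looks like, as an added example written for this page and not code from the poster, any vendor, or the bill. The address ranges are documentation prefixes used as constructed sample data, the CA bundle path is a hypothetical parameter, and the client-certificate requirement is an assumption the comment does not spell out.

```python
"""Inbound-connection policy for a device management port (added example).

Assumed design: TLS 1.2 as the floor, the connecting client must present a
certificate chaining to the fleet CA (mutual TLS), and the TCP peer must sit
in a source allowlist. Nothing here is a vendor's code.
"""
import ipaddress
import ssl
from typing import Optional, Tuple

# Constructed: where the management backend connects from (RFC 5737 / RFC 3849 ranges).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]


def source_allowed(peer: str) -> bool:
    """True only for a parseable address inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False                      # unparseable input is never 'allowed'
    return any(addr in net for net in ALLOWED_SOURCES)


def management_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context: TLS 1.2 or newer only, client certificate mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # handshake fails without a valid client cert
    if ca_bundle:                         # hypothetical path to the fleet CA certificate(s)
        ctx.load_verify_locations(ca_bundle)
    return ctx


def admit(peer: str, client_cert_verified: bool) -> Tuple[bool, str]:
    """Both gates must pass: the allowlist is a cheap pre-filter, the
    certificate is the actual authentication."""
    if not source_allowed(peer):
        return False, "source not in allowlist"
    if not client_cert_verified:
        return False, "no verified client certificate"
    return True, "ok"


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Snapshot of the two settings an audit of this port would check."""
    return {"minimum_version": ctx.minimum_version.name, "verify_mode": ctx.verify_mode.name}


if __name__ == "__main__":
    print(context_policy(management_tls_context()))
    print(admit("203.0.113.9", client_cert_verified=True))
```

One correction to the comment's wording that matters in practice: an inbound TCP connection carries a source address, not a domain name, so a "whitelisted domain" cannot be enforced on the device; you allowlist addresses. And the address alone is not authentication, since every host behind the same NAT shares it, which is why the example makes the client certificate the real gate.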
    5. Re:The "S" in "IoT" ... by Anonymous Coward · · Score: 0

      Idea in practice: Ok guys let's get started right away and put that sticker on the package...

    6. Re:The "S" in "IoT" ... by MobyDisk · · Score: 1

      I love that you point out that this security problem was solved decades before the microprocessor was invented, and yet still manufacturers haven't figured this out.

  15. Re:Do you really think Congress will legislate thi by arglebargle_xiv · · Score: 1

    It'll be watered down to pointlessness by the time it passes anyway, like most of these bills usually are. As long as it doesn't override the California law, which again these bills usually do, things should be OK though, at least that has some teeth. The CA one is still pretty weak, but at least it's something.

  16. Re: Do you really think Congress will legislate th by Anonymous Coward · · Score: 0

    It is already watered down from conception. The summary says the law would only apply to IoT devices used by the USA federal government.

    It's completely useless. Anyone selling IoT to them probably already does a decent job with security.

  17. Updates, Updates, Updates. by Anonymous Coward · · Score: 0

    Real updatability is what is needed. Today we have two options

    1) Continuous updates with all new and crippling functionality

    2) No updates at all

    We need a third, possibly forced, option where only security patches are allowed

    1. Re:Updates, Updates, Updates. by Shotgun · · Score: 1

      Because the environment and requirements of a refrigerator change constantly? If an appliance needs a software update, you're not a customer; you're a beta tester.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba

  18. Re:Do you really think Congress will legislate thi by mentil · · Score: 5, Insightful

    Almost certainly this will be a checklist, like PCI DSS compliance for credit card processors. Just like it is there, it will ensure you have a lock on the door, the window is closed, and a fence is around the perimeter... but does nothing to ensure the fence isn't made from tissue paper or that there isn't a large gap in the wall right next to the door.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.

  19. just build a wall by Anonymous Coward · · Score: 0

    Just build a yuge wall around all of IoT, with fire, and make all the shitty manufacturers and consumers pay for it.

  20. Legislate the freaking SPYING COMPANY also! by Anonymous Coward · · Score: 0

    We keep forgetting that we need laws to stop companies from F'ing the consumer with a knife.

  21. Re:Do you really think Congress will legislate thi by Anonymous Coward · · Score: 0

    Yes they will "legislate" this.

    1) Propose a bill (written by the IoT vendors) that pretty much allows the vendors to lock users out of their products AND PROMISES SOME PROTECTIONS.
    2) Tout the bill as the Safeguard for the FUTURE OF THE INTERNET
    3) Tack on all sorts of riders for other interests
    4) Pass it with BIPARTISAN support (because it is meaningless)
    5) Give it to the FCC to "enforce" with no attached budget

    Yep. Legislation at its finest.

  22. He doesn't know by Anonymous Coward · · Score: 0

    "...with the device market prioritizing convenience and price over security," Sen. Mark Warner, a Democrat from Virginia, said in a statement.
    That's the whole idea, Senator. Get with the times, will ya!

  23. How about banning IOT??? by Anonymous Coward · · Score: 0

    How about banning IOT, in children's toys (& companies using them to collect valuable info from children & even try to manipulate them)?

    How about banning IOT, for anything that does not really need it (& the manufacturing company actually using it to collect valuable info from the general public)?

  24. wow by Anonymous Coward · · Score: 0

    They actually put "Internet of things" in the title, can't even get more lame and inept than this, America.

  25. Re:Do you really think Congress will legislate thi by supremebob · · Score: 3, Insightful

    Knowing the current state of Congress, they'll require a third-party auditor to "certify" all new IoT products before allowing their sale in the US.

    The list of third-party auditors will probably closely match the list of corporate donors who sponsored the bill.

    I'm sure that the open source people will love jumping through this extra regulatory hoop and paying the required fees before getting their product on the market.

  26. Re:Do you really think Congress will legislate thi by Thud457 · · Score: 1

    This will be watered down to the point where all it says is "Every internet-enabled appliance should have a password for security. The official credentials are scott/tiger".
    Enjoy.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  27. Re:Do you really think Congress will legislate thi by bobdehnhardt · · Score: 1

    According to the article, they're having NIST prepare the standards and controls, with a 5-year refresh. If this was the legislators coming up with standards, as they did with HIPAA, I think it would be doomed to fail. But NIST knows their stuff - the controls in Special Publication 800-53 rev 4 are pretty solid, and come with mappings for low, moderate and high security situations. Like FedRAMP for cloud providers, this will become a bar for entry into the public sector, and at this point, it has the potential for being a good one.

  28. Re:Do you really think Congress will legislate thi by Obfuscant · · Score: 1

    Knowing the current state of Congress, they'll require a third-party auditor to "certify" all new IoT products before allowing their sale in the US.

    If you read the bill instead of fabricating FUD, you'll see that it has nothing to do with approving anything for sale in the US, and that the "third party" is NIST.

    The list of third-party auditors will probably closely match the list of corporate donors who sponsored the bill.

    I did not know that NIST was a corporate donor to any political campaign.

    I'm sure that the open source people will love jumping through this extra regulatory hoop and paying the required fees before getting their product on the market.

    It has nothing to do with "open source" or getting a product on the market.

  29. Re:Do you really think Congress will legislate thi by dcw3 · · Score: 1

    Reminds me of the whole 8570 CompTIA scam. Come pay us (forever) for this useless certification that the government is now going to require everyone who touches a government computer to have.

    --
    Just another day in Paradise