Slashdot Mirror


Congress Introduces Bill To Improve 'Internet of Things' Security (cnet.com)

Members of the US Senate and House of Representatives introduced the Internet of Things Cybersecurity Improvement Act on Monday, hoping to bring legislative action to the emerging technology. From a report: Connected devices are expected to boom to 20.4 billion units by 2020, but they don't all have the same levels of security. Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses. "While I'm excited about their life-changing potential, I'm also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security," Sen. Mark Warner, a Democrat from Virginia, said in a statement.

28 of 54 comments

  1. Do you really think Congress will legislate this? by Snotnose · · Score: 2

    Best case, they require a password to admin accounts. Worst case, jeez, I can't imagine. We'll start with IoT vendors who pay the most $$$ to re-election campaigns. And go downhill from there.

  2. Not for everyone. by SeaFox · · Score: 2

    Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.

    This will become nothing more than special "government edition" and "consumer edition" product lines of the exact same item, just with different firmware. Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.

    1. Re:Not for everyone. by geekmux · · Score: 2

      Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.

      This will become nothing more than special "government edition" and "consumer edition" product lines of the exact same item, just with different firmware.

      I find it hard to believe that vendors will create separate development lines for these products. I guarantee you the "minimum" standard won't be hard to implement, and you could probably sell hardware easily to civilians with some bullshit marketing like US Tested, Government Approved.

      Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.

      Sorry, but your own example tends to invalidate your argument. There's nothing inherently different between a $6 hammer and a $600 one, proving you don't need "government edition" anything to create that stupidity.

    2. Re:Not for everyone. by Anonymous Coward · · Score: 1

      Those "$600 hammers" were beryllium copper non-sparking ones.
      They ain't cheap for anyone.

    3. Re:Not for everyone. by freeze128 · · Score: 2

      Insecure IoT devices are a threat to EVERYONE, including the federal government, regardless of if they are used by the government or not.

    4. Re:Not for everyone. by geekmux · · Score: 1

      Those "$600 hammers" were beryllium copper non-sparking ones. They ain't cheap for anyone.

      Care to explain the technology in the $10,000 toilet seats?

      (I'm guessing it's actually a portable black hole used to teleport the mountains of bullshit spewing from those selling $600 hammers...)

    5. Re:Not for everyone. by dcw3 · · Score: 1

      Sure. They were needed for the C5 Galaxy, and no longer being produced anywhere. That means the AF had to hire some contractor to come in and create one from scratch, and to the exact specifications (corrosion resistance for example) they had. This inflates the cost of something that most of us would have just made ourselves in our basement to ridiculous levels, especially when you're not going to make a large production run. They made 3, so all of the engineering, and overhead cost went into that. Also, you can't just stick any old crap into a USAF plane...it must be mil-spec and rated for aircraft.

      USAF is now saying they can recreate the part for ~$300 on a 3D printer. So hopefully we won't see this kind of crap (pun intended) again.

      --
      Just another day in Paradise
  3. Re:Do you really think Congress will legislate thi by youngone · · Score: 2

    Worst case will be some senators getting some nice backhanders for supporting this.
    Oh, hang on that's just business as usual.
    Best government money can buy all right.

  4. Show of hands ... by CaptainDork · · Score: 1

    Who here wishes the fuck we had a goddam act of Congress to establish best practices during our IT careers?

    THEN we could have said, "Security -- it's not just a good idea, it's the law!"

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Show of hands ... by drinkypoo · · Score: 1

      Who here wishes the fuck we had a goddam act of Congress to establish best practices during our IT careers?
      THEN we could have said, "Security -- it's not just a good idea, it's the law!"

      We're talking about congress here. The majority of them don't know jack about shit. They'd just mandate something stupid that would hamstring security.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. What can be done? by AHuxley · · Score: 1

    admin/admin is not to be used as a default factory set name and password?
    Stickers printed with every device showing its own unique name and long, complex and very unique password?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:What can be done? by ilsaloving · · Score: 1

      Doesn't even need to be long and complex.

      A single non-trivial dictionary word, with a 1 hour lockout period, would be enough to thwart the majority of attacks.

      Obviously that's not enough to stop a concerted effort, but this would serve very well as a bare minimum.

    2. Re:What can be done? by AHuxley · · Score: 1

      Yes to just stop admin/admin getting set as the production default over decades of connected devices.
      Make every attempt to login CPU and network intensive per device.

      --
      Domestic spying is now "Benign Information Gathering"
  6. The "S" in "IoT" ... by kenwd0elq · · Score: 4, Informative

    The "S" in "IoT" stands for "Security". As in, there ain't none.

    Yes, having a default password already applied to all IoT devices would be a great idea, as long as the instructions on "HOW TO CHANGE THE DEFAULT PASSWORD" were printed in at least 24-point type. For appliances, the instructions should be printed on a sticker (same typeface) across the front of the device.

    Beyond that .... the users need to be afraid of IoT devices and be concerned that they could be hacked. Because they all will be.

    1. Re:The "S" in "IoT" ... by mentil · · Score: 1

      Less than one person in ten would bother doing so, even if it were clearly printed how to do it. They wouldn't understand WHY they should. Having unique default passwords per device (like recent Comcast routers do) is a better idea. They're changeable, of course.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    2. Re:The "S" in "IoT" ... by torstenvl · · Score: 4, Interesting

      The default password should be randomly generated and included as a sticker in the packaging, like when you buy a combination lock. That way each device will have a random, unique password from the start. You'd have to go out of your way to make it admin/admin.

    3. Re:The "S" in "IoT" ... by supremebob · · Score: 1

      They should really enforce changing the default password as part of the initial setup. If you give people the option to skip it, they will.

      Otherwise, the default password just gets added to that long password list of manufacturer default passwords that crackers use to get into your stuff.
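The three suggestions in this subthread (a random per-device factory password on a sticker, a lockout period after failed logins, and a forced password change during initial setup) can be combined in one small admin-login model. This is an added illustration, not code from Slashdot or from any vendor; the failure threshold of 5 attempts is an assumption, the 1 hour lockout is the figure from the thread.

```python
import hashlib
import hmac
import secrets

LOCKOUT_SECONDS = 3600   # the "1 hour lockout period" proposed in the thread
MAX_FAILURES = 5         # assumed threshold; the page gives no number


def hash_password(password, salt):
    # PBKDF2 so a dumped credential store does not reveal the sticker value
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAccount:
    """Admin account for one device: unique factory password, lockout, forced change."""

    def __init__(self, factory_password=None):
        # Per-device random default, printed on the packaging sticker at the factory
        self.factory_password = factory_password or secrets.token_urlsafe(12)
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(self.factory_password, self.salt)
        self.must_change = True      # factory credential only unlocks the change step
        self.failures = 0
        self.locked_until = 0.0

    def login(self, password, now):
        """Return 'locked', 'denied', 'change_required' or 'ok'."""
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(hash_password(password, self.salt), self.pw_hash):
            self.failures = 0
            return "change_required" if self.must_change else "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return "denied"

    def change_password(self, old, new, now):
        """Initial setup cannot be skipped: nothing else works until this succeeds."""
        if self.login(old, now) not in ("ok", "change_required"):
            return False
        if len(new) < 8 or new == self.factory_password:
            return False                       # refuse trivial or unchanged secrets
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(new, self.salt)
        self.must_change = False
        return True
```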

    4. Re:The "S" in "IoT" ... by TomGreenhaw · · Score: 1

      >Beyond that .... the users need to be afraid of IoT devices and be concerned that they could be hacked. Because they all will be.

      I'm not sure I can agree. Modern credit card terminals are often IOT devices and implement strong measures very resistant to hacking.

      If an IOT device can only be configured using Bluetooth, an unauthorized user would need to be in close proximity to the device, and if a unique code that is required to access the configuration is printed on the device, they would need physical access to the device to change its settings. Alternatively, a challenge/response scheme implemented on a trusted server with predefined GUIDs and timing would also be secure.

      If all connections are protected by TLS1.2 and inbound connections only allowed from a whitelisted domain/IP address, it's hard for me to understand how the device can be compromised.

      IOT is like the early days of the Internet. If it works at all, victory is declared by idiots.

      IMHO, IOT devices can be secured.

      --
      Greed is the root of all evil.
    5. Re:The "S" in "IoT" ... by MobyDisk · · Score: 1

      I love that you point out that this security problem was solved decades before the microprocessor was invented, and yet still manufacturers haven't figured this out.

  7. Re:Do you really think Congress will legislate thi by arglebargle_xiv · · Score: 1

    It'll be watered down to pointlessness by the time it passes anyway, like most of these bills usually are. As long as it doesn't override the California law, which again these bills usually do, things should be OK though, at least that has some teeth. The CA one is still pretty weak, but at least it's something.

  8. Re:Do you really think Congress will legislate thi by mentil · · Score: 5, Insightful

    Almost certainly this will be a checklist, like PCI DSS compliance for credit card processors. Just like it is there, it will ensure you have a lock on the door, the window is closed, and a fence is around the perimeter... but does nothing to ensure the fence isn't made from tissue paper or that there isn't a large gap in the wall right next to the door.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  9. Re:Do you really think Congress will legislate thi by supremebob · · Score: 3, Insightful

    Knowing the current state of Congress, they'll require a third-party auditor to "certify" all new IoT products before allowing their sale in the US.

    The list of third-party auditors will probably closely match the list of corporate donors who sponsored the bill.

    I'm sure that the open source people will love jumping through this extra regulatory hoop and paying the required fees toll before getting their product on the market.

  10. Re:Do you really think Congress will legislate thi by Thud457 · · Score: 1

    This will be watered down to the point where all it says is "Every internet-enabled appliance should have a password for security. The official credentials are scott/tiger".
    Enjoy.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  11. Re:Updates, Updates, Updates. by Shotgun · · Score: 1

    Because the environment and requirements of a refrigerator change constantly? If an appliance needs a software update, you're not a customer; you're a beta tester.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  12. Re:Stop by oh_my_080980980 · · Score: 1

    No it's a buzz word. Network devices or internet devices would be the correct term. "Internet of Things" is not.

  13. Re:Do you really think Congress will legislate thi by bobdehnhardt · · Score: 1

    According to the article, they're having NIST prepare the standards and controls, with a 5-year refresh. If this was the legislators coming up with standards, as they did with HIPAA, I think it would be doomed to fail. But NIST knows their stuff - the controls in Special Publication 800-53 rev 4 are pretty solid, and come with mappings for low, moderate and high security situations. Like FedRAMP for cloud providers, this will become a bar for entry into the public sector, and at this point, it has the potential for being a good one.

  14. Re:Do you really think Congress will legislate thi by Obfuscant · · Score: 1

    Knowing the current state of Congress, they'll require a third-party auditor to "certify" all new IoT products before allowing their sale in the US.

    If you read the bill instead of fabricate FUD, you'll see that it has nothing to do with approving anything for sale in the US, and that the "third party" is NIST.

    The list of third-party auditors will probably closely match the list of corporate donors who sponsored the bill.

    I did not know that NIST was a corporate donor to any political campaign.

    I'm sure that the open source people will love jumping through this extra regulatory hoop and paying the required fees toll before getting their product on the market.

    It has nothing to do with "open source" or getting a product on the market.

  15. Re:Do you really think Congress will legislate thi by dcw3 · · Score: 1

    Reminds me of the whole 8570 CompTIA scam. Come pay us (forever) for this useless certification that the government is now going to require everyone who touches a government computer to have.

    --
    Just another day in Paradise